How do you create an AES XTS key?


Problem :

I am interested in hacking around with Gluster cloud FS whose most recent beta uses AES with XTS only. It also requires openssl >= 1.0.1.

The 1.0.1f Jan 2014 openssl (with 64 bit lib) install for my Mac, does not appear to support this.

  1. Is AES_XTS actually in practise under another cipher name?
  2. How do I generate a 256 bit AES_XTS (master) key on the command line?

Solution :

Is AES_XTS actually in practise under another cipher name?

grep is your friend:

openssl-1.0.1f$ grep -R XTS *
...
crypto/objects/obj_dat.h:{"AES-128-XTS","aes-128-xts",NID_aes_128_xts,0,NULL,0},
crypto/objects/obj_dat.h:{"AES-256-XTS","aes-256-xts",NID_aes_256_xts,0,NULL,0},
...
crypto/objects/obj_mac.h:#define SN_aes_128_xts         "AES-128-XTS"
crypto/objects/obj_mac.h:#define SN_aes_256_xts         "AES-256-XTS"
crypto/objects/objects.txt:                     : AES-128-XTS           : aes-128-xts
crypto/objects/objects.txt:                     : AES-256-XTS           : aes-256-xts
...

So, it looks like your NID names are aes-128-xts and aes-256-xts.


How do I generate a 256 bit AES_XTS (master) key on the command line?

Hmm… XTS is just another block cipher mode of operation (like ECB, CBC, CTR, GCM, etc). So there’s nothing special – just keep doing it the same way you have been doing it.


The 1.0.1f Jan 2014 openssl (with 64 bit lib) install for my Mac, does not appear to support this.

That does not sound right. My version of 1.0.1f has it. Where did you get your version of OpenSSL?


install for my Mac…

Mac OS X ships 0.9.8. Be sure you are using your version of OpenSSL, and not Apple’s version of OpenSSL.

Apple linkers silently ignore options like -Bstatic, -rpath and LD_PRELOAD. So it takes some effort to ensure you are actually using your version of OpenSSL; and not Apple’s version of OpenSSL.

On OS X, compile your program with -lcrypto, -lssl and -L<your openssl path>. By default, OpenSSL is installed in /usr/local/ssl/lib. Then, before launching your program:

export OPENSSL_LIBPATH=/usr/local/ssl/lib
export DYLD_INSERT_LIBRARIES=$OPENSSL_LIBPATH/libcrypto.dylib:$OPENSSL_LIBPATH/libssl.dylib

See dylib(1) for information on DYLD_INSERT_LIBRARIES and friends.

To generate a Gluster encryption master key for a volume:
https://www.gluster.org/community/documentation/index.php/Features/disk-encryption
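
Added example (not part of the original answer): checking that the openssl binary actually found in PATH knows aes-256-xts, then writing random hex key material to a file only its owner can read. XTS uses two AES keys, so OpenSSL's aes-128-xts takes 256 bits of key material and aes-256-xts takes 512. The function names and the master.key path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and file paths are illustrative assumptions.

# Print the cipher names known to the first openssl binary in PATH.
# OpenSSL 1.1.0+ spells it "list -cipher-algorithms", 1.0.x
# "list-cipher-algorithms"; run both and drop the error from the wrong one.
list_ciphers() {
    { openssl list -cipher-algorithms; openssl list-cipher-algorithms; } 2>/dev/null
}

# Succeed if the cipher list on stdin names cipher $1 (case-insensitive).
has_cipher() {
    grep -qiF -- "$1"
}

# gen_key FILE [BITS]: write BITS (default 256) of random key material to
# FILE as one line of hex, mode 0600. Refuses to overwrite an existing key.
gen_key() {
    file=$1
    bits=${2:-256}
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    [ $((bits % 8)) -eq 0 ] || { echo "BITS must be a multiple of 8" >&2; return 1; }
    bytes=$((bits / 8))
    (
        umask 077    # file is created readable by its owner only
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -hex "$bytes"
        else
            # Fallback, assuming /dev/urandom exists: read the kernel CSPRNG
            od -An -v -tx1 -N "$bytes" /dev/urandom | tr -d ' \n'
            echo
        fi > "$file"
    )
    # Verify the file really holds the expected number of hex digits.
    key=$(cat "$file")
    case $key in *[!0-9a-f]*) return 1 ;; esac
    [ "${#key}" -eq $((bytes * 2)) ]
}

# Usage:
#   command -v openssl; openssl version    # which build is being run?
#   list_ciphers | has_cipher aes-256-xts && gen_key ./master.key 256
```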
