Cryptography/full-disk encryption

Most modern operating systems support full-disk encryption (FDE): a small boot area is left unencrypted (and never changes), containing the code to ask for a password and use that password to decrypt and run the rest of the operating system. The entire rest of the disk is always encrypted -- every write to the disk is intercepted by the operating system and encrypted, so everything written to the disk is encrypted.

Even if the entire computer is stolen, the data is useless without the password.

As of 2020, the latest FDE software running on modern server hardware is fast enough that the latency is indistinguishable from not using encryption at all.[1]



Even-Mansour block ciphers


Even-Mansour block ciphers are very simple: Given a block of data, these XOR a key with the block, apply a publicly-known permutation, then XOR a key again. Many cryptographers have studied this construction and some variants.[2]

As of 2014, the de-facto standard disk encryption mode for full-disk encryption (FDE) is a specific variant called XEX-based tweaked-codebook mode with ciphertext stealing (XTS). It's good for full-disk encryption, but authenticated encryption has several advantages over XTS in almost any other application.[3]

  1. Ignat Korchagin. "Speeding up Linux disk encryption". 2020.
  2. JP Aumasson. "Lazy crypto reloaded".
  3. "You Don't Want XTS". 2014.