Document AES-XTS in cgd(4).

share/man/man4/cgd.4

@@ -1,4 +1,4 @@
-.\" $NetBSD: cgd.4,v 1.19 2016/06/01 01:34:43 pgoyette Exp $
+.\" $NetBSD: cgd.4,v 1.20 2016/12/11 00:24:48 alnsn Exp $
 .\"
 .\" Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 30, 2013
+.Dd December 11, 2016
 .Dt CGD 4
 .Os
 .Sh NAME
@@ -64,6 +64,21 @@ mode.
 .Tn AES
 uses a 128 bit blocksize and can accept keys of length 128, 192, or 256.
 The default key length is 128.
+.It Ic aes-xts
+.Tn AES
+in
+.Tn XTS
+mode.
+.Tn AES-XTS
+uses a 128 bit blocksize and can accept keys of length 256 or 512.
+Note that
+.Tn AES-XTS
+key is made of two
+.Tn AES
+keys of equal size.
+The second key is used solely to encrypt the block number of the physical
+disk block.
+The default key length is 256.
 .It Ic 3des-cbc
 Triple
 .Tn DES
@@ -159,11 +174,25 @@ and their associated data structures are defined in
 .In dev/cgdvar.h
 header.
 .Sh WARNINGS
+.Pp
 It goes without saying that if you forget the passphrase that you used
 to configure a
 .Nm ,
 then you have irrevocably lost all of the data on the disk.
 Please ensure that you are using an appropriate backup strategy.
+.Pp
+A
+.Nm
+device doesn't authenticate data and thus it can't guarantee integrity
+of the encrypted data.
+In particular, if the plaintext is known to an adversary, it is
+possible to change every second block on a disk encrypted in the
+.Tn CBC
+mode to plaintext blocks of their choice.
+The
+.Tn
+XTS mode isn't vulnerable to this particular attack but a lack of
+integrity should be taken into accout when evaluating security risks.
 .Sh FILES
 .Bl -tag -width indentxxxxxxxxxxx
 .It /dev/{,r}cgd*