[tptacek]

Can I suggest you reread the article? I felt bad that I spent so much time on the mechanics of tweakable ciphers because people didn't really need to understand them to see why not to use XTS, but here you've vindicated all those paragraphs by stating the exact problem they solve, and did it be presenting an unsafe alternative to them.

[midas007]

Unsafe for what, how? You're making all sorts of claims and now an accusation without backing them up with a shred of evidence.

XTS is only useful for FDE, everything else should look for simpler constructions.

Maybe you need to read:

http://cactus.eas.asu.edu/partha/Teaching/539-CommonFiles/Cr...

Would really appreciated if you would know you're talking about and provide evidence before saying "it's wrong" or "it's bad advice."

[tptacek]

Did you just propose a disk encryption scheme whereby PBKDF2 is called on a sector by sector basis?

Later: FWIW, it looks like the parent comment was edited after I wrote this.

[midas007]

Absolutely not, that would NOT SCALE.

Again, you're making accusations, shifting the conversation without providing evidence. Talking with you is pointless.

[tptacek]

So when I "derive a new key" for a sector when it gets "rewritten", that key comes from...

[makomk]

Presumably the sector key is derived from the master key using one of the numerous fast KDFs, with PBKDF used only to derive the master key from the password. That's the obvious way to do it and midas007 explicitly mentions PBKDF as a way to generate a master key from a password with sector keys derived from that master key using some unspecified technique. You appear to have come up with your own obviously daft way of implementing the suggestion and then criticized that rather than the original proposal. Please don't do that.

[tptacek]

Did you just propose running a KDF for every sector of the disk? Which of these numerous "fast KDFs" that derive related keys from master keys are you referring to?