
From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: Re: Replace Blowfish with AES in vnode disk driver
To: Damien Miller <djm@mindrot.org>
Cc: Filip Cernoch <filipcernoch@posteo.net>, tech@openbsd.org
Date: Wed, 17 Sep 2025 01:42:59 +0200

On Wed, Sep 17, 2025 at 09:29:12AM +1000, Damien Miller wrote:
> On Wed, 17 Sep 2025, Jeremie Courreges-Anglas wrote:
> 
> > Should vnconfig move from blowfish, it should probably be to a scheme
> > actually designed for data storage like AES-XTS (like softraid CRYPTO)
> > or similar.
> > 
> >   https://en.wikipedia.org/wiki/Disk_encryption_theory
> > 
> > I'm no crypto expert, but I doubt that moving from blowfish-CBC to
> > AES-CBC would be a big win.
> 
> softraid already uses AES-XTS for encrypted volumes.

Yup.

> IMO vnconfig
> crypto is just legacy and should be removed.

From looking at the code, vnconfig already says:

  WARNING: Consider using softraid crypto.

Maybe we should make it clear that we're going to remove this code,
say, for 7.9?  If people actually wanted to keep using this, I guess
someone would have stepped up by now.

-- 
jca