Describe the feature you'd like to have

Background: We want to be able to use different ciphers for dmcrypt disk encryption, not only the default option AES-XTS.

Problem: Currenlty disk encryption done through dmcrypt in ceph-csi RBD volume encryption can only be with AES-XTS even though dmcrypt supports different ciphers.

Because different ciphers have different effective key sizes it makes sense to also make the key size configurable. For example, the linux kernel implements AES-XTS with a key size of 512 whereas other AES-based ciphers are implemented with a key size of 128 or 256.

What is the value to the end user? (why is it a priority?)

How would the end user gain value from having this feature?

When AES-XTS does not provide sufficient security, it would be useful to be able to change the cipher to better align with the security requirements of the use case.

How will we know we have a good solution? (acceptance criteria)

Add a list of criteria that should be met for this feature to be useful.

• If ciphers are configurable for RBD volume encryption encryption other than the default AES-XTS
• If the key size is configurable
• If the node does not support a configured cipher and key size pair, then an error message containing this information must be displayed
• If no cipher is specified the current default cipher AES-XTS should still be the default

Additional context

Idea behind implemention

Add any other context or screenshots about the feature request here.

Main logic behind LUKS encryption is found in /internal/util/cryptsetup/cryptsetup.go

So we need to get arguments from storage class RBD volume configuration to the cryptsetup calls.

More importantly, since the LUKS header stores the chosen cipher, it only needs to be specified when the RBD volume is formatted for the first time. There is no need to specify the cipher on subsequent openings.