The GCM cipher mode is now included in the mainline kernel. It is, at least in theory, a very viable alternative to less secure modes as far as speed is concerned, but also offers some degree of authentication.
Just one problem- I can't figure out how to get the thing working under LUKS with cryptsetup.
I've tried various permutations of:
(cipher)-gcm-essiv:(hash)
...with ciphers serpent, twofish, and aes; and hashes sha256, sha512, and tgr192. Even tried replacing "essiv" with "plain" (and, of course, leaving off the hash accordingly).
All the relevant cipher, mode, and hash modules were loaded and verified in each case. My suspicion is that the specification of gcm somehow changes what the cipher spec is supposed to look like, viz. it needs something extra, or something removed. The author of the GCM module, from all I can gather, doesn't seem too actively involved with Linux in general, so contacting him is a last resort.
Does anybody else have suggestions?
Don't.
GCM is an AEAD mode, which makes it is unsuitable for block device encryption (since the output is longer than the input). If you're looking for something more secure than *-cbc-essiv, try XTS -- use e.g. aes-xts-benbi as the cipher spec.