When I tried SpiralLinux with FDE for the first time, it took a very long time until the LUKS slots were opened after entering the password.
It turns out that GRUB does not use hardware acceleration for decryption and is therefore slow.
I have solved it for myself by setting the number of iterations manually.
I use this command (from a live system):
(sda2 must be adjusted accordingly)
If another encrypted partition is used for hibernation, the iterations should also be adjusted there.
The figure of 600,000 is just one example. I have based this on the iterations of Bitwarden, which also work with 600,000, and also on other articles that I link to in the resources. For my purposes, I use a different number, but 600,000 might be a good start for some. Instead of waiting 30 seconds, I now only wait 3 to 4 seconds, which is acceptable for me.
In this context, I also convert directly from LUKS1 to LUKS2 (before I change the iterations). On the one hand because of better protection against header corruption and the option to switch from PBKDF2 to Argon2 if required:
sudo cryptsetup convert /dev/sda2 --type luks2
Unfortunately, Debian's version of GRUB currently only supports LUKS with PBKDF2 and no Argon2, which provides better protection against GPU-based attacks (although of course the question is whether your own threat level needs this extra protection). If one does not depend on Debian: There are Argon2-GRUB patches for Arch and Gentoo.
Resources:
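After converting to LUKS2 or changing the iteration count, the per-keyslot KDF settings can be read back from `cryptsetup luksDump`. The script below is an added example, not part of the original post: `luks_keyslot_report` and `sample_dump` are hypothetical names, the dump text is constructed, the parser assumes the LUKS2 dump layout, and the `grub=` column rests on the post's statement that Debian's GRUB handles PBKDF2 only.

```shell
#!/bin/sh
# Added example: summarise the KDF of every LUKS2 keyslot from luksDump text.
# Real use: sudo cryptsetup luksDump /dev/sda2 | luks_keyslot_report

luks_keyslot_report() {
    awk '
        function emit() {
            if (slot != "")
                printf "slot=%s pbkdf=%s iterations=%s grub=%s\n", slot, kdf, iters, (kdf == "pbkdf2" ? "ok" : "unsupported")
            slot = ""
        }
        # A line starting in column 0 opens a new section (Keyslots:, Tokens:, Digests:).
        /^[A-Za-z]/ { emit(); in_slots = ($1 == "Keyslots:"); next }
        # Skip every other section: "Digests:" also has an Iterations: line.
        !in_slots { next }
        # Indented "N: luks2" starts a keyslot; Argon2 slots have no Iterations: line.
        /^[ \t]+[0-9]+: / { emit(); slot = $1; sub(/:/, "", slot); kdf = "?"; iters = "-"; next }
        $1 == "PBKDF:" { kdf = $2 }
        $1 == "Iterations:" { iters = $2 }
        END { emit() }
    '
}

# Constructed sample in the LUKS2 luksDump layout (not taken from a real device).
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 600000
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456
EOF
}

sample_dump | luks_keyslot_report
```

A keyslot reported as `grub=unsupported` is one that the PBKDF2-only GRUB described in the post would not be able to open at boot.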