I cannot open one of my LUKS partitions on a Raspberry Pi due to the memory restriction. I already found out that the suggestion in this case is to recreate the partition on the slowest device that will access it (in this case the Raspberry Pi).
However, I'm concerned about the possibly decreased level of security (probably, with less computing power, a weaker key will be used).
This is what cryptsetup's documentation says about the issue:

> Note: Passphrase iteration is determined by cryptsetup depending on CPU power. On a slow device, this may be lower than you want. I recently benchmarked this on a Raspberry Pi and it came out at about 1/15 of the iteration count for a typical PC. If security is paramount, you may want to increase the time spent in iteration, at the cost of a slower unlock later. For the Raspberry Pi, using
>
>     cryptsetup luksFormat -i 15000 <target device>
>
> gives you an iteration count and security level equal to an average PC for passphrase iteration and master-key iteration. If in doubt, check the iteration counts with
>
>     cryptsetup luksDump <target device>
>
> and adjust the iteration count accordingly by creating the container again with a different iteration time (the number after '-i' is the iteration time in milliseconds) until your requirements are met.
Now, I'm not sure what will happen if I follow the advice above:
- Will the partition be as secure as on a PC (if the iterations number is correct), just slower?
- If it is slower, is only the unlock slower, and are later reads/writes just as fast as without the extra iteration? (If so, why? Is it because by unlocking we only decrypt the key that will be later used to decrypt the content in the partition?)
- Will it still consume less memory than the partition created on a fast PC? (In other words: I want to recreate the partition in order to be able to use it with the Raspberry Pi. With the default values it will be usable, but less secure. Will it still be usable with the increased iteration count, or would it again consume too much memory?)
Thank you very much, changing `--pbkdf-memory` worked :) Just one follow-up question: decreasing the memory only decreases the speed of `luksOpen` (and not the strength of the encryption), correct? (Indeed, `luksOpen`ing the decreased LUKS2 disk is much slower than `luksOpen`ing a LUKS1 disk, but unfortunately the man page does not say much about the effect.)
– Attilio – 2020-02-12T20:17:55.487
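
As an added illustration of the quoted cryptsetup note (a simplified model written for this page, not cryptsetup's code): the passphrase is stretched with PBKDF2 only to unwrap a random master key, so the iteration count sets the cost of each unlock attempt while the data key stays the same size. The function names, the XOR wrapping and the SHA-256 digest are assumptions standing in for LUKS's real key-slot cipher, anti-forensic split and master-key digest.

```python
import hashlib, hmac, os, time

def calibrate_iterations(target_ms, probe=20_000):
    """Pick a PBKDF2 iteration count that takes about target_ms on THIS CPU."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"salt" * 8, probe, 32)
    elapsed_ms = max((time.perf_counter() - start) * 1000, 0.001)
    return max(1000, int(probe * target_ms / elapsed_ms))

def format_volume(passphrase, iterations):
    """Build a model header: a random master key wrapped under a passphrase-derived key."""
    master_key = os.urandom(32)   # encrypts the data; never derived from the passphrase
    salt = os.urandom(32)
    slot_key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, 32)
    header = {
        "iterations": iterations,  # stored in the header, which is what luksDump reports
        "salt": salt,
        # Assumption: XOR stands in for the cipher and anti-forensic split of real LUKS.
        "wrapped_mk": bytes(a ^ b for a, b in zip(master_key, slot_key)),
        # Assumption: plain SHA-256 stands in for the real master-key digest.
        "mk_digest": hashlib.sha256(master_key).digest(),
    }
    return header, master_key

def unlock(header, passphrase):
    """The only step that pays the iteration cost; returns the master key or None."""
    slot_key = hashlib.pbkdf2_hmac("sha256", passphrase, header["salt"],
                                   header["iterations"], 32)
    candidate = bytes(a ^ b for a, b in zip(header["wrapped_mk"], slot_key))
    ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), header["mk_digest"])
    return candidate if ok else None

def timed_unlock(header, passphrase):
    """Return (master key or None, milliseconds spent in unlock)."""
    start = time.perf_counter()
    key = unlock(header, passphrase)
    return key, (time.perf_counter() - start) * 1000

if __name__ == "__main__":
    pw = b"constructed sample passphrase"          # constructed input
    auto = calibrate_iterations(target_ms=100)     # iteration count for ~100 ms on this CPU
    for iters in (auto, auto * 15):                # 15x: the PC/Pi ratio in the quoted note
        header, mk = format_volume(pw, iters)
        key, ms = timed_unlock(header, pw)
        print(f"iterations={iters:>9} unlock={ms:8.1f} ms "
              f"key_ok={key == mk} key_bits={len(mk) * 8}")
```
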