DM-Crypt Archive mirror
From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: [dm-crypt] Re: Performance/Requirements of Argon2 header with removable devices
Date: Fri, 11 Jun 2021 10:34:27 +0200
Message-ID: <20210611083427.GB11826@tansi.org>
In-Reply-To: <416615b9-ac00-036c-ae00-7b3e91a22aff@gmx.com>

Hi Andreas,

there is a "work factor" (basically the old iteration count),
a parallelization factor and a memory footprint.

If you do not have the memory, you can probably forget 
opening the LUKS container. Speed down is intentionally
exceptionally bad. The impact of the other factors is just 
linear, i.e. you may just have to wait a bit longer.

I don't know whether you can open a LUKS container via 
cryptsetup at all if you do not have enough memory.
It would probably have to start paging and that alone
would give you an extreme unlock time. Also, if the
memory gets locked for the Argon2 calculation, it 
cannot be paged in the first place.

My recommendation would be to use "--pbkdf-memory"
and set a value that is supported on all the devices
you want to use that LUKS container with.

Regards,
Arno 

On Fri, Jun 11, 2021 at 10:08:31 CEST, Andreas Heinlein wrote:
> Hello,
> 
> I have another question regarding the new LUKS2 header resp.  the Argon2
> algorithm.
> 
> I understand that Argon2 deliberately requires a large amount of memory,
> and that this amount is dynamically calculated when creating the device.
> 
> How does a removable device encrypted with LUKS behave in this case?  If I
> create the device on e.g.  a Core i9 with 16 GiB RAM and then try to open
> it on an Atom x5 with 1 GiB, will this be possible at all?  Yes, it would
> be ultra-slow in any case even with LUKS1 header, because of the number of
> iterations, but it would work.
> 
> Thanks,
> Andreas
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
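
A check for the situation discussed in this thread, as an added example that is not part of the original messages or of cryptsetup: it lists the LUKS2 keyslots whose Argon2 memory cost is larger than what the smallest target machine can provide. The sample dump is constructed and its layout is assumed to match the "Keyslots:" section of `cryptsetup luksDump`; the 512 MiB budget is likewise an assumption.

```shell
#!/bin/sh
# Added example: list LUKS2 keyslots whose Argon2 memory cost exceeds a budget.
# Real input would come from:  cryptsetup luksDump <device>

# Constructed sample shaped like the "Keyslots:" section of luksDump output
# for a LUKS2 header (assumed layout; Memory is in KiB). Not a real device.
sample_dump() {
cat <<'EOF'
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        PBKDF:      argon2id
        Time cost:  9
        Memory:     262144
        Threads:    2
  2: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
EOF
}

# slots_over_budget BUDGET_KIB   (dump text on stdin)
# Prints "slot:memory_kib" for every Argon2 keyslot that needs more than
# BUDGET_KIB; PBKDF2 slots have no memory cost and are never reported.
slots_over_budget() {
    awk -v budget="$1" '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }            # any other top-level section
        in_slots && /^[ \t]+[0-9]+: / { slot = $1; sub(":", "", slot); kdf = "" }
        in_slots && $1 == "PBKDF:" { kdf = $2 }
        in_slots && $1 == "Memory:" && kdf ~ /^argon2/ && $2 + 0 > budget + 0 {
            print slot ":" $2
        }
    '
}

# Budget: the smallest machine that must open the container. 512 MiB is an
# assumed figure for a 1 GiB device, leaving room for the rest of the system.
sample_dump | slots_over_budget 524288      # prints 0:1048576
```

A keyslot reported here can be re-keyed with a smaller footprint using the "--pbkdf-memory" option mentioned above (for an existing slot, via `cryptsetup luksConvertKey`). Lowering the memory cost also lowers the cost of each passphrase guess, so pick the largest value every target device can still satisfy.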