[dm-crypt] Add --iter-count in order to not use --iter-time

Oliver Smith ollieparanoid at bitmessage.ch
Tue Sep 19 22:43:00 CEST 2017


Dear cryptsetup developers,


we are working on a project where we are building a Linux distro targeting older 
mobile devices (e.g. armhf arch). The OS image is built and luksFormat is 
executed on a modern CPU before being moved to the older device, resulting in a 
very high iter count. This is problematic because it typically takes the older 
device tens of seconds in some cases to open the luks partition (for reasons you 
point out in the FAQ). Using -iter-time is not really a good option since the 
types of 'modern cpus' where the distro image can be built is quite varied 
(multiple project devs, etc).

(NOTE: I took the liberty to copy-paste and the above text from Clayton Craft,
who is involved in the same project, from here:
<https://gitlab.com/cryptsetup/cryptsetup/issues/280#note_38098185>.)

The problem described above would be solved with a new command-line option for 
the cryptsetup utility, that allows to directly specify the iteration count.

Follow-up questions:
* Would it be feasible for you to implement this feature any time soon?
* Would you accept a patch if we gave it a shot (we might need some guidance 
though)?

PS: I've noted that you can only send to this mailing list, when you are subscribed,
and to subscribe, one must register over a non-TLS secured HTTP connection (which
of course makes trivial MITM attacks possible).


Best regards,
Oliver Smith



More information about the dm-crypt mailing list