[dm-crypt] Add --iter-count in order to not use --iter-time

Arno Wagner arno at wagner.name
Wed Sep 20 12:15:54 CEST 2017


On Wed, Sep 20, 2017 at 00:40:22 CEST, Milan Broz wrote:
[...]
> 
> This option can be quite dangerous but I agree that there is a use case
> for it.
> 

I agree that while this option will allow some people to shoot 
themselves in the foot (and hence is somewhat dangerous), it
does have its uses. Unfortunately, people can always sabotage 
themselves when using crypto, so I think the additional risk is
small.

One thing to think about with the memory hard KDF for LUKS2 
(I assume Argon2) is whether to give the user access to all 
the relevant parameters. I think the same reasoning as to 
PBKDF2 iterations applies, i.e. warn people to not do this 
unless they know what they are doing, but if they want to 
do it anyways, give them a clean way to do so to minimize
additional risks.

Regards,
Arno




-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
