[pkg-cryptsetup-devel] Bug#924560: cryptsetup luksOpen requires 1GB of RAM in the default configuration

Dimitri John Ledkov xnox at ubuntu.com
Thu Mar 14 12:36:13 GMT 2019


Package: cryptsetup
Version: 2:2.1.0-1
Severity: important

Dear Maintainer,

Currently the new cryptsetup defaults to LUKS2 format with the
following parameters:

Default PBKDF for LUKS2: argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Meaning that 1GB of RAM is required at luksOpen. This is a significant
RAM increase compared to the previous defaults used in LUKS1. Meaning
that many devices will no longer be able to install afresh, using
full-disk encryption.

For example, many IoT and Pi devices have 1GB of RAM in total, and thus
would OOM kill when trying to luksOpen.

Please consider reducing the default memory requirement of the argon2i
in luks2 by default, or switching to pbkdf2 for LUKS2 as well.

If there are multiple encrypted data volumes, unlocked automatically
with crypttab, under systemd, they would be unlocked in parallel,
meaning peak memory requirement would be 1GB*N on boot for those
systems.

I think it is unfortunate to not support default encryption on 1GB big
devices and VMs.

I have filed a similar bug report in Ubuntu as well just now:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1820049

Regards,

Dimitri.
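
The memory arithmetic in the report above, as an added example that is not part of the original message or of cryptsetup: it reads the per-keyslot `Memory:` cost from `cryptsetup luksDump` output and checks whether N volumes unlocked in parallel fit in RAM. The function names, the sample dump and the 64 MB headroom used in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: estimate peak Argon2 memory when several LUKS2 volumes
# are unlocked in parallel, and compare it with the machine's RAM.

# Constructed sample in the layout `cryptsetup luksDump` prints for LUKS2
# keyslots; Memory is the 1048576 kB default quoted in the report.
sample_dump() {
cat <<'EOF'
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2i
    Time cost:  4
    Memory:     1048576
    Threads:    4
  1: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000000
EOF
}

# Largest per-keyslot PBKDF memory cost (kB) found on stdin.
# pbkdf2 keyslots carry no Memory line and therefore count as 0.
max_pbkdf_kb() {
    awk '$1 == "Memory:" && $2 + 0 > max { max = $2 + 0 } END { print max + 0 }'
}

# Worst case (kB) if $1 volumes, each costing $2 kB, are unlocked at once.
peak_unlock_kb() {
    echo $(( $1 * $2 ))
}

# Succeeds only if peak $1 kB plus headroom $3 kB fits in total RAM $2 kB.
fits_in_ram() {
    [ $(( $1 + $3 )) -le "$2" ]
}

# Total RAM in kB from /proc/meminfo (Linux only); not called by the demo.
mem_total_kb() {
    awk '$1 == "MemTotal:" { print $2 }' /proc/meminfo
}

# Demo on the constructed sample: three volumes on a 1 GB device.
per=$(sample_dump | max_pbkdf_kb)
peak=$(peak_unlock_kb 3 "$per")
if fits_in_ram "$peak" 1048576 65536; then verdict=fits; else verdict="does not fit"; fi
echo "per volume: ${per} kB, 3 in parallel: ${peak} kB, 1 GB device: ${verdict}"
```

On a real system, feed `cryptsetup luksDump <device>` into `max_pbkdf_kb` and pass `$(mem_total_kb)` as the total; an existing keyslot that is too expensive can be re-created with a lower cost using `cryptsetup luksConvertKey --pbkdf-memory <kB>`.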


