[pkg-cryptsetup-devel] Bug#924560: cryptsetup luksOpen requires 1GB of RAM in the default configuration
Dimitri John Ledkov
xnox at ubuntu.com
Thu Mar 14 12:36:13 GMT 2019
Package: cryptsetup
Version: 2:2.1.0-1
Severity: important
Dear Maintainer,
Currently the new cryptsetup defaults to LUKS2 format with the
following parameters:
Default PBKDF for LUKS2: argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Meaning that 1GB of RAM is required at luksOpen. This is a significant
RAM increase compared to the previous defaults used in LUKS1. Meaning
that many devices will no longer be able to installs afresh, using
full-disk encryption.
For example many IoT and Pi devices have 1GB of ram in total, and thus
would OOM kill when trying to luksOpen.
Please consider reducing the default memory requirement of the argon2i
in luks2 by default, or switching to pbkdf2 for LUKS2 as well.
If there are multiple encrypted datavolumes, unlocked automatically
with crypttab, under systemd, they would be unlocked in parallel,
meaning peak memory requirement would be 1GB*N on boot for those
systems.
I think it is unfortunate to not support default encryption on 1GB big
devices and VMs.
I have filed a similar bug report in Ubuntu as well just now:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1820049
Regards,
Dimitri.
More information about the pkg-cryptsetup-devel
mailing list