[pkg-cryptsetup-devel] Bug#924560: cryptsetup luksOpen requires 1GB of RAM in the default configuration

Guilhem Moulin guilhem at debian.org
Thu Mar 14 18:43:26 GMT 2019


Hi Milan,

On Thu, 14 Mar 2019 at 19:22:42 +0100, Milan Broz wrote:
>>> I think diverging from upstream (and other distros) with respect to
>>> default algorithms requires careful consideration.  And in that case,
>>> compared to PBKDF2 Argon2 has interesting properties (such as resistance
>>> to GPU cracking) which would be a shame not to benefit from out of the
>>> box.
> 
> For this case you need to specify PBKDF parameters directly and skip the benchmark
> (these PBKDF options were added exactly for this use case).
> 
> This problem is there even with PBKDF2 for the iterations time - on some
> IoT devices with a LUKS device (formatted on a developer's machine) the unlocking
> time increases to many minutes. (With Argon PBKDF it is just worse because memory
> can be unavailable.)

Aha, you beat me to it :-)
 
>> I guess dracut with systemd in the initrd might be affected worse
>> than initramfs-tools. I wonder if I should open a bug report in
>> systemd, to potentially execute luks2 unlock with some locking /
>> sequentially.
> 
> FYI we know about that parallel unlocking problem already and we are trying
> to find (with systemd people) some solution (perhaps based on cgroups memory limits
> and some locking).

Cool, do you have a link to refer to?  Couldn't find anything from a
quick glance at systemd's issue tracker.

-- 
Guilhem.
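
The failure mode discussed in this thread (a header formatted on a large machine whose Argon2 memory cost does not fit on the device that unlocks it, alone or with several unlocks running at once) can be checked before deployment. The following is an added example, not code from this thread or from the cryptsetup project; the function names are hypothetical, the metadata and meminfo samples are constructed, and it assumes the keyslot "memory" field of the LUKS2 JSON metadata is in KiB.

```python
import json

# Constructed sample in the shape of LUKS2 JSON metadata (salts and other fields trimmed).
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}},
    }
})

# Constructed /proc/meminfo excerpt for a small target device.
SAMPLE_MEMINFO = """MemTotal:         498148 kB
MemFree:          201332 kB
MemAvailable:     352716 kB
"""

def mem_available_kib(meminfo_text):
    """Return the MemAvailable value (KiB) from /proc/meminfo-style text."""
    for line in meminfo_text.splitlines():
        name, _, rest = line.partition(":")
        if name == "MemAvailable":
            return int(rest.split()[0])
    raise ValueError("MemAvailable not found")

def keyslot_memory(metadata_json):
    """Map keyslot id -> (kdf type, memory cost in KiB); PBKDF2 has no memory cost."""
    slots = json.loads(metadata_json).get("keyslots", {})
    return {slot: (ks.get("kdf", {}).get("type"),
                   int(ks.get("kdf", {}).get("memory", 0)))
            for slot, ks in slots.items()}

def unlock_report(metadata_json, meminfo_text, parallel_unlocks=1):
    """List keyslots whose KDF memory, times the number of simultaneous
    unlocks, exceeds the memory available on the target device."""
    available = mem_available_kib(meminfo_text)
    too_big = []
    for slot, (kdf, mem) in sorted(keyslot_memory(metadata_json).items()):
        needed = mem * parallel_unlocks
        if needed > available:
            too_big.append((slot, kdf, needed, available))
    return too_big

if __name__ == "__main__":
    for slot, kdf, needed, available in unlock_report(SAMPLE_METADATA, SAMPLE_MEMINFO):
        print(f"keyslot {slot} ({kdf}): needs {needed} KiB, {available} KiB available")
```

A flagged keyslot is the case where the PBKDF parameters have to be given explicitly at format time, as described above, rather than taken from the benchmark on the formatting machine.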