Volume (master) key digest is there only to verify validity of the key. The digest iteration count is not relevant for the security of LUKS in normal situation.
This iteration (slowdown) for digest will only help if the volume key was generated by a flawed RNG, where brute-force is possible. (For proper RNG it is impossible to brute force key even without iterations.) Moreover, if you know some plaintext on device, attacker will use different trick (I think it is described in linked paper): You try to decrypt device and check that plaintext (for example filesytem magic string). This bypasses digest completely and cost is onle one cipher decryption step per try (much cheaper than digest calculation). IOW: the digest iteration count is not important, only the iteration count in keyslot is, this one slows down password dictionary and brute- force attacks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1703691 Title: Using iter-time doesn't give the desired timeout and security To manage notifications about this bug go to: https://bugs.launchpad.net/cryptsetup/+bug/1703691/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
