boot password verification time
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Frist, not sure if forum is active, but "codeplex" seems to be under a long term maintenance.
I'm using VeraCrypt version 1.0f-2 on windows 7 with a quad core i5 processor.
I've encrypted the entire disk. As others have mentioned (https://veracrypt.codeplex.com/discussions/549728), verifying the password on boot is very slow. It takes about 75 seconds for me. It's especially problematic if you accidentally type your password in wrong. I'm a little confused at this long time, because using dm-crypt on ubuntu, it takes less than 1 second to verify my password using a dual core i7 processor. Is veracrypt really that much better as far as security goes? Should I be concerned about dm-crypt? Most other comments have compared to truecrypt's speed, but not dm-crypt.
In the link above, the order, (RIPEMD160 -> SHA2 -> Whirlpool) is mentioned. Does this apply to the "Volumes -> Set Header Key Derivation Algorithm" menu? This list there does not seem to match those options. Have you already phased out RIPEMD160? Have you already changed the default to SHA-512 as is suggested in the above link? I'm just trying to understand what the fastest option to choose right now is.
Is the "PKCS-5 PRF" the header key derivation algorithm? If so, I don't think it is being changed when I do "Set Header Key Derivation algorithm" on the system disk.
I tried creating a few 1MB images in the GUI, they seem to take about 10-20 seconds to mount, and the "Set Header Key Derivation algorithm" seems to work. This is a lot more reasonable of a time, and I read that your speed improvement is possible using 32 bit, multi-core, and some other hardware based crypto. Is 75 seconds the best I am going to get with this i5 machine on boot, or is there some improvement possible by changing to match the first option tried on boot?
Does "Default Mount Parameters" option apply only to the GUI and not the system boot?
Thanks,
i have the same problem (round about 1 minute verifying at boot menu)...
what is to do to solving this problem??
test
Hi,
First, you can't compare between dm-crypt and boot encryption. Boot encryption uses 16-bit code that runs on BIOS mode, which explains why it cans so long to verify the password. dm-crypt or normal VeraCrypt runs on Windows/Linux/MacOSX run on 32-bit/64-bit with full power which gives the quick mount times.
Improvements are expected on this side as you can see on the different links and posts. I will not repeat what has been written before.
The PKCS5-PRF is the header key derivation algorithm. It can't be changed for system encryption. Also, the default mount parameters doesn't influence the boot encryption.
RIPEMD-160 is deprecated by you can still use it for system encryption. It will give you faster boot (2 times quicker than SHA-256). It offers less security than SHA-256 and its design is aging but it is not publicly broken yet. Until boot is optimized, RIPEMD-160 will remain supported for system encryption.
So, to have a quicker boot, choose RIPEMD-160. Currently, you can't change the PKCS5-PRF for system encryption, so if you already use SHA-256, you have to decrypt your system and encrypt it again using RIPEMD-160.
We know there are massive cracking engines out there in the wild.
Some probably are trying to generate rainbow hash tables for our Veracrypt
passwords. The extra security we enjoy using Veracrypt is because
it takes many many seconds for those engines to
calculate 'one' single hash. I think.
Adding the unique salt and a VC file is invulnerable to cracking.
I gladly accept the 1 minute+ boot up time for this invulnerablity.
Think of it as a superpower. Please don't suggest weakening it.
karrson
Last edit: karrson 2015-04-18
@karrson: I will give you an example, why the dynamic mode Mounir will implement is necessary:
You are very paranoid about your apartment and that nobody should get in there without your permission, rightfully so! Even the government should not be able to sneak into your apartment without having to leave traces like a broken door or lock.
So you install a 200 dollar lock, which has no known way to be picked. You open the lock with a special magnetic key, that can be used like a normal key. You can open the door in almost the same time as with your weak lock and key, but it is a lot safer because the possibillities are 99999999 times higher than with the weak lock. Then you get even more paranoid and put an additional 10.000 dollar lock on your door, that has even more possibilities. That should be enough you think but your paranoia tells you "NO!!! NOT ENOUGH!!!" so you install a 5 meter thick steel door and steel walls around your apartment, with retina scanner, 30 character password and two additional doors. The time you now have to take to get into your apartment went from 5 seconds with a lock that nobody will be able to pick in the next 100 years to (unless the mechanism itself is flawed) 5 minutes just to get into your apartment.
You will soon realize, that it is utterly stupid to need 5 minutes got get into your apartment! It will get even more stupid, if your apartment is a taxi company, where people have to get fast access to and have no time to wait 5 minutes to get in.
Same goes with Veracrypt, a 40 character password will not be cracked in the next 100 years of technology but you can type it in 20th of the time of waiting for Veracrypt to boot. Yes, there should be the option for these many iterations and it can be default, but giving the user the option to lower the iterations when the password is strong enough is NOT a security breach, it is the door to the future of Veracrypt to be widely used of people that need fast access to their Notebook, because their business partners do not want to wait 2-3 minutes until C: booted...
SO STOP CALLING MOUNIR A TRAITOR JUST BECAUSE YOU ARE SO IGNORANT!!! THANKS!!!
Veracrypt has to be user friendly and not the opposite, just because some people can't remember a 20-30 character password!
Mounir has posted on the topic of password length and its entropy that would be worth reading.
http://sourceforge.net/p/veracrypt/discussion/general/thread/09696187/#491d
Anonymous person -you should read more carefully.
I was calling 'you' out for asking for a weaker version of veracrypt.
No harm in asking I guess. Perhaps you are a hacker trying social engineering to weaken encryption? It has been tried before.
Truecrypt is still unbroken with long passwords I think. You can go back to that and be fairly safe for a 1 second boot.
As always do not let anyone video your fingers typing in a password as they pretend to check messages on a smart phone standing near by in clear view.
Mounir has done and is doing an excellent job with Veracrypt.
@karsson: first let me tell you that there are more than one "anonymous" users here...
Second: I would rather guess that you try to push 90 percent of users away by giving slow notebooks a boottime of over 5 minutes, which practically makes them useless in most scenarios.
Let users alone that want less iterations with a more secure password. There is absolutely no reason not to implement this necessary feature, no additional risk, just an option that makes veracrypt user friendly for most people. High iterations will still be set by default as Mounir said and if you want to use lower iterations you can do it only with a strong password and after clicking lots of warnings away... if you want to make veracrypt more "secure" tell Mounir to deactivate 1 character passwords.
@Mounir: sorry, I know there are dozens of discussions on this topic already and you already made your decision with dynamic mode which is great, but I can not leave such postings undiscussed...
Last edit: Mounir IDRASSI 2015-04-21
I edited this post to remove some offensive language...I respect all opinions but I will not tolerate postings with personal attacks or aggressive language. I prefer supposing that everybody here has good intentions.
I tried this on my laptop with i7-2640M. It takes over 4 min just to verify password (used SHA). Considering that complete turn on to windows is less than 30 seconds it is ridiculous. As is it is unusable. If it is more than 10-15 seconds it is too slow. IMHO it should be less than 5.
I just installed Veracrypt to Lenovo T440s having i7 and 256GB SSD.
Password verification takes about 5 minutes which just is plain unacceptable. I can't waste working time for waiting the system to boot up.
Only alternative for me is to get back to plain old Truecrypt as its booting process is fast.
For me, and most likely for 99% of normal users, Veracrypt approach is just wrong. Sorry.
Well, Mounir is already working on the dynamic mode which will give the users the option to choose if they want higher or lower iterations which means lower or higher boot speed! So the only thing we can do is wait, wait and wait...
MOUNIR, HURRY UP MAN! I SWEAR I WILL DONATE IF THE DYNAMIC MODE IS FINISHED AND WORKS!
I can also sing you some songs to make the work time nicer!
Boot speed is ok (?) passowrd verification time is bad. But I mean 5min with notebook-i7 is the new negative world record (???!?111) :-)
I mean the time for verification boot password is after last beta THE issue of VeryCrypt. And to wait >10s to boot process make folks agressive :-) Its not fine, but upon a this subject we must have a little understanding for agressive Waitingpeople ;-)
Another question: We realy need DYNAMIC mode? Or is fixed iterations count >= 12 charakters password and sha-512 would be secure enough? Simplicity of code (?) and faster programming/make the solution?
I mean DiskCryptor use 1000, Sha-512 for preboot and this is fast enough to make double his verification time on VeraCrypt also fast enough for everyone.
Agains thousand theoretically-superduper Asic/GPU power, password hashing with fixed 2500 iterations and sha-512 with >=12 charakters is not secure enough? ;-)
I have upload the installer for version 1.12-BETA that includes a first implementation of dynamic mode. It is available on the nightly builds folder: https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
The dynamic mode is implemented through the introduction of a new fields called PIN, which is an abbreviation of Personal Iterations Number (this name was contributed by user Ollie). This field can be left empty or set to 0 to have the same behavior as before.
If a value is specified in PIN, then the iterations are calculated as follows:
If the password is less than 20 characters, PIN must be greater than 98 for system encryption and greater than 485 for the other cases.
If the password is longer than 20 characters, PIN can be equal to 1 and upwards.
Thank you in advance for your tests and feedback.
lenovo T440 - intel core i5 - 4GB RAM
encrypt windows 7 partition
password of 22 caracteres - AES 256 bits
Time to verify password : 4 min 40 seg.
It's not posibble wait this time for users of my company
Thank for your work
Did you download the latest version 1.12-BETA? If yes,with a password of 22 characters you can have a quick boot by specifying a Volume PIN that is equal to 1.
You can download this version from the nightly builds folder : https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
Hello.
I will start off by stating that I am totally new to using VeraCrypt (I have experience with another encryption application)
I landed her as for I, like others was experiencing the long delay time when verifying the password.
Specifics:
Win 8.1 Enterprise 64bit
Intel i7
16gb ram
250gb Intel SSD
Entire drive encrypted using AES 256
22 character password
I just upgraded from 1.0f-2 to 1.22B-BETA to take advantage of the PIN option. Aka hoping for overall faster boot times.
Thus comes to the part which I don't understand and could use some help (yes I read the above posts several times)
If I enter my password and leave the PIN blank, the password will verify however the password verification time, give or take, is the same as ver 1.0f-2.
I have tried 1 for the PIN, but the password verification fails within a second or two.
I tried 98 for the PIN, still fails but takes longer than 1.
I tried 500 (just taking a shot in the dark). Still fails, but takes a LONG time to do so.
Clearly I am missing something. I could use some help with how to properly select the correct PIN number and or any specific configuration I need to do within the VeraCrypt app.
Thanks in advance.
Hi,
Since your system is already encrypted with an older version, in order to take advantage of the new dynamic mode feature, you must use the change password functionality:
Open VeraCrypt, and go to menu System -> Change Password.
In the change password dialog, type your password and leave the PIN empty in the Current part, and in the New part, type your password again (or a new long password) and here set the PIN to 1. Here is a screenshot that explains this:
After this, once you reboot, you can use the new PIN.
Last point: don't forget to create a new Rescue Disk after you install 1.12-BETA and especially after you change the PIN from the default empty value.
Last edit: Mounir IDRASSI 2015-06-10
Mounir.
Thank you for the detailed instructions.
I did just as you suggested and now the Verifying Password process only takes about 1 second.
Thank you!
Thank you Mounir for implementing the dynamic mode.
But what about giving the user 3 possible options for iterations, the standard iteration number is the one that is used right now. The other 2 options could be selected with a password over 22 characters and you can choose between 10.000 iterations or 50.000 iterations for example.
So if Veracrypt mounts a container or the system drive it first checks the 10.000, then the 50.000 and at last the standard iteration number. Because the 10.000 and 50.000 don't add hardly any time to somebody that uses the standard iteration number there would be no disadvantage.
But using this PIN is totally overkill, not user-friendly and could be avoided.
My opinion. Can you think about it? I don't think any user wants to be able to set the iteration number spefifically in this wide range of options, they just want to set it lower so that their PC or laptop can mount the system in under 10 seconds...
The PIN mode makes an easy fix very complicated, which is not necessary.
Just to make sure everyone understands that you do not have to set the iteration field in order to use the current VeraCrypt default iterations. This maintains backward compatibility and behavior to previous versions of VeraCrypt.
The problem with setting hardcoded iteration values are various hardware configurations result in slower/faster mounting times for a volume. As an example, my system specs may allow for higher iterations than your system in order to mount the volume in X seconds.
Also, every person will have different expectations for trading-off weaker/faster or stronger/slower mount times for certain volumes.
Another suggestion is to allow use of both an iteration field and a slider to set iteration field. See the discussion in the ticket below.
https://veracrypt.codeplex.com/workitem/147
I agree with Enigma2Illusion that hard coding specific values is not the way to go. The objective of the dynamic mode is not to allow user to reduce iterations but to give users a way to customize security depending on their needs, and this may include increasing iterations compared to the current level to match increasing computing power.
I kindly disagree with the anonymous poster about his description of this feature as useless and that it should be avoided. Of course, there are still some effort to do in order to make it more user friendly and that's the subject of the discussion in the link posted by Enigma2Illusion above.
Any suggestions in this direction are welcomed.
I disagree with Enigma2Illusion. Security ist not a trade-off. Crypto is not securer. It is either secure or not secure.
The punchline of PIN is: Choose good passphrase and you must not muse about PIN (=1). But I have not understanding why PIN = 1 is not default ;-)
Not /milions/ of iterations for password123 are best. Good passphrases with xx.xxx iterations are best.
But we should be NOT change this any more for PBKDF2. The real solution for key derrivation problem are bcrypt or scrypt. In VeraCrypt2 :-)
But I also mean, the next construction area - except still known hiccups on all OS? - are GPT and DiskCryptor-like (means: good) benefits for SSDs.
Further KDF-todos is a job for 2016 (for my money).
This is why Mounir set lower limits for the iteration based on the password length and he prompts with a question asking the user if they used a strong password.
I am curious about the references to bcrypt or scrypt as I have read that they require high memory usage. Would the high memory requirement prevent using bcrypt or scrypt for system encryption?