PBKDF2 is one of the key derivation functions LUKS uses to turn a passphrase into the key that unlocks a volume, and the number of times it is iterated is a tunable parameter. The iteration count has a direct effect on security and performance: more iterations raise the cost of every guess in a brute-force attack, while the count must stay low enough that unlocking the disk remains usable.
Here’s how to decide on an optimal iteration count for LUKS:
1. How Iterations Work
The iteration count determines how many times the key derivation function runs. Higher counts make each passphrase guess more expensive for an attacker but also lengthen the time it takes to unlock the encrypted disk. LUKS typically selects a suitable count based on the system’s hardware.
2. Optimal Iterations
For modern systems, the goal is a derivation time of about 1 second. This typically corresponds to 100,000–500,000 iterations, depending on the hardware’s performance. On older or slower systems, fewer iterations may be used to keep unlocking efficient.
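The following is an added example, not code from the original page or from the cryptsetup project. It runs the same PBKDF2-HMAC-SHA256 construction that cryptsetup uses with --pbkdf pbkdf2, times it for a few iteration counts to show that cost grows in direct proportion to the count, and extrapolates the count that would take about 1 second on the machine it runs on. The passphrase and salt are constructed sample values; cryptsetup picks its own per-keyslot salt, and the rounding rule in iterations_for_target is this example’s own convention.

```python
import hashlib
import os
import time

# Constructed sample inputs for the demonstration (not a real passphrase or salt).
PASSPHRASE = b"correct horse battery staple"
SALT = os.urandom(16)


def derive_key(passphrase: bytes, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256, the construction cryptsetup runs for --pbkdf pbkdf2
    (cryptsetup chooses its own per-keyslot salt and hash)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=key_len)


def time_derivation(iterations: int) -> float:
    """Seconds spent on one derivation with the given iteration count."""
    start = time.perf_counter()
    derive_key(PASSPHRASE, SALT, iterations)
    return time.perf_counter() - start


def iterations_for_target(iters_per_second: float, target_seconds: float) -> int:
    """Iteration count that costs roughly target_seconds at the measured rate,
    rounded down to a multiple of 1000 with a floor of 1000 (example convention)."""
    return max(1000, int(iters_per_second * target_seconds) // 1000 * 1000)


def calibrate(target_seconds: float = 1.0, probe_iterations: int = 50_000) -> int:
    """Time one probe run and extrapolate linearly: PBKDF2 work is proportional
    to the iteration count, so a single probe fixes the iterations-per-second rate."""
    elapsed = time_derivation(probe_iterations)
    return iterations_for_target(probe_iterations / elapsed, target_seconds)


if __name__ == "__main__":
    # Doubling the count roughly doubles the time; the attacker pays the same per guess.
    for count in (10_000, 100_000, 200_000):
        print(f"{count:>8} iterations: {time_derivation(count):.3f} s")
    print("iteration count for ~1 s on this CPU:", calibrate(1.0))
```

The figure calibrate() returns is the unlock cost on your own CPU; an attacker with faster hardware pays proportionally less per guess, which is why the count should be as high as your tolerance for unlock delay allows rather than the minimum that feels fast.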
3. Setting Iterations in LUKS
You can customize the iteration count when creating or formatting a LUKS volume. For example:
cryptsetup luksFormat --pbkdf pbkdf2 --pbkdf-force-iterations 200000 /dev/sdX
This command sets the iteration count explicitly instead of letting cryptsetup benchmark one. Replace /dev/sdX with the actual device; luksFormat writes a new LUKS header to it, so any existing data on the device is lost.
4. Testing and Benchmarking
To find the right balance for your system, use the following commands:
• Run a performance benchmark:
cryptsetup benchmark
This tests the speed of the key derivation process and gives you an idea of how many iterations per second your system can handle.
• Experiment with different counts and test the unlock time to ensure it remains practical.
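As an added example (not code from the page or from cryptsetup), the script below turns the numbers cryptsetup benchmark prints into an explicit iteration count for a chosen target unlock time and builds the matching luksFormat command. The benchmark text embedded in it is a constructed sample in the shape of the tool’s PBKDF2 lines (“PBKDF2-sha256  N iterations per second for 256-bit key”), with made-up rates; /dev/sdX is the placeholder device from the page, and the rounding to a multiple of 1000 is this example’s own choice.

```python
import re

# Constructed sample in the shape of `cryptsetup benchmark` output. The rates are
# made up for the demonstration, not measurements from a real machine.
SAMPLE_BENCHMARK = """\
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      500000 iterations per second for 256-bit key
PBKDF2-sha256    400000 iterations per second for 256-bit key
PBKDF2-sha512    300000 iterations per second for 256-bit key
argon2id     4 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
"""

# Matches the PBKDF2 result lines; argon2 lines have a different shape and are skipped.
PBKDF2_LINE = re.compile(r"^PBKDF2-(\S+)\s+(\d+)\s+iterations per second")


def parse_pbkdf2_rates(benchmark_output: str) -> dict:
    """Map hash name -> iterations per second from benchmark output."""
    rates = {}
    for line in benchmark_output.splitlines():
        match = PBKDF2_LINE.match(line)
        if match:
            rates[match.group(1)] = int(match.group(2))
    return rates


def iterations_for_target(iters_per_second: int, target_ms: int) -> int:
    """Count that takes about target_ms at the benchmarked rate, rounded down
    to a multiple of 1000 with a floor of 1000 (example convention)."""
    return max(1000, iters_per_second * target_ms // 1000 // 1000 * 1000)


def luks_format_command(device: str, hash_name: str, iterations: int) -> str:
    """Build the explicit-iteration luksFormat command line (the device is a placeholder)."""
    return (f"cryptsetup luksFormat --pbkdf pbkdf2 --hash {hash_name} "
            f"--pbkdf-force-iterations {iterations} {device}")


def recommend(benchmark_output: str, hash_name: str = "sha256",
              target_ms: int = 1000, device: str = "/dev/sdX") -> tuple:
    """Return (iteration count, luksFormat command) for the requested hash and target time."""
    rates = parse_pbkdf2_rates(benchmark_output)
    if hash_name not in rates:
        raise ValueError(f"no PBKDF2-{hash_name} line in benchmark output")
    count = iterations_for_target(rates[hash_name], target_ms)
    return count, luks_format_command(device, hash_name, count)


if __name__ == "__main__":
    # With real output: recommend(subprocess.check_output(["cryptsetup", "benchmark"], text=True))
    for target in (500, 1000, 2000):
        count, command = recommend(SAMPLE_BENCHMARK, target_ms=target)
        print(f"target {target:>4} ms -> {count:>7} iterations\n  {command}")
```

The benchmark measures in-memory PBKDF2 speed on your own CPU, so the count it yields reflects your unlock delay, not an attacker’s throughput; choose the target time by how long an unlock you are willing to wait for. After formatting, cryptsetup luksDump on the device shows the iteration count actually stored for each keyslot, which is the value worth checking against what you intended.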