How to switch back to RIPEMD-160? Everything is grayed out.

Topics: Technical Issues
Jan 1, 2015 at 4:39 AM
With 1.0f I encrypted my system partition. AES w/ SHA-256 for the hash. Boot time is now very slow nearly ~5 minutes. The exact same machine with RIPEMD-160 on 1.0e took 1 minute or less. So I want to switch back. How?

When I go to System > Set Header Key Derivation Algorithm all the fields are grayed out except the password and wipe mode. How do I change back to RIPEMD-160?

Clarity about AutoDetect
  1. Does the boot loader autodetect or does it have some order? I see mixed messages about what is going on here. Release notes say "Make SHA-512 the default key derivation algorithm and change the order of preference of derivation algorithms : SHA-512 -> Whirlpool -> SHA-256 -> RIPEMD160" Does this apply to boot loader?
Coordinator
Jan 1, 2015 at 10:03 PM
Hi,

In the context of the bootloader, the PRF function is hardcoded so the order to preference doesn't affect VeraCrypt in this case.
Currently, the change of the PRF in the case of system encryption is not implemented because it requires creating a new bootloader. That's why it is greyed out in the change password dialog.

Unfortunately, for now, the only way to go back to RIPEMD-160 is to decrypt your system and encrypt back using RIPEMD-160. But I will try to implement this in the future to avoid losing time in decryption/encryption.

That being said, I find the 5x factor between SHA-256 and RIPEMD-160 on your machine strange. Normally, it should be a 2x factor, at least on that's the case on the different machine where I tested it.
Can you please tell us what CPU are you using? This will help me better measure the performance of the encryption and also plan if any enchancement can be implemented in the future on this side.

Thanks.
Jan 2, 2015 at 2:05 AM
So I got out the watch and it turns out my perception of time is a bit off. You were closer:

VeraCrypt PW Authentication Times:
RIPEMD-160: 1m 10s
SHA-256: 2m 40s

The system I use is very low end: Zotac ZBOX-BI320-U-W2 which has a Celeron 2957U 1.4ghz w/ 2GB RAM. It doesn't have an AES extension but the machine is still tolerable for casual use once it boots up. Takes about 20m to fully encrypt the disk.
Coordinator
Jan 2, 2015 at 9:42 AM
Thanks for the feedback.
Indeed, your times are closer to what I expected.