
Default PIM for System Drive

Topics: Users Discussion
Sep 4, 2015 at 3:38 AM
What is the default PIM value used for System drive encryption if no value is input by the user?
Sep 4, 2015 at 4:46 AM
The answers are in the manual at the following links.

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29

NOTE: The program's default iterations may not be the same as PIM iteration calculations.
Sep 4, 2015 at 4:45 PM
So if I'm understanding this correctly, for system partition encryption (boot encryption) 200,000 iterations are used (HMAC-SHA-256). Iterations are calculated by Iterations = PIM x 2048 so the default PIM for system partition encryption would be 200,000 / 2,048 = 97.65, rounded up to 98.

So the default PIM is 98, and if I used a PIM of 98 it'd be roughly the same as using the default and not specifying a PIM. Is that correct or am I way off base here?

Second question, 98 is the minimum PIM value for system encryption, but what is the maximum recommended PIM for system encryption?
Sep 4, 2015 at 5:12 PM
Edited Sep 4, 2015 at 5:15 PM
So the default PIM is 98, and if I used a PIM of 98 it'd be roughly the same as using the default and not specifying a PIM. Is that correct or am I way off base here?

Using SHA-256 hash for system encryption, yes. The program default is 200000, and the user minimum PIM value when the password is less than 20 characters is 98, which is 200704.

There are two types of iterations: program default iterations, where the PIM is set to zero or left empty, and iterations from explicitly setting the PIM.

Per the links I provided, you cannot use a smaller PIM than the minimum allowed unless your password is 20 or more characters. However, you can have a higher PIM value than the minimum PIM no matter what the length of your password.

Second question, 98 is the minimum PIM value for system encryption, but what is the maximum recommended PIM for system encryption?

I do not mean to sound flippant, but how long are you willing to wait for the volume to mount while the program performs the hash iterations?

This will require you to perform some experiments with various PIM settings on your system to determine the wait times for volume mount and your willingness to wait for the volume to mount or, in cases when you enter the password incorrectly, to wait to retry the password.
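A way to run the experiment suggested above, as an added example that is not part of the original thread and is not VeraCrypt code: it applies the Iterations = PIM x 2048 rule and the default and minimum values quoted in this thread, then times one PBKDF2-HMAC-SHA256 derivation per PIM. Assumptions: the function names, the constructed sample passphrase, the 64-byte salt and 64-byte output length, and that a PIM as low as 1 is accepted once the password has 20 or more characters.

```python
import hashlib
import os
import time

# Values quoted in the thread for system encryption with SHA-256.
SYSTEM_DEFAULT_ITERATIONS = 200_000   # used when the PIM is 0 or left empty
MIN_PIM_SHORT_PASSWORD = 98           # minimum PIM when the password is under 20 characters


def system_iterations(pim, password_len):
    """Return the iteration count for a system-encryption PIM (hypothetical helper)."""
    if not pim:                        # 0 or None: program default applies
        return SYSTEM_DEFAULT_ITERATIONS
    if pim < 0:
        raise ValueError("PIM must be positive")
    if password_len < 20 and pim < MIN_PIM_SHORT_PASSWORD:
        raise ValueError("a PIM below 98 requires a password of 20 or more characters")
    return pim * 2048                  # Iterations = PIM x 2048


def time_derivation(pim, password=b"constructed sample passphrase", runs=3):
    """Return (iterations, best wall time in seconds) for one key derivation."""
    iterations = system_iterations(pim, len(password))
    salt = os.urandom(64)              # assumption: 64-byte random salt
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)
        best = min(best, time.perf_counter() - start)
    return iterations, best


if __name__ == "__main__":
    # PIM 0 stands for "no PIM entered"; the others are explicit settings.
    for pim in (0, 98, 200, 500, 1000):
        iterations, seconds = time_derivation(pim)
        label = "default" if pim == 0 else str(pim)
        print(f"PIM {label:>7}: {iterations:>9} iterations, {seconds * 1000:8.1f} ms")
```

The timings come from the operating system's hashlib build, so use them to compare PIM values against each other on one machine rather than as a prediction of the wait at the pre-boot password prompt.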
Sep 4, 2015 at 5:29 PM
That's a good question, I'm not sure about the wait time myself. If I used the default PIM for system drive encryption, on average how long does it take to mount? Knowing the average time of the default setting, I would know if I could tolerate a higher PIM / wait time.
Sep 4, 2015 at 6:00 PM
The mount times are machine dependent based on various hardware components.
Sep 4, 2015 at 6:35 PM
You can review and vote-up the feature request for benchmarking hash & PIM at the link below.

https://veracrypt.codeplex.com/workitem/182

PS: See an edit I made to my post in your other thread. It appears we posted our updates nearly at the same time. :-)
Sep 4, 2015 at 6:37 PM
Thanks for all the responses to my questions over various threads, you've been very helpful.
Sep 9, 2015 at 8:39 PM
Edited Sep 9, 2015 at 8:53 PM
How many iterations did TrueCrypt use for system drive encryption?

Also, does anyone know where I can find a detailed discussion from Mounir concerning the switch in iterations? I believe I came across it on a forum somewhere (perhaps this one), but I can't seem to find it now. It had a detailed response from Mounir explaining his reasoning for increasing the iterations.
Sep 9, 2015 at 9:34 PM
The home page has an explanation of the increase of the VC iterations along with the TC iteration values.

https://veracrypt.codeplex.com/