This project has moved and is read-only. For the latest updates, please go here.

Question about PIM

Topics: Users Discussion
Sep 29, 2015 at 11:43 PM
If I read the documentation correctly, I can use high PIM values (more than 98 for system encryption and more than 485 otherwise) to increase security.
  • I can also use lower values to increase mounting performance, but only if my passwort has at least 20 characters, correct?
  • If my pw has less than 20 characters, what will happen if I choose a PIM of 97 for sys encryption? Error message? Or does it automatically use the default value?
  • What if I leave it empty and on boot type in "98"? Is empty = 98 or could I increase security even a little bit by choosing 98 instead of nothing?
  • Why do I have to remember how the PIM is used (PIMx2048 and 15k + PIMx1000)? Would'nt it be easier to just let people choose the iteration count directly?
  • Why the seperate calculations? On boot, performance is more important, granted, but if 500k iterations is minimum for non-system volumes, why is 200k safe enough for the system volume?
  • Why is the length of the password the only criterion for Veracrypt to decide if the user can fall below the default PIM values? For example, if you use a 3-character-password and a good keyfile, a low iteration count would'nt hurt security, am I right?
Sep 30, 2015 at 12:23 AM
I will answer some of your questions. The last two questions would need Mounir to answer.

Arme001 wrote:
I can also use lower values to increase mounting performance, but only if my password has at least 20 characters, correct?
Correct.

Arme001 wrote:
If my pw has less than 20 characters, what will happen if I choose a PIM of 97 for sys encryption? Error message? Or does it automatically use the default value?
You will get an error message.

Arme001 wrote:
What if I leave it empty and on boot type in "98"? Is empty = 98 or could I increase security even a little bit by choosing 98 instead of nothing?
The program defaults can be different from the PIM calculations. Hence, when using the program default, do not enter a PIM. In cases where the program default iterations matches precisely the PIM calculations, you can enter the default PIM. For example, the non-system hashes HMAC-SHA-512, HMAC-SHA-256 and HMAC-Whirlpool calculations match the program default iterations of 500000 by using a PIM of 485. You could leave the PIM empty or enter the PIM 485 value to successfully mount the volume.

Arme001 wrote:
Why do I have to remember how the PIM is used (PIMx2048 and 15k + PIMx1000)? Would'nt it be easier to just let people choose the iteration count directly?
PIM would be a smaller number and in my opinion an easy number to remember since it is used in different calculations between system and non-system encryption when using many volumes. As you noted, there are different calculations between system and non-system volumes leading to different iteration results.
Nov 2, 2015 at 10:52 PM
How exactly is using PIM different than using a strong password and keyfile(s)?
Nov 3, 2015 at 2:23 AM
k3tonan wrote:
How exactly is using PIM different than using a strong password and keyfile(s)?
The purpose of PIM was to future proof VeraCrypt by allowing for a higher than program default custom PIM which directly impacts the hash iterations due to advances in hardware and to allow users that wanted faster volume mount/boot times by restricting users to use a minimum password length of 20 characters which allows you to use a lower PIM value.

PIM is not a replacement for passwords and keyfiles.

https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29