Bootloader takes 4-5 minutes to unlock system drive.

Topics: Technical Issues
Aug 20, 2015 at 10:01 PM
Edited Aug 20, 2015 at 10:02 PM
Hello "veracrypt" community.
And by the way, I'm extremely happy that I found veracrypt, since I was a big fan of truecrypt and I'm happy to see that it lives on and that it is even kept alive and being improved. It is such a great software. ;-)
I found veracrypt by accident, so I hope the word about veracrypt will spread in the future so people who use the outdated truecrypt can try out veracrypt instead ;-)

My problem
Well, I have encrypted my system drive ( c:\ ) and when I boot my system I now see the password screen where I enter my code and PIM.
After entering my code there is a 4-5 minute waiting time, and I think this is a bit extreme compared to "truecrypt", which unlocked my system drive in 1 second in the past.
So I was wondering what I might have done wrong and how I can fix this ?

My system does not have the "uefi" feature in the bios and does not support uefi at all.
core i7 980x 3800mhz ( oc )
12gb ddr3 ram
2 ssd drives and 1 old backup hd.
windows 10 pro 64bit.
VeraCrypt 1.13
encryption ( aes-twofish-serpent ) 768bit encryption.
code length..: 35-40
PIM ..: I press Enter; I read that it uses a default value.

I know the encryption is very secure considering that my computer is just used for gaming and web surfing, but I just like to secure my data, and I also find it interesting to use the software and learn more about it and encryption now and then.

Anyway, I hope someone can help me.
PS.. Yes I did use the search function but I had no success in finding what I seek, though I read many interesting questions and answers along the way.
Aug 20, 2015 at 10:54 PM

You can set the PIM to a lower value if your password is 20 or more characters which will reduce the number of iterations performed by the hash algorithm.

Kind Regards.
Sep 22, 2015 at 4:04 PM
Thank you very much for maintaining and developing this great software.

I have a request regarding the PIM and the password length. As sketched in the posting above from delevero, I have the same problem with long delay times during logon. So to avoid it I'm forced by the software to use a 20 character password.

For my private system it's absolute overkill, because I'm not in the focus of the NSA or any other agency, group or person that would invest more than 5 minutes to decrypt my system. My 'enemies' are just normal thieves that steal my laptop, potentially unfriendly disposed colleagues or a jealous wife.

So for my purpose a three character password and a PIM = 1 would be more than I really need. Because none of these persons would really try to decrypt an encrypted password with brute force (assuming that they try to read it e.g. with a Live-CD). If they see that it's encrypted they will give up. And if they really wouldn't give up, the damage is relatively small.

So my request is to simply set the PIM minimal value for short passwords to 1 (instead of 98) for system encryption and to 1 (instead of 485) for non-system encryption and file containers. Or make these thresholds configurable (I know that it's a bigger effort). So make the software more flexible, please. This means that you would leave it to the users how strong their security requirements are and if they are willing to invest 5 minutes of delay or use a very long password each time they boot their computer.

Please don't misunderstand me: Your current solution is very fine for any person with very high security requirements. But I guess that many users of this software are playing in my league (from the security point of view) and would be happy to have more flexible options.

Best Regards
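The relationship between PIM, password length and key-derivation work discussed in the posts above, as an added Python example that is not part of the original thread or VeraCrypt's code. It uses the PIM-to-iterations formulas from VeraCrypt's documentation and the 20-character, 98 and 485 thresholds quoted in the thread; the password, salt and `dklen` are constructed, and timings reflect the host running the script, not the pre-boot environment.

```python
import hashlib
import time

MIN_LEN_FOR_LOW_PIM = 20                       # password length that lifts the PIM floor
PIM_FLOOR = {"system": 98, "non-system": 485}  # floors for shorter passwords


def iterations_for_pim(pim: int, kind: str) -> int:
    """PIM-to-iterations mapping as given in VeraCrypt's documentation."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    if kind == "system":       # system encryption not using SHA-512 or Whirlpool
        return pim * 2048
    if kind == "non-system":   # non-system volumes and file containers
        return 15000 + pim * 1000
    raise ValueError(f"unknown volume kind: {kind!r}")


def pim_allowed(pim: int, password_len: int, kind: str) -> bool:
    """A PIM below the floor is accepted only with a 20+ character password."""
    return password_len >= MIN_LEN_FOR_LOW_PIM or pim >= PIM_FLOOR[kind]


def relative_cost(pim: int, kind: str) -> float:
    """Per-guess derivation work relative to the floor PIM for this volume kind."""
    return iterations_for_pim(pim, kind) / iterations_for_pim(PIM_FLOOR[kind], kind)


def time_derivation(password: bytes, salt: bytes, pim: int, kind: str) -> float:
    """Seconds for one PBKDF2-HMAC-SHA256 derivation on this host."""
    start = time.perf_counter()
    # dklen=64 is an illustrative choice, not VeraCrypt's header key size.
    hashlib.pbkdf2_hmac("sha256", password, salt,
                        iterations_for_pim(pim, kind), dklen=64)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real volume.
    pw, salt = b"constructed sample passphrase 123", b"\x00" * 64
    for pim in (98, 20, 1):
        its = iterations_for_pim(pim, "system")
        ok = pim_allowed(pim, len(pw), "system")
        secs = time_derivation(pw, salt, pim, "system")
        print(f"PIM {pim:>3}: {its:>7} iterations, "
              f"{relative_cost(pim, 'system'):.3f}x floor cost, "
              f"allowed={ok}, {secs:.3f}s on this host")
```

Lowering the PIM shortens the legitimate unlock and every attacker guess by the same factor, which is why a low PIM is tied to a long password.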
Sep 22, 2015 at 4:28 PM
VeraCrypt has learned from the TrueCrypt experience: many adversaries use brute force tools successfully on TrueCrypt to commit unauthorized entry where users have selected weak passwords. For that reason, VeraCrypt has been designed to prevent the use of weak passwords. One big advantage of the PIM strategy is that it makes the life of the brute force tool builder more difficult. The PIM strategy also contributes to the prevention of weak passwords. VeraCrypt is a high-end security product and is designed accordingly, with the intention of firmly establishing a reputation for being de facto unbreakable. The approach you suggest would make VeraCrypt breakable, and would therefore damage VeraCrypt's reputation.
Sep 22, 2015 at 5:02 PM
If you don't need the "extra security" VeraCrypt or Truecrypt offers, then you could simply use Bitlocker and enjoy some performance improvements and hardware assistance. If you have a TPM you could use Bitlocker. While setting it up simply also select a PIN for system startup and you should be fine in your scenario. But that is something I wouldn't really call secure.

Conclusion: If you want a software that adds an insecure PIN at system startup and has a very little performance impact, then use Bitlocker and don't use a software designed to be as secure as possible in all cases a human being could imagine.
Sep 22, 2015 at 7:34 PM
agowa338 wrote:

Conclusion: If you want a software that adds an insecure PIN at system startup and has a very little performance impact, then use Bitlocker and don't use a software designed to be as secure as possible in all cases a human being could imagine.

What Agowa338 said