luks increase delays between password attempts

Question

From what I understand, argon provides a delay between password attempts. Does luks allow increasing or reducing the delay?

Answer 1

It's not a good idea to conceptualize this as a "password delay". A delay is typically added artificially by a program: for example, when iPhones prevent you from typing your password for a while, that's not related to the cryptography that locks the phone, instead it's a feature of the actual keyguard program.

On the other hand, the KDF iteration count is a real cryptographic thing. When you enter your password, it is passed through a key derivation function (such as Argon2), which has some parameters to tune. One of those -- the iteration count -- is the amount of work your CPU must do before getting the correct key to decrypt the drive proper -- and it is also the amount of work you would need to do before figuring out that the original password was wrong, which is what you perceive as a delay.

The reason a KDF is used is because human-memorable strings have lousy entropy, not good enough for cryptographic keys. For example, if you were using a 4-digit password, it's fairly quick to run through all the 10000 combinations. If there wasn't a KDF, then checking each one is basically instant, so whoever gains access to your hard drive can easily pwn your data. On the other hand, a KDF can increase the time it takes to check each one: the default LUKS configuration takes about 2 seconds to run on my laptop, so even if I knew that you were using a 4-digit password, it would still take me up to 6 hours to run through all of them.

Because of this, the KDF difficulty is fairly important for securing your disk from being readable if stolen. The default settings are a reasonable compromise between being slow enough to avoid casual bruteforcing, and not too slow as to annoy people if they make typos in the password. You should consider these two aspects when choosing the KDF difficulty.

As for how to change it, you'll need to change a keyslot corresponding to your password, and specify your new parameters there. Here's a full example:

First, we create a new file and format it as a LUKS volume, for testing:

$ dd if=/dev/zero of=./test.bin bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 0.0911995 s, 2.3 GB/s
$ cryptsetup luksFormat ./test.bin
WARNING!
This will overwrite data on ./test.bin irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for ./test.bin: 
Verify passphrase: 

Viewing the volume info, we can see that it has one keyslot, whose Argon2 parameters are time cost=7 and memory=1048576.

$ cryptsetup luksDump ./test.bin 
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           e2af83b3-719a-47e8-a43b-e5b1266041bd
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)
Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 4096 [bytes]
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  7
    Memory:     1048576
    Threads:    4
    Salt:       56 ac 57 47 ed a6 fb 52 44 1c 17 76 be 79 73 30 
                b0 7e 87 76 62 8b a2 a3 e3 56 d1 dd 4e 7b 18 3f 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 103206
    Salt:       d7 fb 29 2d 32 b2 cf 2a b5 7f 86 63 aa 0c 49 c2 
                4e c7 14 b0 2c 9d 07 e6 c1 82 85 a5 f9 20 45 6a 
    Digest:     55 0b 79 c3 c6 b8 0f db ba ea cf b4 5e 5c 20 51 
                c0 3d 1d cb 8b 04 9f 51 ad b1 4c 69 66 63 61 7e 

The easiest way to update this keyslot is to use luksChangeKey. At that time, you can specify the difficulty parameters. You may choose to specify the time and memory components separately, but it's much easier to use the --iter-time/-i parameter: this benchmarks your own computer, and makes it so that the KDF takes the given number of milliseconds.

You can see that setting it to a low value (like 0.1 seconds) will decrease the KDF parameters:

$ cryptsetup luksChangeKey ./test.bin -i 100
Enter passphrase to be changed: 
Enter new passphrase: 
Verify passphrase:
$ cryptsetup luksDump ./test.bin
...
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     87989
    Threads:    4
    Salt:       21 8e 01 50 ac ad 69 3b 4d d1 08 1d 0f 03 f9 26 
                f2 07 0e 40 19 17 79 67 c6 71 ec 24 4d 25 ab 5c 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
...
$ sudo cryptsetup open ./test.bin testdrive
Enter passphrase for ./test.bin: 
... 100 ms later ...
No key available with this passphrase.
Enter passphrase for ./test.bin: 
... 100 ms later ...
$

... and setting it to a larger value (like 30 seconds) will increase the parameters:

$ cryptsetup luksChangeKey ./test.bin -i 30000
Enter passphrase to be changed: 
Enter new passphrase: 
Verify passphrase:
$ cryptsetup luksDump ./test.bin
...
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  102
    Memory:     1048576
    Threads:    4
    Salt:       17 52 de 45 52 93 cd 91 39 ef 01 c5 fb a7 39 2d 
                ae 47 23 86 80 a9 6c 2c 88 1f a0 39 8a ed 19 80 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
...
$ sudo cryptsetup open ./test.bin testdrive
Enter passphrase for ./test.bin: 
... 30 seconds later ...
No key available with this passphrase.
Enter passphrase for ./test.bin: 
... 30 seconds later ...
$

To do this on the live system, replace ./test.bin with the path to your actual cryptdrive. On my system, it's /dev/nvme0n1p3.