Guide to the Linux Manual

cryptsetup(8)

manage plain dm-crypt and LUKS encrypted volumes


NOTES ON PASSPHRASE PROCESSING FOR LUKS

LUKS uses PBKDF2 to protect against dictionary attacks and to give some protection to low-entropy passphrases (see RFC 2898 and the cryptsetup FAQ).

From a terminal: The passphrase is read until the first newline and then processed by PBKDF2 without the newline character.

From stdin: LUKS will read passphrases from stdin up to the first newline character or the compiled-in maximum key file length. If --keyfile-size is given, it is ignored.

From key file: The complete keyfile is read up to the compiled-in maximum size. Newline characters do not terminate the input. The --keyfile-size option can be used to limit what is read.

Passphrase processing: Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), the user may specify how much time the passphrase processing should consume. The time is used to determine the iteration count for PBKDF2: higher times offer better protection for low-entropy passphrases, but open will take longer to complete. For passphrases with more entropy than the derived key length, higher iteration times do not increase security.

The default setting of one or two seconds is sufficient for most practical cases. The only exception is a low-entropy passphrase used on a device with a slow CPU, as this will result in a low iteration count. On a slow device, it may be advisable to increase the iteration time using the --iter-time option in order to obtain a higher iteration count. This does slow down all later luksOpen operations accordingly.