Hi Paddy,
I may have been wrong about the key order (it isn't immediately obvious which key is stored in which slot), and just jumping to conclusions.
Here are the steps that I used to ensure the keys are in the optimum order, and also to adjust the number of iterations done on each key - which influences how quickly the device can be unlocked. The steps are fairly simple and quick, but you do have to enter your passphrase many times!
# 1. specify your encrypted device (substitute your device name)
device=/dev/nvme0n1p5
# 2. check what's in the encryption header - note the iterations for each key
sudo cryptsetup luksDump $device
# 3. create an extra passphrase as a back-stop. Enter your passphrase when prompted (3 times)
sudo cryptsetup --key-slot 7 luksAddKey $device
# 4. delete existing user key slot (luksKillSlot asks for a passphrase from one of the remaining slots)
sudo cryptsetup luksKillSlot $device 0
# 5. delete existing machine key slot
sudo cryptsetup luksKillSlot $device 1
# 6. Create a new key slot for your passphrase, with required iter-time:
sudo cryptsetup --iter-time 500 --key-slot 0 luksAddKey $device
# 7. Create a new key slot for the machine key, with required iter-time:
sudo cryptsetup --iter-time 1000 --key-slot 1 luksAddKey $device /etc/crypt.system
# 8. check what's in the encryption header - note the iterations for each key
sudo cryptsetup luksDump $device
# 9. Reboot, and check to see how fast the startup is.
If you'd like to reduce the boot time, repeat steps 1, 4, 6 & 8, choosing a lower value for iter-time (the iter-time is the amount of time, in milliseconds, that the encryption process spends "hashing" (scrambling) your passphrase before it is stored. It would take the same amount of time to repeat this process each time you decrypt the device - but only if your processor can operate at the same speed during boot. That's not always the case - in my case it was 10 times slower.)
You can also repeat steps 5 & 7, choosing a lower iter-time, to speed up the second part of the boot process, but this will make less of a difference.
When you've finished, you can optionally delete the "back-stop" key in slot 7 (but there's no harm in leaving it).
In my case, I found that an iter-time of 200 for my passphrase gave 185000 iterations, which took about 2 seconds during boot. For the machine key, I found that an iter-time of 1000 gave 900000 iterations, which took about 1 second during boot. The default iter-time is 2000. The relationship between iter-time and number of iterations depends on how fast your machine is. As I mentioned previously, there are potential security implications of reducing the number of iterations, but so long as a sufficiently long/complex passphrase is used, there's no problem. This topic is well discussed here.
I hope that the above proves to be useful for anyone suffering agonisingly long boot times.
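Step 8 above re-checks the header after re-keying; as an added example (not from the post), here is a small POSIX sh script that reads `cryptsetup luksDump` output, lists the PBKDF2 iteration count of each enabled key slot, and flags any slot that has dropped below a floor you choose, so a lowered iter-time can be checked against a minimum you are comfortable with. It assumes the LUKS1 `Key Slot N:` layout and the LUKS2 `  N: luks2` keyslot layout (argon2 slots, which have no `Iterations:` line, are skipped); the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not the original poster's code: parse luksDump output and
# report PBKDF2 iterations per key slot, flagging slots below a chosen floor.

# Constructed sample in the LUKS1 luksDump layout (stands in for real output).
SAMPLE_DUMP='LUKS header information for /dev/nvme0n1p5

Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
        Iterations:             185000
        Salt:                   de ad be ef
Key Slot 1: ENABLED
        Iterations:             900000
Key Slot 2: DISABLED
Key Slot 7: ENABLED
        Iterations:             1900000
Key Slot 3: DISABLED'

# slot_iterations: stdin = luksDump text; stdout = "<slot> <iterations>" per slot.
# A slot is "open" from its header line until its Iterations line or the next
# top-level (column 0) line, so digest iterations in LUKS2 output are not counted.
slot_iterations() {
    awk '
        /^Key Slot [0-9]+:/        { slot = $3; sub(":", "", slot); next }   # LUKS1
        /^  [0-9]+: luks2/         { slot = $1; sub(":", "", slot); next }   # LUKS2
        /^[^[:space:]]/            { slot = ""; next }                        # new section
        /^[[:space:]]+Iterations:/ { if (slot != "") print slot, $2; slot = "" }
    '
}

# weak_slots MIN: stdin = luksDump text; prints slot numbers with fewer than MIN iterations.
weak_slots() {
    slot_iterations | awk -v min="$1" '$2 < min { print $1 }'
}

# Usage: ./check_slots.sh /dev/nvme0n1p5 [MIN]   (defaults to the constructed sample)
if [ -b "${1:-}" ]; then
    sudo cryptsetup luksDump "$1" | weak_slots "${2:-100000}"
else
    printf '%s\n' "$SAMPLE_DUMP" | slot_iterations
    echo "slots below 200000 iterations:"
    printf '%s\n' "$SAMPLE_DUMP" | weak_slots 200000
fi
```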