Reset PIM defaults when changing volume KDF

A SourceForge report pointed out that the password-change and header-KDF dialogs reused the current custom PIM when the user selected a different KDF. That was harmless when all choices used the same PBKDF2 PIM scale, but it is wrong with Argon2 because the same numeric PIM has different security and performance meaning. Avoid silently carrying a custom PIM across KDF changes in both the Windows and wx dialogs. If the new KDF differs from the current one and the user has not explicitly opened the New PIM field, use the default PIM for the selected KDF instead. Keep preserving the current PIM when the KDF is unchanged. Enable explicit New PIM entry in the header KDF-only flow, warn before resetting an existing custom PIM to the new KDF default, and validate explicitly entered KDF-only PIM values. Report the new KDF from the Windows dialog as well as the new PIM so favorite volumes update both stored PIM and pinned KDF metadata after password or header KDF changes, including system favorites. Add translation fallbacks, documentation, and release notes for the new behavior.
2026-06-17 01:56:10 -05:00 · 2026-06-11 04:31:46 +09:00
parent e5415498f4
commit 75857757fe
50 changed files with 452 additions and 77 deletions
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1706,6 +1706,8 @@ Information about Corsican localization:
 	    <entry lang="co" key="MACOSX_APFS_SYSTEM_STORE">L’allucamentu fisicu APFS selezziunatu « {0} » cuntene u vulume di u sistema macOS muntatu attualmente è ùn pò micca esse impiegatu cum’è un ospite di vulume VeraCrypt.</entry>
 	    <entry lang="co" key="MACOSX_DEVICE_NOT_WRITABLE">macOS signaleghja l’apparechju selezziunatu « {0} » cum’è essendu in lettura sola. Selezziunate una partizione fisica o un discu induve si pò scrive.</entry>
 	    <entry lang="co" key="MACOSX_APFS_EROFS_HINT">macOS hà signalatu l’apparechju selezziunatu cum’è essendu in lettura sola. S’ellu hè un discu APFS, assicuratevi chì ghjè a partizione d’allucamentu APFS fisica chì hè selezziunata, è micca un vulume APFS sintetizatu. Impiegate l’attrezzu di discu o « diskutil list » per identificà a partizione fisica eppò pruvate torna.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
 	</localization>
 	<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 		<xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="cs" key="MACOSX_APFS_SYSTEM_STORE">Vybrané fyzické úložiště APFS '{0}' obsahuje aktuálně připojený systémový svazek macOS a nelze jej použít jako hostitele svazku VeraCryptu.</entry>
    <entry lang="cs" key="MACOSX_DEVICE_NOT_WRITABLE">macOS hlásí vybrané zařízení '{0}' jako pouze pro čtení. Vyberte zapisovatelný fyzický diskový oddíl nebo disk.</entry>
    <entry lang="cs" key="MACOSX_APFS_EROFS_HINT">macOS oznámil, že vybrané zařízení je pouze pro čtení. Jde-li o disk APFS, ujistěte se, že jste vybrali fyzický diskový oddíl úložiště APFS, nikoli syntetizovaný svazek APFS. Pomocí Diskové utility nebo příkazu 'diskutil list' určete fyzický diskový oddíl a zkuste to znovu.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1687,6 +1687,8 @@
    <entry lang="de" key="MACOSX_APFS_SYSTEM_STORE">Die ausgewählte physische APFS-Speicherpartition '{0}' enthält das derzeit eingebundene macOS-Systemvolume und kann nicht als VeraCrypt-Volume-Host verwendet werden.</entry>
    <entry lang="de" key="MACOSX_DEVICE_NOT_WRITABLE">macOS meldet, dass das ausgewählte Gerät '{0}' schreibgeschützt ist. Wählen Sie eine beschreibbare physische Partition oder Festplatte aus.</entry>
    <entry lang="de" key="MACOSX_APFS_EROFS_HINT">macOS hat das ausgewählte Gerät als schreibgeschützt gemeldet. Handelt es sich um eine APFS-Festplatte, stellen Sie sicher, dass Sie die physische APFS-Speicherpartition ausgewählt haben und nicht ein synthetisches APFS-Volume. Identifizieren Sie die physische Partition mit dem Festplatten-Dienstprogramm oder dem Befehl „diskutil list“ und versuchen Sie es dann erneut.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <!-- XML-Schema -->
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="es" key="MACOSX_APFS_SYSTEM_STORE">El almacenamiento físico APFS seleccionado '{0}' contiene el volumen de sistema macOS actualmente montado y no puede usarse como host de volumen VeraCrypt.</entry>
    <entry lang="es" key="MACOSX_DEVICE_NOT_WRITABLE">macOS informa que el dispositivo seleccionado '{0}' es de sólo lectura. Seleccione una partición física o disco con permiso de escritura.</entry>
    <entry lang="es" key="MACOSX_APFS_EROFS_HINT">macOS informó que el dispositivo seleccionado es de sólo lectura. Si se trata de un disco APFS, asegúrese de haber seleccionado la partición física de almacenamiento APFS, no un volumen APFS sintetizado. Use la Utilidad de Discos o 'diskutil list' para identificar la partición física y luego reinténtelo.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
 </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="fi" key="MACOSX_APFS_SYSTEM_STORE">Valittu fyysinen APFS-tallennusosio '{0}' sisältää parhaillaan liitetyn macOS-järjestelmätaltion, eikä sitä voi käyttää VeraCrypt-taltion isäntänä.</entry>
    <entry lang="fi" key="MACOSX_DEVICE_NOT_WRITABLE">macOS ilmoittaa valitun laitteen '{0}' olevan vain luku -tilassa. Valitse kirjoituskelpoinen fyysinen osio tai levy.</entry>
    <entry lang="fi" key="MACOSX_APFS_EROFS_HINT">macOS ilmoitti valitun laitteen olevan vain luku -tilassa. Jos kyseessä on APFS-levy, varmista, että valitsit fyysisen APFS-tallennusosion etkä APFS:n syntetisoitua taltiota. Käytä Levytyökalua tai komentoa 'diskutil list' fyysisen osion tunnistamiseen ja yritä sitten uudelleen.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="fr" key="MACOSX_APFS_SYSTEM_STORE">Le support physique APFS sélectionné '{0}' contient le volume système macOS actuellement monté et ne peut pas être utilisé comme hôte de volume VeraCrypt.</entry>
    <entry lang="fr" key="MACOSX_DEVICE_NOT_WRITABLE">macOS signale que le périphérique sélectionné '{0}' est en lecture seule. Sélectionnez une partition physique ou un disque accessible en écriture.</entry>
    <entry lang="fr" key="MACOSX_APFS_EROFS_HINT">macOS a signalé que le périphérique sélectionné est en lecture seule. S’il s’agit d’un disque APFS, assurez-vous d’avoir sélectionné la partition physique de stockage APFS et non un volume APFS synthétisé. Utilisez l’Utilitaire de disque ou 'diskutil list' pour identifier la partition physique, puis réessayez.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="it" key="MACOSX_APFS_SYSTEM_STORE">Lo store fisico APFS selezionato '{0}' contiene il volume di sistema macOS attualmente montato e non può essere usato come host di un volume VeraCrypt.</entry>
    <entry lang="it" key="MACOSX_DEVICE_NOT_WRITABLE">macOS segnala il dispositivo selezionato '{0}' come di sola lettura. Seleziona una partizione fisica o un disco scrivibile.</entry>
    <entry lang="it" key="MACOSX_APFS_EROFS_HINT">macOS ha segnalato il dispositivo selezionato come di sola lettura. Se questo è un disco APFS, assicurati di aver selezionato la partizione dello store fisico APFS, non un volume APFS sintetizzato. Usa Utility Disco o 'diskutil list' per identificare la partizione fisica, quindi riprova.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="ja" key="MACOSX_APFS_SYSTEM_STORE">選択された APFS 物理ストア '{0}' には現在マウントされている macOS システムボリュームが含まれているため、VeraCrypt ボリュームホストとして使用できません。</entry>
    <entry lang="ja" key="MACOSX_DEVICE_NOT_WRITABLE">macOS は、選択されたデバイス '{0}' を読み取り専用として報告しています。書き込み可能な物理パーティションまたはディスクを選択してください。</entry>
    <entry lang="ja" key="MACOSX_APFS_EROFS_HINT">macOS は、選択されたデバイスを読み取り専用として報告しました。これが APFS ディスクの場合は、APFS 合成ボリュームではなく物理 APFS ストアパーティションを選択していることを確認してください。ディスクユーティリティまたは 'diskutil list' を使用して物理パーティションを確認してから、再試行してください。</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="ko" key="MACOSX_APFS_SYSTEM_STORE">선택한 APFS 물리적 저장소 '{0}'에는 현재 마운트된 macOS 시스템 볼륨이 포함되어 있으므로 VeraCrypt 볼륨 호스트로 사용할 수 없습니다.</entry>
    <entry lang="ko" key="MACOSX_DEVICE_NOT_WRITABLE">macOS에서 선택한 장치 '{0}'을 읽기 전용으로 보고했습니다. 쓰기 가능한 물리적 파티션 또는 디스크를 선택하세요.</entry>
    <entry lang="ko" key="MACOSX_APFS_EROFS_HINT">macOS에서 선택한 장치를 읽기 전용으로 보고했습니다. APFS 디스크인 경우 APFS 합성 볼륨이 아니라 물리적 APFS 저장소 파티션을 선택했는지 확인하세요. 디스크 유틸리티 또는 'diskutil list'를 사용하여 물리적 파티션을 식별한 다음 다시 시도하세요.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1686,6 +1686,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="nb" key="MACOSX_APFS_SYSTEM_STORE">Den valgte fysiske APFS-lagringen «{0}» inneholder det monterte macOS-systemvolumet og kan ikke brukes som vert for et VeraCrypt-volum.</entry>
    <entry lang="nb" key="MACOSX_DEVICE_NOT_WRITABLE">macOS rapporterer den valgte enheten «{0}» som skrivebeskyttet. Velg en skrivbar fysisk partisjon eller disk.</entry>
    <entry lang="nb" key="MACOSX_APFS_EROFS_HINT">macOS rapporterte den valgte enheten som skrivebeskyttet. Hvis dette er en APFS-disk, må du forsikre deg om at du har valgt den fysiske APFS-lagringspartisjonen, ikke et syntetisert APFS-volum. Bruk Diskverktøy eller «diskutil list» for å identifisere den fysiske partisjonen, og prøv på nytt.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="nl" key="MACOSX_APFS_SYSTEM_STORE">De geselecteerde fysieke APFS-opslag '{0}' bevat het momenteel gekoppelde macOS-systeemvolume en kan niet worden gebruikt als host voor een VeraCrypt-volume.</entry>
    <entry lang="nl" key="MACOSX_DEVICE_NOT_WRITABLE">macOS meldt dat het geselecteerde apparaat '{0}' alleen-lezen is. Selecteer een fysieke partitie of schijf waarop geschreven kan worden.</entry>
    <entry lang="nl" key="MACOSX_APFS_EROFS_HINT">macOS geeft aan dat het geselecteerde apparaat alleen-lezen is. Als dit een APFS-schijf is, controleer dan of u de fysieke APFS-opslagpartitie hebt geselecteerd en niet een gesynthetiseerd APFS-volume. Gebruik Schijfhulpprogramma of 'diskutil list' om de fysieke partitie te identificeren en probeer het vervolgens opnieuw.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="pl" key="MACOSX_APFS_SYSTEM_STORE">Wybrany fizyczny magazyn APFS „{0}” zawiera aktualnie zamontowany wolumen systemu macOS i nie może być używany jako host wolumenu VeraCrypt.</entry>
    <entry lang="pl" key="MACOSX_DEVICE_NOT_WRITABLE">System macOS zgłasza wybrane urządzenie „{0}” jako tylko do odczytu. Wybierz zapisywalną partycję fizyczną lub dysk.</entry>
    <entry lang="pl" key="MACOSX_APFS_EROFS_HINT">System macOS zgłosił wybrane urządzenie jako tylko do odczytu. Jeśli jest to dysk APFS, upewnij się, że wybrano fizyczną partycję magazynu APFS, a nie wolumen syntezowany przez APFS. Użyj narzędzia dyskowego lub polecenia „diskutil list”, aby zidentyfikować partycję fizyczną, a następnie spróbuj ponownie.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="pt-br" key="MACOSX_APFS_SYSTEM_STORE">O armazenamento físico APFS selecionado '{0}' contém o volume de sistema macOS atualmente montado e não pode ser usado como host de volume VeraCrypt.</entry>
    <entry lang="pt-br" key="MACOSX_DEVICE_NOT_WRITABLE">O macOS informa que o dispositivo selecionado '{0}' é somente leitura. Selecione uma partição física ou disco gravável.</entry>
    <entry lang="pt-br" key="MACOSX_APFS_EROFS_HINT">O macOS informou que o dispositivo selecionado é somente leitura. Se for um disco APFS, certifique-se de ter selecionado a partição física de armazenamento APFS, não um volume APFS sintetizado. Use o Utilitário de Disco ou 'diskutil list' para identificar a partição física e tente novamente.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="ru" key="MACOSX_APFS_SYSTEM_STORE">Выбранное физическое хранилище APFS '{0}' содержит смонтированный сейчас системный том macOS, его нельзя использовать в качестве хоста томов VeraCrypt.</entry>
    <entry lang="ru" key="MACOSX_DEVICE_NOT_WRITABLE">macOS сообщает, что выбранное устройство '{0}' доступно только для чтения. Выберите физический раздел или диск, доступный для записи.</entry>
    <entry lang="ru" key="MACOSX_APFS_EROFS_HINT">macOS сообщает, что выбранное устройство доступно только для чтения. Если это диск с файловой системой APFS, убедитесь, что вы выбрали физический раздел хранилища APFS, а не синтезированный том APFS. Используйте дисковую утилиту или 'diskutil list', чтобы определить физический раздел, затем повторите попытку.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="sl" key="MACOSX_APFS_SYSTEM_STORE">Izbrana fizična shramba APFS '{0}' vsebuje trenutno priklopljen sistemski nosilec macOS in je ni mogoče uporabiti kot gostitelja nosilca VeraCrypt.</entry>
    <entry lang="sl" key="MACOSX_DEVICE_NOT_WRITABLE">macOS poroča, da je izbrana naprava '{0}' samo za branje. Izberi zapisljivo fizično particijo ali disk.</entry>
    <entry lang="sl" key="MACOSX_APFS_EROFS_HINT">macOS je poročal, da je izbrana naprava samo za branje. Če je to disk APFS, se prepričaj, da si izbral fizično particijo shrambe APFS, ne sintetiziranega nosilca APFS. S programom Disk Utility ali ukazom 'diskutil list' poišči fizično particijo in poskusi znova.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="tr" key="MACOSX_APFS_SYSTEM_STORE">Seçilmiş fiziksel APFS deposu '{0}', şu anda bağlı olan macOS sistem birimini içeriyor ve VeraCrypt birimi barındırmak için kullanılamaz.</entry>
    <entry lang="tr" key="MACOSX_DEVICE_NOT_WRITABLE">macOS, seçilmiş aygıtı '{0}' salt okunur olarak bildiriyor. Yazılabilir bir fiziksel bölüm ya da disk seçin.</entry>
    <entry lang="tr" key="MACOSX_APFS_EROFS_HINT">macOS, seçilmiş aygıtı salt okunur olarak bildirdi. Bu bir APFS diskiyse, APFS sentezlenmiş birimi değil fiziksel APFS depolama bölümünü seçtiğinizden emin olun. Fiziksel bölümü belirlemek için Disk İzlencesi ya da 'diskutil list' komutunu kullanıp yeniden deneyin.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,8 @@
    <entry lang="zh-cn" key="MACOSX_APFS_SYSTEM_STORE">所选 APFS 物理存储 '{0}' 包含当前挂载的 macOS 系统卷，无法作为 VeraCrypt 卷主机使用。</entry>
    <entry lang="zh-cn" key="MACOSX_DEVICE_NOT_WRITABLE">macOS 报告所选设备 '{0}' 为只读。请选择可写的物理分区或磁盘。</entry>
    <entry lang="zh-cn" key="MACOSX_APFS_EROFS_HINT">macOS 报告所选设备为只读。如果这是 APFS 磁盘，请确保您选择的是物理 APFS 存储分区，而不是 APFS 合成卷。请使用“磁盘工具”或 'diskutil list' 来识别物理分区，然后重试。</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -70,6 +70,7 @@ Note: When VeraCrypt re-encrypts a volume header, the original volume header is
 force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
 <a href="Security%20Requirements%20and%20Precautions.html">
 <em>Security Requirements and Precautions</em></a>).</p>
+<p>If the selected new KDF differs from the current KDF and the volume currently uses a custom PIM, VeraCrypt does not automatically reuse the current PIM. Unless you select <em>Use PIM</em> in the New section and enter a custom value, the rewritten volume header will use the default PIM for the selected KDF.</p>
 </div>
 <h3>Volumes -&gt; Set Header Key Derivation Algorithm</h3>
 <p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
@@ -77,6 +78,8 @@ Note: When VeraCrypt re-encrypts a volume header, the original volume header is
 <a href="Header%20Key%20Derivation.html">
 <em>Header Key Derivation, Salt, and Iteration Count</em></a>.<br>
 <br>
+If the selected KDF differs from the current KDF and the volume currently uses a custom PIM, VeraCrypt does not automatically reuse the current PIM. Unless you select <em>Use PIM</em> in the New section and enter a custom value, the rewritten volume header will use the default PIM for the selected KDF.<br>
+<br>
 Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic
 force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
 <a href="Security%20Requirements%20and%20Precautions.html">
@@ -50,6 +50,7 @@
 	<ul>
 	<li>Add Argon2id as an alternative memory-hard KDF for non-system volumes.</li>
 	<li>Use "KDF" terminology in the user interface and documentation instead of "PKCS-5 PRF".</li>
+	<li>When changing a volume password or changing only a volume header KDF, use the selected KDF's default PIM when a different KDF is selected unless a new PIM is explicitly specified.</li>
 	<li>Update logo icons with simplified icons without extra label text.</li>
 	<li>Harden XML and TLV parsers against malformed input.</li>
 	<li>Security: Fix <a href="https://github.com/veracrypt/VeraCrypt/security/advisories/GHSA-94c6-mgmv-mqc5" target="_blank">GHSA-94c6-mgmv-mqc5</a>: non-default <code>WOLFCRYPT=1</code> builds now use wolfCrypt PBKDF2 instead of HKDF and honor VeraCrypt's PBKDF2 iteration count.
@@ -85,7 +86,7 @@
 <li>Fix EFI <code>DcsProp</code> rewrite handling.</li>
 <li>Fix ghost drive letter after command line unmount (GH #337, GH #1426).</li>
 <li>Fix favorite volume mount race.</li>
-<li>Validate PIM when changing only the KDF.</li>
+<li>Update stored favorite volume PIM/KDF metadata after password or header KDF changes.</li>
 <li>Fix elevated COM format drive validation and device path normalization (GH #1670).</li>
 <li>Fix ReFS formatting during volume creation.</li>
 <li>Fix MSI traveler disk creation with WHQL-signed drivers, ARM64 MSI build, Start Menu folder upgrades, and discovery of newer SDK MSI tools.</li>
@@ -1684,6 +1684,8 @@
    <entry lang="en" key="MACOSX_APFS_SYSTEM_STORE">The selected APFS physical store '{0}' contains the currently mounted macOS system volume and cannot be used as a VeraCrypt volume host.</entry>
    <entry lang="en" key="MACOSX_DEVICE_NOT_WRITABLE">macOS reports the selected device '{0}' as read-only. Select a writable physical partition or disk.</entry>
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
+    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
+    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -40,19 +40,33 @@ namespace VeraCrypt
 		return true;
 	}

-	static bool CheckCustomPimForKdfOnlyChange (VolumePasswordPanel *pimPanel, const shared_ptr <VolumePassword> &password, const shared_ptr <Pkcs5Kdf> &kdf, int currentPim)
+	static bool CheckCustomPimForKdfOnlyChange (VolumePasswordPanel *pimPanel, const shared_ptr <VolumePassword> &password, const shared_ptr <Pkcs5Kdf> &kdf, int pim)
 	{
 		int defaultPim = kdf ? kdf->GetDefaultPim() : 0;
-		if (!kdf || !password || password->Size() == 0 || currentPim <= 0 || defaultPim <= 0 || currentPim == defaultPim)
+		if (!kdf || !password || password->Size() == 0 || pim <= 0 || defaultPim <= 0 || pim == defaultPim)
 			return true;

-		if (currentPim < defaultPim)
-			return CheckCustomPimForPassword (pimPanel, password, currentPim, kdf);
+		if (pim < defaultPim)
+			return CheckCustomPimForPassword (pimPanel, password, pim, kdf);

 		Gui->ShowWarning (kdf->GetPimLargeWarningMessageId());
 		return true;
 	}

+	static bool KdfSelectionsEqual (const shared_ptr <Pkcs5Kdf> &left, const shared_ptr <Pkcs5Kdf> &right)
+	{
+		if (!left && !right)
+			return true;
+		if (!left || !right)
+			return false;
+		return left->GetName() == right->GetName();
+	}
+
+	static bool NewKdfSelectionChangesKdf (const shared_ptr <Pkcs5Kdf> &currentKdf, const shared_ptr <Pkcs5Kdf> &newKdf)
+	{
+		return newKdf && (!currentKdf || !KdfSelectionsEqual (currentKdf, newKdf));
+	}
+
 	static bool CheckPasswordChangeWarnings (VolumePasswordPanel *passwordPanel, const shared_ptr <VolumePassword> &password, int pim, const shared_ptr <Pkcs5Kdf> &kdf)
 	{
 		if (!password || password->Size() == 0)
@@ -89,7 +103,7 @@ namespace VeraCrypt
 #endif

 	ChangePasswordDialog::ChangePasswordDialog (wxWindow* parent, shared_ptr <VolumePath> volumePath, Mode::Enum mode, shared_ptr <VolumePassword> password, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, shared_ptr <KeyfileList> newKeyfiles)
-		: ChangePasswordDialogBase (parent), DialogMode (mode), Path (volumePath)
+		: ChangePasswordDialogBase (parent), DialogMode (mode), KdfOnlyKdfSelectionInitialized (false), Path (volumePath)
 	{
 		bool enableNewPassword = false;
 		bool enableNewKeyfiles = false;
@@ -134,6 +148,9 @@ namespace VeraCrypt
 		NewPasswordPanel->UpdateEvent.Connect (EventConnector <ChangePasswordDialog> (this, &ChangePasswordDialog::OnPasswordPanelUpdate));
 		NewPasswordPanelSizer->Add (NewPasswordPanel, 1, wxALL | wxEXPAND);

+		if (mode == Mode::ChangePkcs5Prf)
+			NewPasswordPanel->EnableUsePim (true);
+
 		if (mode == Mode::RemoveAllKeyfiles)
 			NewSizer->Show (false);

@@ -175,6 +192,7 @@ namespace VeraCrypt

 			shared_ptr <VolumePassword> newPassword;
 			int newPim = 0;
+			bool newPimSpecified = false;
 			if (DialogMode == Mode::ChangePasswordAndKeyfiles)
 			{
 				try
@@ -197,13 +215,37 @@ namespace VeraCrypt
 			else
 			{
 				newPassword = currentPassword;
-				newPim = CurrentPasswordPanel->GetVolumePim();
-			}
+				if (DialogMode == Mode::ChangePkcs5Prf)
+				{
+					bool kdfChangesKdf = NewKdfSelectionChangesKdf (currentKdf, newKdf);
+					newPimSpecified = NewPasswordPanel->IsVolumePimSpecified();
+					if (newPimSpecified)
+					{
+						newPim = NewPasswordPanel->GetVolumePim();
+						if (-1 == newPim)
+						{
+							NewPasswordPanel->SetFocusToPimTextCtrl();
+							return;
+						}
+					}
+					else
+					{
+						newPim = kdfChangesKdf ? 0 : currentPim;
+					}

-			if (DialogMode == Mode::ChangePkcs5Prf)
-			{
-				if (!CheckCustomPimForKdfOnlyChange (CurrentPasswordPanel, newPassword, newKdf, currentPim))
-					return;
+					if (kdfChangesKdf && !newPimSpecified && currentPim > 0)
+					{
+						if (!Gui->AskYesNo (LangString["PIM_RESET_ON_KDF_CHANGE_CONFIRM"], false, true))
+						{
+							NewPasswordPanel->SetFocusToPimCheckBox();
+							return;
+						}
+					}
+				}
+				else
+				{
+					newPim = currentPim;
+				}
 			}

 			shared_ptr <KeyfileList> newKeyfiles;
@@ -216,7 +258,7 @@ namespace VeraCrypt
 			shared_ptr <Volume> openVolume;
 			bool masterKeyVulnerable = false;
 			// If the unchanged KDF is not known yet, open the header before applying KDF-specific PIM limits.
-			bool needOpenVolumeForKdf = DialogMode == Mode::ChangePasswordAndKeyfiles
+			bool needOpenVolumeForKdf = (DialogMode == Mode::ChangePasswordAndKeyfiles || DialogMode == Mode::ChangePkcs5Prf)
 				&& !effectiveNewKdf
 				&& newPassword->Size() > 0
 				&& newPim > 0;
@@ -228,6 +270,12 @@ namespace VeraCrypt
 				{
 					return;
 				}
+				else if (DialogMode == Mode::ChangePkcs5Prf
+					&& newPimSpecified
+					&& !CheckCustomPimForKdfOnlyChange (NewPasswordPanel, newPassword, effectiveNewKdf, newPim))
+				{
+					return;
+				}

 				/* force the display of the random enriching interface */
 				RandomNumberGenerator::SetEnrichedByUserStatus (false);
@@ -265,11 +313,18 @@ namespace VeraCrypt

 				if (needOpenVolumeForKdf)
 				{
-					if (!CheckPasswordChangeWarnings (NewPasswordPanel, newPassword, newPim, effectiveNewKdf))
+					if (DialogMode == Mode::ChangePasswordAndKeyfiles
+						&& !CheckPasswordChangeWarnings (NewPasswordPanel, newPassword, newPim, effectiveNewKdf))
 					{
 						// The volume was opened only to detect its KDF; no header rewrite has started.
 						return;
 					}
+					else if (DialogMode == Mode::ChangePkcs5Prf
+						&& newPimSpecified
+						&& !CheckCustomPimForKdfOnlyChange (NewPasswordPanel, newPassword, effectiveNewKdf, newPim))
+					{
+						return;
+					}

 					/* force the display of the random enriching interface */
 					RandomNumberGenerator::SetEnrichedByUserStatus (false);
@@ -350,6 +405,30 @@ namespace VeraCrypt
 			if (CurrentPasswordPanel->GetVolumePim () == -1)
 				ok = false;

+			if (DialogMode == Mode::ChangePkcs5Prf)
+			{
+				shared_ptr <Pkcs5Kdf> currentKdf = CurrentPasswordPanel->GetPkcs5Kdf();
+				shared_ptr <Pkcs5Kdf> newKdf = NewPasswordPanel->GetPkcs5Kdf();
+
+				if (!KdfOnlyKdfSelectionInitialized)
+				{
+					LastCurrentKdf = currentKdf;
+					LastNewKdf = newKdf;
+					KdfOnlyKdfSelectionInitialized = true;
+				}
+				else if (!KdfSelectionsEqual (LastCurrentKdf, currentKdf) || !KdfSelectionsEqual (LastNewKdf, newKdf))
+				{
+					LastCurrentKdf = currentKdf;
+					LastNewKdf = newKdf;
+
+					if (!NewPasswordPanel->IsVolumePimSpecified() && NewKdfSelectionChangesKdf (currentKdf, newKdf))
+						NewPasswordPanel->ResetVolumePimToDefault();
+				}
+
+				if (NewPasswordPanel->GetVolumePim () == -1)
+					ok = false;
+			}
+
 			if (DialogMode == Mode::RemoveAllKeyfiles && (passwordEmpty || keyfilesEmpty))
 				ok = false;

@@ -377,7 +456,7 @@ namespace VeraCrypt

 		OKButton->Enable (ok);

-		if (DialogMode == Mode::ChangePasswordAndKeyfiles)
+		if (DialogMode == Mode::ChangePasswordAndKeyfiles || DialogMode == Mode::ChangePkcs5Prf)
 		{
 			bool pimChanged = (CurrentPasswordPanel->GetVolumePim() != NewPasswordPanel->GetVolumePim());
 			NewPasswordPanel->UpdatePimHelpText(pimChanged);
@@ -46,6 +46,9 @@ namespace VeraCrypt
 		void OnPasswordPanelUpdate (EventArgs &args) { OnPasswordPanelUpdate(); }

 		Mode::Enum DialogMode;
+		bool KdfOnlyKdfSelectionInitialized;
+		shared_ptr <Pkcs5Kdf> LastCurrentKdf;
+		shared_ptr <Pkcs5Kdf> LastNewKdf;

 		VolumePasswordPanel *CurrentPasswordPanel;
 		VolumePasswordPanel *NewPasswordPanel;
@@ -153,10 +153,13 @@ namespace VeraCrypt

 		Layout();
 		Fit();
+
+		Pkcs5PrfChoice->Connect (wxEVT_COMMAND_CHOICE_SELECTED, wxCommandEventHandler (VolumePasswordPanel::OnPkcs5PrfChoiceSelected), nullptr, this);
 	}

 	VolumePasswordPanel::~VolumePasswordPanel ()
 	{
+		Pkcs5PrfChoice->Disconnect (wxEVT_COMMAND_CHOICE_SELECTED, wxCommandEventHandler (VolumePasswordPanel::OnPkcs5PrfChoiceSelected), nullptr, this);
 		WipeTextCtrl (PasswordTextCtrl);
 		WipeTextCtrl (ConfirmPasswordTextCtrl);
 	}
@@ -281,6 +284,40 @@ namespace VeraCrypt
 		}
 	}

+	void VolumePasswordPanel::EnableUsePim (bool pimOnlyDisplay)
+	{
+		EnablePimEntry = true;
+		PimCheckBox->Enable (true);
+		PimCheckBox->Show (true);
+		if (pimOnlyDisplay)
+			DisplayPasswordCheckBox->SetLabel (LangString["IDC_SHOW_PIM"]);
+		DisplayPasswordCheckBox->Show (true);
+		Layout();
+		Fit();
+		GetParent()->Layout();
+		GetParent()->Fit();
+	}
+
+	void VolumePasswordPanel::ResetVolumePimToDefault ()
+	{
+		if (DisplayPasswordCheckBox->IsChecked() && VolumePimTextCtrl->IsShown())
+			DisplayPassword (false, &VolumePimTextCtrl, 3);
+
+		DisplayPasswordCheckBox->SetValue (false);
+		SetVolumePim (0);
+		PimCheckBox->SetValue (false);
+		PimCheckBox->Show (EnablePimEntry);
+		VolumePimStaticText->Show (false);
+		VolumePimTextCtrl->Show (false);
+		VolumePimHelpStaticText->SetForegroundColour (wxSystemSettings::GetColour (wxSYS_COLOUR_WINDOWTEXT));
+		VolumePimHelpStaticText->SetLabel (LangString["IDC_PIM_HELP"]);
+		VolumePimHelpStaticText->Show (false);
+		Layout();
+		Fit();
+		GetParent()->Layout();
+		GetParent()->Fit();
+	}
+
 	int VolumePasswordPanel::GetHeaderWipeCount () const
 	{
 		try
@@ -366,7 +403,8 @@ namespace VeraCrypt

 	void VolumePasswordPanel::OnDisplayPasswordCheckBoxClick (wxCommandEvent& event)
 	{
-		DisplayPassword (event.IsChecked(), &PasswordTextCtrl, 1);
+		if (PasswordTextCtrl->IsShown())
+			DisplayPassword (event.IsChecked(), &PasswordTextCtrl, 1);

 		if (ConfirmPasswordTextCtrl->IsShown())
 			DisplayPassword (event.IsChecked(), &ConfirmPasswordTextCtrl, 2);
@@ -477,6 +515,7 @@ namespace VeraCrypt

 			layoutParent->Layout();
 			layoutParent->Fit();
+			OnUpdate();
 		}
 	}
 }
@@ -31,12 +31,15 @@ namespace VeraCrypt
 		shared_ptr <Pkcs5Kdf> GetPkcs5Kdf () const;
 		int GetVolumePim () const;
 		int GetHeaderWipeCount () const;
+		bool IsVolumePimSpecified () const { return VolumePimTextCtrl->IsEnabled () && VolumePimTextCtrl->IsShown (); }
 		void SetCacheCheckBoxValidator (const wxGenericValidator &validator) { CacheCheckBox->SetValidator (validator); }
 		void SetFocusToPasswordTextCtrl () { PasswordTextCtrl->SetSelection (-1, -1); PasswordTextCtrl->SetFocus(); }
+		void SetFocusToPimCheckBox () { PimCheckBox->SetFocus(); }
 		void SetFocusToPimTextCtrl () { VolumePimTextCtrl->SetSelection (-1, -1); VolumePimTextCtrl->SetFocus(); }
+		void ResetVolumePimToDefault ();
 		void SetVolumePim (int pim);
 		bool PasswordsMatch () const;
-		void EnableUsePim () { PimCheckBox->Enable (true); PimCheckBox->Show (true); }
+		void EnableUsePim (bool pimOnlyDisplay = false);
 		bool IsUsePimChecked () const { return PimCheckBox->GetValue (); }
 		void SetUsePimChecked (bool checked) const { PimCheckBox->SetValue (checked); }
 		bool UpdatePimHelpText (bool pimChanged);
@@ -55,6 +58,7 @@ namespace VeraCrypt
 		void OnKeyfilesButtonClick (wxCommandEvent& event);
 		void OnKeyfilesButtonRightClick (wxMouseEvent& event);
 		void OnKeyfilesButtonRightDown (wxMouseEvent& event);
+		void OnPkcs5PrfChoiceSelected (wxCommandEvent& event) { OnUpdate(); }
 		void OnTextChanged (wxCommandEvent& event) { OnUpdate(); }
 		void OnPimChanged  (wxCommandEvent& event) { OnUpdate(); }
 		void OnUsePimCheckBoxClick( wxCommandEvent& event );
@@ -2538,6 +2538,74 @@ static BOOL CheckKdfOnlyPimForPassword (HWND hwndDlg, const Password *password,
 	return CheckPasswordLength (hwndDlg, password->Length, pim, FALSE, pimValidationPkcs5, TRUE, FALSE);
 }

+static int GetSelectedKdfId (HWND hwndDlg, UINT ctrlId)
+{
+	HWND hComboBox = GetDlgItem (hwndDlg, ctrlId);
+	LRESULT selectedIndex = SendMessage (hComboBox, CB_GETCURSEL, 0, 0);
+	LRESULT itemData;
+
+	if (selectedIndex == CB_ERR)
+		return 0;
+
+	itemData = SendMessage (hComboBox, CB_GETITEMDATA, selectedIndex, 0);
+	if (itemData == CB_ERR)
+		return 0;
+
+	return (int) itemData;
+}
+
+static BOOL NewKdfSelectionChangesKdf (int old_pkcs5, int pkcs5)
+{
+	return (pkcs5 != 0 && (old_pkcs5 == 0 || old_pkcs5 != pkcs5));
+}
+
+static BOOL IsNewPimSpecified (HWND hwndDlg)
+{
+	HWND hPim = GetDlgItem (hwndDlg, IDC_PIM);
+	return IsWindowEnabled (hPim) && IsWindowVisible (hPim);
+}
+
+/* The New PIM field can be shown automatically to mirror the current PIM.
+ * Keep that separate from an explicit user request to write a custom New PIM. */
+static BOOL PasswordChangeNewPimExplicitlySpecified = FALSE;
+static BOOL PasswordChangeNewPimProgrammaticUpdate = FALSE;
+
+static BOOL IsNewPimExplicitlySpecified (HWND hwndDlg)
+{
+	return PasswordChangeNewPimExplicitlySpecified && IsNewPimSpecified (hwndDlg);
+}
+
+static void SetNewPimValueProgrammatically (HWND hwndDlg, int pim)
+{
+	PasswordChangeNewPimProgrammaticUpdate = TRUE;
+	SetPim (hwndDlg, IDC_PIM, pim);
+	PasswordChangeNewPimProgrammaticUpdate = FALSE;
+}
+
+static void SetNewPimTextProgrammatically (HWND hwndDlg, const wchar_t *pimText)
+{
+	PasswordChangeNewPimProgrammaticUpdate = TRUE;
+	SetDlgItemText (hwndDlg, IDC_PIM, pimText);
+	PasswordChangeNewPimProgrammaticUpdate = FALSE;
+}
+
+static void ResetNewPimToDefault (HWND hwndDlg)
+{
+	PasswordChangeNewPimExplicitlySpecified = FALSE;
+	SetNewPimValueProgrammatically (hwndDlg, 0);
+	SetCheckBox (hwndDlg, IDC_NEW_PIM_ENABLE, FALSE);
+	ShowWindow (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE), SW_SHOW);
+	ShowWindow (GetDlgItem (hwndDlg, IDT_PIM), SW_HIDE);
+	ShowWindow (GetDlgItem (hwndDlg, IDC_PIM), SW_HIDE);
+	ShowWindow (GetDlgItem (hwndDlg, IDC_PIM_HELP), SW_HIDE);
+}
+
+typedef struct
+{
+	int NewPimValue;
+	int NewPkcs5Value;
+} PasswordChangeDlgResult;
+
 // implementation for support of change password operation in wait dialog mechanism

 typedef struct
@@ -2653,7 +2721,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 {
 	static KeyFilesDlgParam newKeyFilesParam;
 	static BOOL PimValueChangedWarning = FALSE;
-	static int* NewPimValuePtr = NULL;
+	static PasswordChangeDlgResult* ResultPtr = NULL;

 	WORD lw = LOWORD (wParam);
 	WORD hw = HIWORD (wParam);
@@ -2675,12 +2743,14 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			if (EffectiveVolumePkcs5 == 0)
 				EffectiveVolumePkcs5 = DefaultVolumePkcs5;

-			NewPimValuePtr = (int*) lParam;
+			ResultPtr = (PasswordChangeDlgResult*) lParam;

 			PimValueChangedWarning = FALSE;
+			PasswordChangeNewPimExplicitlySpecified = FALSE;
+			PasswordChangeNewPimProgrammaticUpdate = FALSE;

 			ZeroMemory (&newKeyFilesParam, sizeof (newKeyFilesParam));
-			if (NewPimValuePtr)
+			if (ResultPtr)
 			{
 				/* we are in the case of a volume. Store its name to use it in the key file dialog
 				 * this will help avoid using the current container file as a key file
@@ -2759,12 +2829,13 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				LocalizeDialog (hwndDlg, "IDD_PCDM_CHANGE_PKCS5_PRF");
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_VERIFY), FALSE);
-				EnableWindow (GetDlgItem (hwndDlg, IDT_PIM), FALSE);
-				EnableWindow (GetDlgItem (hwndDlg, IDC_PIM), FALSE);
-				EnableWindow (GetDlgItem (hwndDlg, IDC_PIM_HELP), FALSE);
-				EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE), FALSE);
+				EnableWindow (GetDlgItem (hwndDlg, IDT_PIM), TRUE);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_PIM), TRUE);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_PIM_HELP), TRUE);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE), TRUE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_NEW_KEYFILES), FALSE);
-				EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), FALSE);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), TRUE);
+				SetWindowTextW (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), GetString ("IDC_SHOW_PIM"));
 				EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_KEYFILES), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDT_NEW_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDT_CONFIRM_PASSWORD), FALSE);
@@ -2843,6 +2914,17 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PKCS5_OLD_PRF_ID), FALSE);

+				if (pwdChangeDlgMode == PCDM_CHANGE_PKCS5_PRF)
+				{
+					PasswordChangeNewPimExplicitlySpecified = FALSE;
+					SetNewPimValueProgrammatically (hwndDlg, 0);
+					EnableWindow (GetDlgItem (hwndDlg, IDT_PIM), FALSE);
+					EnableWindow (GetDlgItem (hwndDlg, IDC_PIM), FALSE);
+					EnableWindow (GetDlgItem (hwndDlg, IDC_PIM_HELP), FALSE);
+					EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE), FALSE);
+					EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), FALSE);
+				}
+
 				if (SetTimer (hwndDlg, TIMER_ID_KEYB_LAYOUT_GUARD, TIMER_INTERVAL_KEYB_LAYOUT_GUARD, NULL) == 0)
 				{
 					Error ("CANNOT_SET_TIMER", hwndDlg);
@@ -2981,15 +3063,21 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				IDC_PASSWORD, IDC_VERIFY,
 				newKeyFilesParam.EnableKeyFiles && newKeyFilesParam.FirstKeyFile != NULL);

-			if ((lw == IDC_OLD_PIM) && IsWindowEnabled (GetDlgItem (hwndDlg, IDC_PIM)))
+			if ((lw == IDC_OLD_PIM)
+				&& pwdChangeDlgMode != PCDM_CHANGE_PKCS5_PRF
+				&& IsNewPimSpecified (hwndDlg)
+				&& !NewKdfSelectionChangesKdf (GetSelectedKdfId (hwndDlg, IDC_PKCS5_OLD_PRF_ID), GetSelectedKdfId (hwndDlg, IDC_PKCS5_PRF_ID)))
 			{
 				wchar_t tmp[MAX_PIM+1] = {0};
 				GetDlgItemText (hwndDlg, IDC_OLD_PIM, tmp, MAX_PIM + 1);
-				SetDlgItemText (hwndDlg, IDC_PIM, tmp);
+				SetNewPimTextProgrammatically (hwndDlg, tmp);
 			}

 			if (lw == IDC_PIM)
 			{
+				if (!PasswordChangeNewPimProgrammaticUpdate && IsNewPimSpecified (hwndDlg))
+					PasswordChangeNewPimExplicitlySpecified = TRUE;
+
 				if(GetPim (hwndDlg, IDC_OLD_PIM, 0) != GetPim (hwndDlg, IDC_PIM, 0))
 				{
 					PimValueChangedWarning = TRUE;
@@ -3012,8 +3100,10 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			ShowWindow (GetDlgItem( hwndDlg, IDC_OLD_PIM), SW_SHOW);
 			ShowWindow (GetDlgItem( hwndDlg, IDC_OLD_PIM_HELP), SW_SHOW);

-			// check also the "Use PIM" for the new password if it is enabled
-			if (IsWindowEnabled (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE)))
+			// Preserve the PIM automatically only when the selected KDF is not changing.
+			if (pwdChangeDlgMode != PCDM_CHANGE_PKCS5_PRF
+				&& IsWindowEnabled (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE))
+				&& !NewKdfSelectionChangesKdf (GetSelectedKdfId (hwndDlg, IDC_PKCS5_OLD_PRF_ID), GetSelectedKdfId (hwndDlg, IDC_PKCS5_PRF_ID)))
 			{
 				SetCheckBox (hwndDlg, IDC_NEW_PIM_ENABLE, TRUE);

@@ -3030,6 +3120,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR

 		if (lw == IDC_NEW_PIM_ENABLE)
 		{
+			PasswordChangeNewPimExplicitlySpecified = TRUE;
 			ShowWindow (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE), SW_HIDE);
 			ShowWindow (GetDlgItem( hwndDlg, IDT_PIM), SW_SHOW);
 			ShowWindow (GetDlgItem( hwndDlg, IDC_PIM), SW_SHOW);
@@ -3128,9 +3219,11 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR

 		if (hw == CBN_SELCHANGE)
 		{
+			BOOL kdfSelectionChanged = FALSE;
 			switch (lw)
 			{
 			case IDC_PKCS5_PRF_ID:
+				kdfSelectionChanged = TRUE;
 				if (bSysEncPwdChangeDlgMode)
 				{
 					int new_hash_algo_id = (int) SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETITEMDATA, 
@@ -3144,6 +3237,22 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 					}
 				}
 				break;
+
+			case IDC_PKCS5_OLD_PRF_ID:
+				kdfSelectionChanged = TRUE;
+				break;
+			}
+
+			if (kdfSelectionChanged
+				&& !bSysEncPwdChangeDlgMode
+				&& (pwdChangeDlgMode == PCDM_CHANGE_PASSWORD || pwdChangeDlgMode == PCDM_CHANGE_PKCS5_PRF)
+				&& IsWindowEnabled (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE))
+				&& !IsNewPimExplicitlySpecified (hwndDlg)
+				&& NewKdfSelectionChangesKdf (GetSelectedKdfId (hwndDlg, IDC_PKCS5_OLD_PRF_ID), GetSelectedKdfId (hwndDlg, IDC_PKCS5_PRF_ID)))
+			{
+				ResetNewPimToDefault (hwndDlg);
+				PimValueChangedWarning = FALSE;
+				SetDlgItemTextW (hwndDlg, IDC_PIM_HELP, (wchar_t *) GetDictionaryValueByInt (IDC_PIM_HELP));
 			}
 			return 1;

@@ -3157,7 +3266,8 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR

 		if (lw == IDC_SHOW_PASSWORD_CHPWD_NEW)
 		{
-			HandleShowPasswordFieldAction (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW, IDC_PASSWORD, IDC_VERIFY);
+			if (pwdChangeDlgMode != PCDM_CHANGE_PKCS5_PRF)
+				HandleShowPasswordFieldAction (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW, IDC_PASSWORD, IDC_VERIFY);
 			HandleShowPasswordFieldAction (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW, IDC_PIM, 0);
 			return 1;
 		}
@@ -3173,15 +3283,25 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				SendMessage (GetDlgItem (hwndDlg, IDC_WIPE_MODE), CB_GETCURSEL, 0, 0),
 				0);
 			int nStatus;
-			int old_pkcs5 = (int) SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_OLD_PRF_ID), CB_GETITEMDATA,
-					SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_OLD_PRF_ID), CB_GETCURSEL, 0, 0), 0);
-			int pkcs5 = (int) SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETITEMDATA,
-					SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETCURSEL, 0, 0), 0);
+			int old_pkcs5 = GetSelectedKdfId (hwndDlg, IDC_PKCS5_OLD_PRF_ID);
+			int pkcs5 = GetSelectedKdfId (hwndDlg, IDC_PKCS5_PRF_ID);

 			int old_pim = GetPim (hwndDlg, IDC_OLD_PIM, 0);
 			int pim = GetPim (hwndDlg, IDC_PIM, 0);
+			BOOL newPimSpecified = IsNewPimExplicitlySpecified (hwndDlg);
+			BOOL newKdfChangesKdf = !bSysEncPwdChangeDlgMode && NewKdfSelectionChangesKdf (old_pkcs5, pkcs5);
+			BOOL newPimSelectable = (pwdChangeDlgMode == PCDM_CHANGE_PASSWORD || pwdChangeDlgMode == PCDM_CHANGE_PKCS5_PRF);
 			int iMaxPasswordLength = (bUseLegacyMaxPasswordLength)? MAX_LEGACY_PASSWORD : MAX_PASSWORD;

+			if (pwdChangeDlgMode == PCDM_ADD_REMOVE_VOL_KEYFILES || pwdChangeDlgMode == PCDM_REMOVE_ALL_KEYFILES_FROM_VOL)
+			{
+				pim = old_pim;
+			}
+			else if (newPimSelectable && !newPimSpecified)
+			{
+				pim = newKdfChangesKdf ? 0 : old_pim;
+			}
+
 			if (bSysEncPwdChangeDlgMode && !CheckPasswordCharEncoding (GetDlgItem (hwndDlg, IDC_PASSWORD), NULL))
 			{
 				Error ("UNSUPPORTED_CHARS_IN_PWD", hwndDlg);
@@ -3202,6 +3322,13 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				return 1;
 			}

+			if (newPimSelectable && newKdfChangesKdf && !newPimSpecified && old_pim > 0
+				&& AskWarnNoYes ("PIM_RESET_ON_KDF_CHANGE_CONFIRM", hwndDlg) != IDYES)
+			{
+				SetFocus (GetDlgItem (hwndDlg, IDC_NEW_PIM_ENABLE));
+				return 1;
+			}
+
 			if (pwdChangeDlgMode == PCDM_CHANGE_PKCS5_PRF)
 			{
 				newKeyFilesParam.EnableKeyFiles = KeyFilesEnable;
@@ -3249,12 +3376,16 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			{
 			case PCDM_REMOVE_ALL_KEYFILES_FROM_VOL:
 			case PCDM_ADD_REMOVE_VOL_KEYFILES:
-			case PCDM_CHANGE_PKCS5_PRF:
 				memcpy (newPassword.Text, oldPassword.Text, sizeof (newPassword.Text));
 				newPassword.Length = (unsigned __int32) strlen ((char *) oldPassword.Text);
 				pim = old_pim;
 				break;

+			case PCDM_CHANGE_PKCS5_PRF:
+				memcpy (newPassword.Text, oldPassword.Text, sizeof (newPassword.Text));
+				newPassword.Length = (unsigned __int32) strlen ((char *) oldPassword.Text);
+				break;
+
 			default:
 				if (GetPassword (hwndDlg, IDC_PASSWORD, (LPSTR) newPassword.Text, iMaxPasswordLength + 1, FALSE, TRUE))
 					newPassword.Length = (unsigned __int32) strlen ((char *) newPassword.Text);
@@ -3300,13 +3431,14 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			ShowWaitDialog(hwndDlg, TRUE, ChangePwdWaitThreadProc, &changePwdParam);

 err:
-			// notify the caller in case the PIM has changed
-			if (NewPimValuePtr)
+			if (ResultPtr && nStatus == 0)
 			{
-				if (pim != old_pim)
-					*NewPimValuePtr = pim;
+				if (newKdfChangesKdf || pim != old_pim)
+					ResultPtr->NewPimValue = pim;
 				else
-					*NewPimValuePtr = -1;
+					ResultPtr->NewPimValue = -1;
+
+				ResultPtr->NewPkcs5Value = newKdfChangesKdf ? pkcs5 : -1;
 			}

 			burn (&oldPassword, sizeof (oldPassword));
@@ -6520,10 +6652,71 @@ static BOOL MountAllDevices (HWND hwndDlg, BOOL bPasswordPrompt)
 	return param.bRet;
 }

+static bool FavoritePimOrKdfNeedsUpdate (const FavoriteVolume &favorite, int newPimValue, int newPkcs5Value)
+{
+	return ((newPimValue != -1 && favorite.Pim != newPimValue)
+		|| (newPkcs5Value > 0 && favorite.Pkcs5 != newPkcs5Value));
+}
+
+static void UpdateFavoritePimAndKdfValues (FavoriteVolume &favorite, int newPimValue, int newPkcs5Value)
+{
+	if (newPimValue != -1)
+		favorite.Pim = newPimValue;
+
+	if (newPkcs5Value > 0)
+		favorite.Pkcs5 = newPkcs5Value;
+}
+
+static void UpdateFavoritePimAndKdfValues (HWND hwndDlg, const wchar_t *volumePath, int newPimValue, int newPkcs5Value)
+{
+	bool bFavoriteFound = false;
+
+	if (newPimValue == -1 && newPkcs5Value <= 0)
+		return;
+
+	for (vector <FavoriteVolume>::iterator favorite = FavoriteVolumes.begin();
+		favorite != FavoriteVolumes.end(); favorite++)
+	{
+		if (favorite->Path == volumePath)
+		{
+			bFavoriteFound = true;
+			if (FavoritePimOrKdfNeedsUpdate (*favorite, newPimValue, newPkcs5Value))
+			{
+				UpdateFavoritePimAndKdfValues (*favorite, newPimValue, newPkcs5Value);
+				SaveFavoriteVolumes (hwndDlg, FavoriteVolumes, false);
+			}
+			break;
+		}
+	}
+
+	if (!bFavoriteFound)
+	{
+		for (vector <FavoriteVolume>::iterator favorite = SystemFavoriteVolumes.begin();
+			favorite != SystemFavoriteVolumes.end(); favorite++)
+		{
+			if (favorite->Path == volumePath)
+			{
+				bFavoriteFound = true;
+
+				if (FavoritePimOrKdfNeedsUpdate (*favorite, newPimValue, newPkcs5Value)
+					&& AskYesNo ("FAVORITE_PIM_OR_KDF_CHANGED", hwndDlg) == IDYES)
+				{
+					UpdateFavoritePimAndKdfValues (*favorite, newPimValue, newPkcs5Value);
+					SaveFavoriteVolumes (hwndDlg, SystemFavoriteVolumes, true);
+				}
+				break;
+			}
+		}
+	}
+}
+
 static void ChangePassword (HWND hwndDlg)
 {
 	INT_PTR result;
-	int newPimValue = -1;
+	PasswordChangeDlgResult dlgResult;
+
+	dlgResult.NewPimValue = -1;
+	dlgResult.NewPkcs5Value = -1;

 	GetVolumePath (hwndDlg, szFileName, ARRAYSIZE (szFileName));

@@ -6547,7 +6740,7 @@ static void ChangePassword (HWND hwndDlg)
 	bSysEncPwdChangeDlgMode = FALSE;

 	result = DialogBoxParamW (hInst, MAKEINTRESOURCEW (IDD_PASSWORDCHANGE_DLG), hwndDlg,
-		(DLGPROC) PasswordChangeDlgProc, (LPARAM) &newPimValue);
+		(DLGPROC) PasswordChangeDlgProc, (LPARAM) &dlgResult);

 	if (result == IDOK)
 	{
@@ -6555,6 +6748,7 @@ static void ChangePassword (HWND hwndDlg)
 		{
 		case PCDM_CHANGE_PKCS5_PRF:
 			Info ("PKCS5_PRF_CHANGED", hwndDlg);
+			UpdateFavoritePimAndKdfValues (hwndDlg, szFileName, dlgResult.NewPimValue, dlgResult.NewPkcs5Value);
 			break;

 		case PCDM_ADD_REMOVE_VOL_KEYFILES:
@@ -6566,41 +6760,7 @@ static void ChangePassword (HWND hwndDlg)
 		default:
 			{
 				Info ("PASSWORD_CHANGED", hwndDlg);
-				if (newPimValue != -1)
-				{
-					// update the encoded volue in favorite XML if found
-					bool bFavoriteFound = false;
-					for (vector <FavoriteVolume>::iterator favorite = FavoriteVolumes.begin();
-						favorite != FavoriteVolumes.end(); favorite++)
-					{
-						if (favorite->Path == szFileName)
-						{
-							bFavoriteFound = true;
-							favorite->Pim = newPimValue;
-							SaveFavoriteVolumes (hwndDlg, FavoriteVolumes, false);
-							break;
-						}
-					}
-
-					if (!bFavoriteFound)
-					{
-						for (vector <FavoriteVolume>::iterator favorite = SystemFavoriteVolumes.begin();
-							favorite != SystemFavoriteVolumes.end(); favorite++)
-						{
-							if (favorite->Path == szFileName)
-							{
-								bFavoriteFound = true;
-								favorite->Pim = newPimValue;
-
-								if (AskYesNo("FAVORITE_PIM_CHANGED", hwndDlg) == IDYES)
-								{
-									SaveFavoriteVolumes (hwndDlg, SystemFavoriteVolumes, true);
-								}
-								break;
-							}
-						}
-					}
-				}
+				UpdateFavoritePimAndKdfValues (hwndDlg, szFileName, dlgResult.NewPimValue, dlgResult.NewPkcs5Value);
 			}
 		}
 	}