Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-06-17 10:06:06 -05:00
Code Activity

Reset PIM defaults when changing volume KDF

Browse Source 
A SourceForge report pointed out that the password-change and header-KDF dialogs reused the current custom PIM when the user selected a different KDF. That was harmless when all choices used the same PBKDF2 PIM scale, but it is wrong with Argon2 because the same numeric PIM has different security and performance meaning.

Avoid silently carrying a custom PIM across KDF changes in both the Windows and wx dialogs. If the new KDF differs from the current one and the user has not explicitly opened the New PIM field, use the default PIM for the selected KDF instead. Keep preserving the current PIM when the KDF is unchanged.

Enable explicit New PIM entry in the header KDF-only flow, warn before resetting an existing custom PIM to the new KDF default, and validate explicitly entered KDF-only PIM values.

Report the new KDF from the Windows dialog as well as the new PIM so favorite volumes update both stored PIM and pinned KDF metadata after password or header KDF changes, including system favorites. Add translation fallbacks, documentation, and release notes for the new behavior.
This commit is contained in:
Mounir IDRASSI
2026-06-11 04:31:46 +09:00
parent e5415498f4
commit 75857757fe
50 changed files with 452 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files
doc/html/en/Program Menu.html
+3
View File
@@ -70,6 +70,7 @@ Note: When VeraCrypt re-encrypts a volume header, the original volume header is
force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
<a href="Security%20Requirements%20and%20Precautions.html">
<em>Security Requirements and Precautions</em></a>).</p>
<p>If the selected new KDF differs from the current KDF and the volume currently uses a custom PIM, VeraCrypt does not automatically reuse the current PIM. Unless you select <em>Use PIM</em> in the New section and enter a custom value, the rewritten volume header will use the default PIM for the selected KDF.</p>
</div>
<h3>Volumes -&gt; Set Header Key Derivation Algorithm</h3>
<p>This function allows you to re-encrypt a volume header with a header key derived using a different PRF function (for example, instead of HMAC-BLAKE2S-256 you could use HMAC-Whirlpool). Note that the volume header contains the master encryption key with which
@@ -77,6 +78,8 @@ Note: When VeraCrypt re-encrypts a volume header, the original volume header is
<a href="Header%20Key%20Derivation.html">
<em>Header Key Derivation, Salt, and Iteration Count</em></a>.<br>
<br>
If the selected KDF differs from the current KDF and the volume currently uses a custom PIM, VeraCrypt does not automatically reuse the current PIM. Unless you select <em>Use PIM</em> in the New section and enter a custom value, the rewritten volume header will use the default PIM for the selected KDF.<br>
<br>
Note: When VeraCrypt re-encrypts a volume header, the original volume header is first overwritten many times (3, 7, 35 or 256 depending on the user choice) with random data to prevent adversaries from using techniques such as magnetic force microscopy or magnetic
force scanning tunneling microscopy [17] to recover the overwritten header (however, see also the chapter
<a href="Security%20Requirements%20and%20Precautions.html">