Header Key Derivation, Salt, and Iteration Count
512-bit salt is used, which means there are 2512
keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks (pre-computing all the keys for a dictionary
of passwords is very difficult when a salt is used) . The salt consists of random values generated by the
VeraCrypt random number generator
during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) – the user selects which. The length of the derived
key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence,
two 256-bit keys are used for AES-256 in total). For more information, refer to . A large number of iterations of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search
for passwords (i.e., brute force attack) .
Prior to version 1.12, VeraCrypt always used a fixed number of iterations depending on the volume type and the derivation algorithm used:
- For system partition encryption (boot encryption), 200000 iterations are used for the HMAC-SHA-256 derivation function and
327661 iterations are used for HMAC-RIPEMD-160.
- For standard containers and other partitions, 655331 iterations are used for HMAC-RIPEMD-160 and
500000 iterations are used for HMAC-SHA-512, HMAC-SHA-256 and HMAC-Whirlpool.
Starting from version 1.12, the
PIM field (Personal Iterations Multiplier) enables users to have more control over the number of iterations used by the key derivation function.
PIM value is not specified or if it is equal to zero, VeraCrypt uses the default values expressed above.
PIM value is given by the user, the number of iterations of the key derivation function is calculated as follows:
- For system encryption that doesn't use SHA-512 or Whirlpool: Iterations = PIM x 2048
- For system encryption that uses SHA-512 or Whirlpool, non-system encryption and file containers: Iterations = 15000 + (PIM x 1000)
Header keys used by ciphers in a cascade are mutually independent, even though they are derived from a single password (to which keyfiles may have been applied). For example, for the AES-Twofish-Serpent cascade, the header key derivation function is instructed
to derive a 768-bit encryption key from a given password (and, for XTS mode, in addition, a 768-bit
secondary header key from the given password). The generated 768-bit header key is then split into three 256-bit keys (for XTS mode, the
secondary header key is split into three 256-bit keys too, so the cascade actually uses six 256-bit keys in total), out of which the first key is used by Serpent, the second key is used by Twofish, and the third by AES (in addition,
for XTS mode, the first secondary key is used by Serpent, the second secondary key is used by Twofish, and the third secondary key by AES). Hence, even when an adversary has one of the keys, he cannot use it to derive the other keys, as there is no feasible
method to determine the password from which the key was derived (except for brute force attack mounted on a weak password).