Constant tindercrypt::metadata::PBKDF2_DEFAULT_ITERATIONS

pub const PBKDF2_DEFAULT_ITERATIONS: usize = 100000;

The default number of iterations for the PBKDF2 key derivation algorithm.

We use a constant number of 100,000 iterations. As of 2019, this number seems to be commonly suggested, and is used in various projects, such as the Borg backup project (issue) and 1Password (blog). While not ideal from a strict security standpoint, raising it higher would make it less tolerable on low-end devices, and wouldn’t offer better security than a more modern KDF, such as scrypt or argon2.

To understand the performance gap between different devices, here’s a quick run of cryptsetup benchmark for the PBKDF2-sha256 algorithm on a mid-end and a low-end device:

  • Mid 2010 i7 CPU: ~1,800,000 iterations per second for 256-bit key
  • Raspberry Pi 3 Model B: ~270,000 iterations per second for 256-bit key

With 100,000 iterations, a mid-end device would require roughly 55ms to create a key, while a low-end device would require roughly 370ms.
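As an added illustration (not tindercrypt's own code), here is a Python sketch of the cost behind this constant: a spelled-out PBKDF2-HMAC-SHA256 checked against the standard library, plus the latency arithmetic used above. The password and salt values are constructed for the example; the benchmark figures are the ones quoted on this page.

```python
import hashlib
import hmac
import struct
import time

# Default iteration count documented on this page (tindercrypt::metadata).
PBKDF2_DEFAULT_ITERATIONS = 100_000

def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out so the cost
    is visible: every 32-byte output block costs `iterations` HMAC calls."""
    if iterations < 1:
        raise ValueError("PBKDF2 needs at least one iteration")
    hlen = hashlib.sha256().digest_size
    nblocks = -(-dklen // hlen)  # ceiling division
    out = b""
    for i in range(1, nblocks + 1):
        # U_1 = PRF(P, S || INT(i)); T = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the spelled-out version against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return hmac.compare_digest(pbkdf2_hmac_sha256(password, salt, iterations, dklen), expected)

def expected_seconds(iterations: int, iterations_per_second: float) -> float:
    """Latency estimate from a cryptsetup-style benchmark figure."""
    return iterations / iterations_per_second

def iterations_for_budget(iterations_per_second: float, budget_seconds: float) -> int:
    """Inverse of the above: how many iterations fit in a latency budget on a device."""
    return round(iterations_per_second * budget_seconds)

def measure_seconds(iterations: int = PBKDF2_DEFAULT_ITERATIONS) -> float:
    """Wall-clock cost of one derivation on this machine (constructed inputs)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"example-passphrase", b"\x00" * 16, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    print("i7 estimate (s):", expected_seconds(PBKDF2_DEFAULT_ITERATIONS, 1_800_000))
    print("Pi 3 estimate (s):", expected_seconds(PBKDF2_DEFAULT_ITERATIONS, 270_000))
    print("measured here (s):", measure_seconds())
```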