Added User Interface to change iteration time for LUKS encryption

Author: haouarihk

archinstall/lib/disk/device_handler.py

@@ -14,6 +14,7 @@
 from ..general import SysCommand, SysCommandWorker
 from ..luks import Luks2
 from ..models.device_model import (
+	DEFAULT_ITER_TIME,
 	BDevice,
 	BtrfsMountOption,
 	DeviceModification,
@@ -308,14 +309,15 @@ def encrypt(
 		mapper_name: str | None,
 		enc_password: Password | None,
 		lock_after_create: bool = True,
+		iter_time: int = DEFAULT_ITER_TIME,
 	) -> Luks2:
 		luks_handler = Luks2(
 			dev_path,
 			mapper_name=mapper_name,
 			password=enc_password,
 		)
 
-		key_file = luks_handler.encrypt()
+		key_file = luks_handler.encrypt(iter_time=iter_time)
 
 		self.udev_sync()
 
@@ -346,7 +348,7 @@ def format_encrypted(
 			password=enc_conf.encryption_password,
 		)
 
-		key_file = luks_handler.encrypt()
+		key_file = luks_handler.encrypt(iter_time=enc_conf.iter_time)
 
 		self.udev_sync()
 

archinstall/lib/disk/encryption_menu.py

@@ -17,7 +17,7 @@
 from archinstall.tui.types import Alignment, FrameProperties
 
 from ..menu.abstract_menu import AbstractSubMenu
-from ..models.device_model import Fido2Device
+from ..models.device_model import DEFAULT_ITER_TIME, Fido2Device
 from ..models.users import Password
 from ..output import FormattedOutput
 from ..utils.util import get_password
@@ -65,6 +65,14 @@ def _define_menu_options(self) -> list[MenuItem]:
 				preview_action=self._preview,
 				key='encryption_password',
 			),
+			MenuItem(
+				text=tr('Iteration time'),
+				action=lambda x: select_iteration_time(x),
+				value=self._enc_config.iter_time,
+				dependencies=[self._check_dep_enc_type],
+				preview_action=self._preview,
+				key='iter_time',
+			),
 			MenuItem(
 				text=tr('Partitions'),
 				action=lambda x: select_partitions_to_encrypt(self._device_modifications, x),
@@ -120,6 +128,7 @@ def run(self, additional_title: str | None = None) -> DiskEncryption | None:
 
 		enc_type: EncryptionType | None = self._item_group.find_by_key('encryption_type').value
 		enc_password: Password | None = self._item_group.find_by_key('encryption_password').value
+		iter_time: int | None = self._item_group.find_by_key('iter_time').value
 		enc_partitions = self._item_group.find_by_key('partitions').value
 		enc_lvm_vols = self._item_group.find_by_key('lvm_volumes').value
 
@@ -140,6 +149,7 @@ def run(self, additional_title: str | None = None) -> DiskEncryption | None:
 				partitions=enc_partitions,
 				lvm_volumes=enc_lvm_vols,
 				hsm_device=self._enc_config.hsm_device,
+				iter_time=iter_time or DEFAULT_ITER_TIME,
 			)
 
 		return None
@@ -153,6 +163,9 @@ def _preview(self, item: MenuItem) -> str | None:
 		if (enc_pwd := self._prev_password()) is not None:
 			output += f'\n{enc_pwd}'
 
+		if (iter_time := self._prev_iter_time()) is not None:
+			output += f'\n{iter_time}'
+
 		if (fido_device := self._prev_hsm()) is not None:
 			output += f'\n{fido_device}'
 
@@ -214,6 +227,14 @@ def _prev_hsm(self) -> str | None:
 		output += f' ({fido_device.manufacturer}, {fido_device.product})'
 		return f'{tr("HSM device")}: {output}'
 
+	def _prev_iter_time(self) -> str | None:
+		iter_time = self._item_group.find_by_key('iter_time').value
+
+		if iter_time and iter_time != DEFAULT_ITER_TIME:
+			return f'{tr("Iteration time")}: {iter_time}ms'
+
+		return None
+
 
 def select_encryption_type(
 	device_modifications: list[DeviceModification],
@@ -354,3 +375,50 @@ def select_lvm_vols_to_encrypt(
 				return volumes
 
 	return []
+
+
+def select_iteration_time(preset: int | None = None) -> int | None:
+	header = tr('Enter iteration time for LUKS encryption (in milliseconds)') + '\n'
+	header += tr('Higher values increase security but slow down boot time') + '\n'
+	header += tr(f'Default: {DEFAULT_ITER_TIME}ms, Recommended range: 1000-60000') + '\n'
+
+	def validate_iter_time(value: str | None) -> str | None:
+		if not value:
+			return tr('Iteration time cannot be empty')
+		
+		try:
+			iter_time = int(value)
+			if iter_time < 100:
+				return tr('Iteration time must be at least 100ms')
+			if iter_time > 120000:
+				return tr('Iteration time must be at most 120000ms')
+			return None
+		except ValueError:
+			return tr('Please enter a valid number')
+
+	try:
+		from archinstall.tui.curses_menu import EditMenu
+		from archinstall.tui.result import ResultType
+		from archinstall.tui.types import Alignment
+		
+		result = EditMenu(
+			tr('Iteration time (ms)'),
+			header=header,
+			alignment=Alignment.CENTER,
+			allow_skip=True,
+			default_text=str(preset) if preset else str(DEFAULT_ITER_TIME),
+			validator=validate_iter_time,
+		).input()
+		
+		match result.type_:
+			case ResultType.Skip:
+				return preset
+			case ResultType.Selection:
+				if not result.text():
+					return preset
+				return int(result.text())
+			case ResultType.Reset:
+				return None
+	except ImportError:
+		# Fallback for non-interactive mode
+		return preset or DEFAULT_ITER_TIME

archinstall/lib/disk/filesystem.py

@@ -287,6 +287,7 @@ def _encrypt_lvm_vols(
 					vol.mapper_name,
 					enc_config.encryption_password,
 					lock_after_create,
+					iter_time=enc_config.iter_time,
 				)
 
 				enc_vols[vol] = luks_handler
@@ -317,6 +318,7 @@ def _encrypt_partitions(
 						part_mod.mapper_name,
 						enc_config.encryption_password,
 						lock_after_create=lock_after_create,
+						iter_time=enc_config.iter_time,
 					)
 
 					enc_mods[part_mod] = luks_handler

archinstall/lib/models/device_model.py

@@ -19,7 +19,7 @@
 from ..output import debug
 
 ENC_IDENTIFIER = 'ainst'
-
+DEFAULT_ITER_TIME = 10000
 
 class DiskLayoutType(Enum):
 	Default = 'default_layout'
@@ -1471,6 +1471,7 @@ class _DiskEncryptionSerialization(TypedDict):
 	partitions: list[str]
 	lvm_volumes: list[str]
 	hsm_device: NotRequired[_Fido2DeviceSerialization]
+	iter_time: NotRequired[int]
 
 
 @dataclass
@@ -1480,6 +1481,7 @@ class DiskEncryption:
 	partitions: list[PartitionModification] = field(default_factory=list)
 	lvm_volumes: list[LvmVolume] = field(default_factory=list)
 	hsm_device: Fido2Device | None = None
+	iter_time: int = DEFAULT_ITER_TIME
 
 	def __post_init__(self) -> None:
 		if self.encryption_type in [EncryptionType.Luks, EncryptionType.LvmOnLuks] and not self.partitions:
@@ -1504,6 +1506,9 @@ def json(self) -> _DiskEncryptionSerialization:
 		if self.hsm_device:
 			obj['hsm_device'] = self.hsm_device.json()
 
+		if self.iter_time != DEFAULT_ITER_TIME:  # Only include if not default
+			obj['iter_time'] = self.iter_time
+
 		return obj
 
 	@classmethod
@@ -1559,6 +1564,9 @@ def parse_arg(
 		if hsm := disk_encryption.get('hsm_device', None):
 			enc.hsm_device = Fido2Device.parse_arg(hsm)
 
+		if iter_time := disk_encryption.get('iter_time', None):
+			enc.iter_time = iter_time
+
 		return enc
 
 

archinstall/locales/base.pot

@@ -959,6 +959,33 @@ msgstr ""
 msgid "Encryption type"
 msgstr ""
 
+msgid "Iteration time"
+msgstr ""
+
+msgid "Enter iteration time for LUKS encryption (in milliseconds)"
+msgstr ""
+
+msgid "Higher values increase security but slow down boot time"
+msgstr ""
+
+msgid "Default: 10000ms, Recommended range: 1000-60000"
+msgstr ""
+
+msgid "Iteration time (ms)"
+msgstr ""
+
+msgid "Iteration time cannot be empty"
+msgstr ""
+
+msgid "Iteration time must be at least 100ms"
+msgstr ""
+
+msgid "Iteration time must be at most 120000ms"
+msgstr ""
+
+msgid "Please enter a valid number"
+msgstr ""
+
 msgid "Partitions"
 msgstr ""