A few questions about the Passwords wiki

gwx2n · March 12, 2026, 7:42pm

I am using Qubes 4.3 and Whonix 18 within it. I have read the wiki and related discussion, but I am a novice user and there are many things I do not understand yet. Hence, I have a few questions:

1 Can I create an offline virtual machine based on the whonix-workstation-18 template? In such a virtual machine without internet access, I would generate new passwords, store them in KeePassXC, encrypt removable media (external drives, USB sticks), and create Luks and Veracrypt containers.

2 As I mentioned, I read the Passwords wiki on the kicksecure website and the related discussion.

In this discussion, there is a post by Patrick ( password advice wiki page enhancements - #35 by Patrick ) to which I have a few questions. The content of section 5.13 of the cryptsetup FAQ has been changed (compared to what Patrick posted), and in the sentence:

“The other known possibility to create a LUKS container with a bad volume key is to use /dev/urandom for key generation in an entropy-starved situation (e.g. automatic installation on an embedded device without network and other entropy sources or installation in a VM under certain circumstances).”

Added “or installation in a VM under certain circumstances”

My questions:
Can I create secure passwords using the commands listed on the Passwords wiki page on kicksecure in an offline virtual machine based on the whonix-workstation 18 template? I am referring to these commands:
head /dev/random | tr -dc A-Za-z0-9 | head -c 43 ; echo ‘’
makepasswd --chars 43 (wiki indicates that this command relies on /dev/urandom)
diceware -n 12 -w en_eff

Can I safely encrypt removable media on an offline virtual machine based on the whonix-workstation 18 template using the command indicated on the Full Disk Encryption (FDE) wiki page on kicksecure? I am referring to this command:
sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat

3 I want to check the argon2id parameters used to encrypt my system disk. In dom0, I type:
sudo cryptsetup luksDump /dev/sda2

and here I have doubts

I see Time cost, Memory, Threads. Two parameters (memory, threads) match those given on the Passwords wiki on the kicksecure website. Is Time cost iterations?

With Memory, I only have a number without the unit in which it is given. After using the above command, is the Memory value expressed in kibibytes, kilobytes, or perhaps some other unit?

arraybolt3 · March 12, 2026, 8:03pm

As an aside, we usually like to have one forum post = one topic, though I see that these questions are a number of tightly related topics.

Yes, just set the “Network” to “No network connection” in the “Create New Qube” window.

Yes. Whonix-Workstation uses haveged in the background to extract entropy from the environment, including bits of the environment that can be seen from within the VM. The randomness available within the VM should therefore be sufficient.

Most of what you’re looking at has to do with the internal operation of the argon2id algorithm. This is unspecific to Whonix.

gwx2n · March 13, 2026, 5:16pm

At the very beginning, I want to thank you for your time.

I understand that in such an offline virtual machine based on the whonix-workstation-18 template, I can also create secure Veracrypt or LUKS containers?

I was wondering how to do it. Initially, I wanted to write a post in the discussion about the Passwords wiki on kicksecure, but I thought I’d just clutter up that thread.

What I really need is information on whether I correctly calculate the additional entropy provided by argon2id according to the formula on the Passwords wiki on the kicksecure website.

To insert my calculations, I need answers to these questions:

1 I was hinted at by the fact that the Passwords wiki on the kicksecure website has a support tag. That is why I have asked a question here. The issues I ask about are there.

2 If I hear the answer to my questions, I will still ask you to check the correctness of my calculations. Correctness within the argon2id formula for the additional entropy found on the Passwords wiki on the kicksecure page.

3 Contacting the people responsible for cryptsetup is difficult. I could ask a question on the Qubes forum (I don’t have a github account, you can’t create one through Tor), but I have more trust in people dealing with Whonix. This is due to the fact that Patrick himself gives answers here, as well as the moderators whose nicknames I associate.

arraybolt3 · March 13, 2026, 6:39pm

Reading that page, I’m getting slightly confused since I’m not very familiar with the internal workings of Argon2id. In particular, I’m confused that the page is talking about the “entropy” involved when picking varying parameters; entropy is not something a deterministic hash algorithm like Argon2id provides. It makes it so that the amount of time it takes to test each password guess takes much longer (which the wiki appears to call “key stretching”), but it doesn’t increase the amount of unpredictability in the password itself (entropy). The wiki probably needs clarification here, and I should probably study what it is saying more closely.

Is there a particular reason you’re trying to calculate these parameters instead of sticking with the defaults? Cryptsetup’s defaults should be fine for practical use cases involving full-disk encryption, and KeePassXC’s defaults should similarly be fine for locking password databases.

Patrick · March 14, 2026, 8:26am

Yes. haveged and more. Elaborated here:

gwx2n · March 15, 2026, 1:57pm

I’m sticking with the default settings. I’m not changing anything. The problem, however, is that my settings differ significantly from what’s listed in the Passwords wiki on the Kicksecure website.

After running the command sudo cryptsetup luksDump /dev/sda2 in dom0, I get the following parameters (which I believe are the argon2id parameters):
Time cost: 4
Memory: 743480
Threads: 4

I also checked on a second computer running Qubes. After running the command sudo cryptsetup luksDump /dev/sda2 in dom0, I get the following there:
Time cost: 4
Memory: 370259
Threads: 4

I’m checking all this to determine how long a password I should set for my Qubes drives and removable media. If argon2id provides me with less protection than what’s shown on the Passwords wiki on the kicksecure website, it stands to reason that I need to add more entropy to the password.

disgusted23 · March 17, 2026, 3:59pm

Referring to yours 2 machines where you get diff values for memory, this is probably because the machines has different amounts of ram. “memory cost” for argon2i, *2id is how much ram should be used to decrypt. This can be set manually to a point (previous cryptsetups had this set at 1GiB) on the commandline. Length of pw does not matter really. A 50 character jumbled from /dev/urandom or /dev/random may be many times more secure than someone elseThe default for cryptsetup for the –pbkdf-memory=kilobytes is KB.

The argon2id, argon2i parameters are a mechanism to wrap your password in a key deriving function to help pad it in case the person chose a poor low entropy password. It does not make miracles and you should instead make sure that your password have the needed entropy.(diceware as you mentioned is good: diceware -n makes a very secure method. Recommend to make it 20 words at least. also amount of entropy should be at least enough to protect against trivial attack vectors. If your master key has 512 bits of entropy, your password can have anything up to that. It can have more but theres no point. A 256 bit pw is ideal for a 512 bits key. For diceware, their docs said that each word is equal to approx 13 bits of entropy.)

Length of pw is not nearly a important as the entropy of it. Diceware is not the only way; there are ways like the OP mentioned–they all leverage /dev/urandom of /dev/random; if the machine where you are deriving the password from is working properly there should no be issues with the result.

edits: a lot of times because things were not behaving right on computer.