password advice wiki page enhancements

Could you please add the easy/non-controversial things first?
Like “I recommend a minimum length of 20 characters, including spaces between the letters.” translates into “in any case, the resulting diceware passphrase should not be shorter than 20 characters”. This might matter for diceware passphrases of 5 or 6 words?


  • 5.13 Is LUKS with default parameters less secure on a slow CPU?

Unfortunately, yes. However, the only aspect affected is the protection for a low-entropy passphrase or master key. All other security aspects are independent of CPU speed.

The master key is less critical, as you really have to work at it to give it low entropy. One possibility is to supply the master key yourself. If that key is low-entropy, then you get what you deserve. The other known possibility is to use /dev/urandom for key generation in an entropy-starved situation (e.g. automatic installation on an embedded device without network and other entropy sources).

For the passphrase, don’t use a low-entropy passphrase. If your passphrase is good, then a slow CPU will not matter. If you insist on a low-entropy passphrase on a slow CPU, use something like “--iter-time=10000” or higher and wait a long time on each LUKS unlock and pray that the attacker does not find out in which way exactly your passphrase is low entropy. This also applies to low-entropy passphrases on fast CPUs. Technology can do only so much to compensate for problems in front of the keyboard.

Also note that power-saving modes will make your CPU slower. This will reduce iteration count on LUKS container creation. It will keep unlock times at the expected values though at this CPU speed.

Could you ask him please if very high values for luks -h sha512 --iter-time as per my last post make sense? How much can --iter-time / PBKDF2 do for us? Could even a 5-word diceware passphrase be stretched long enough if the --iter-time number is high enough? What value should we use for --iter-time? Probably depends on how many diceware words are being used. What would be the minimum number of diceware words / characters so --iter-time / PBKDF2 can stretch to 256 bits?
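
An added example, not part of the original post or the quoted FAQ: a small Python model of how much PBKDF2 stretching adds to a Diceware passphrase. It assumes words are drawn uniformly from the standard 7776-word list and that each guess costs an attacker one full PBKDF2 run, so stretching adds log2(iterations) bits; all function names are hypothetical, and the benchmark only approximates what `--iter-time` measures at container creation.

```python
import hashlib
import math
import os
import time

DICEWARE_WORDS = 7776  # 6**5 entries in the standard Diceware list


def diceware_bits(words: int) -> float:
    """Entropy of `words` uniformly random Diceware words."""
    return words * math.log2(DICEWARE_WORDS)


def stretch_bits(iterations: int) -> float:
    """Extra attacker work, in bits, from `iterations` PBKDF2 rounds (assumed model)."""
    return math.log2(iterations)


def effective_bits(words: int, iterations: int) -> float:
    return diceware_bits(words) + stretch_bits(iterations)


def words_needed(target_bits: float, iterations: int) -> int:
    """Smallest word count whose stretched strength reaches target_bits."""
    missing = target_bits - stretch_bits(iterations)
    return max(0, math.ceil(missing / math.log2(DICEWARE_WORDS)))


def benchmark_iterations(iter_time_ms: int, probe: int = 20_000) -> int:
    """Estimate PBKDF2-HMAC-SHA512 iterations this CPU performs in iter_time_ms.

    The count is derived from the speed of the machine doing the measuring,
    so a slow or power-saving CPU yields a lower number.
    """
    salt = os.urandom(32)
    sample = b"constructed sample passphrase"  # constructed input, not a real secret
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", sample, salt, probe, dklen=32)
    elapsed = time.perf_counter() - start
    return max(1, int(probe * (iter_time_ms / 1000) / elapsed))


if __name__ == "__main__":
    for ms in (1000, 10000):
        iters = benchmark_iterations(ms)
        print(f"--iter-time={ms}: ~{iters} iterations, +{stretch_bits(iters):.1f} bits")
        for w in (5, 6, 7, 8):
            print(f"  {w} words: {effective_bits(w, iters):.1f} bits")
        print(f"  words needed for 128 bits: {words_needed(128, iters)}")
```

Under this model, raising the iteration time tenfold adds about 3.3 bits, roughly a quarter of one Diceware word, while each tenfold increase also multiplies the unlock time by ten.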