Since Debian 13 (Trixie), when using the default FDE, which uses GRUB to decrypt the LUKS partition, I have a single attempt.
When the password is mistyped there is a long pause (over 10 seconds) and then the error appears.
I already tried increasing the max tries, which seems to be set to 1 when a keyfile is used.
Will update for more info.
I think he’s referring to the 10 second pause between attempts. It’s security theatre because you can replace the bootloader with one that doesn’t pause.
Is it? I always thought the password is hashed via Bcrypt (or similar) with very high difficulty so it takes some time to check.
Disk encryption is LUKS, not bcrypt, and LUKS timeouts are configurable.
So, it is purely a software timeout and not hardware due to the key derivation algorithm? That’s partly understandable and partly a security hole if it can be disabled so easily.