How to change the PIM of a VeraCrypt volume
The developers of VeraCrypt introduced Personal Iterations Multiplier (PIM) functionality in the encryption program in version 1.12.
PIM stands for "Personal Iterations Multiplier". It is a parameter that was introduced in VeraCrypt 1.12 and whose value controls the number of iterations used by the header key derivation function.
PIM is used by volumes even if the creator of the volume did not specify a value. It is an optional component that improves security: it adds another step to the authentication process similarly to two-factor authentication. The main difference is that the PIM value is fixed and not generated on the fly when requested. An attacker needs to know the master password and the PIM, if not set to default, to breach the encryption successfully and access the content of the drive or partition.
A couple of good reasons exist to change the PIM value:
- It was leaked or stolen.
- The default value is used and that is not as secure as using a custom PIM.
- You want to change the PIM to speed up or slow down the boot process.
Thankfully though, it is relatively easy to change the PIM of any VeraCrypt volume. The function is linked to the password; if you change the password of a volume, you may change the PIM as well.
Some notes:
- Mounting or booting will be slowed down if you select a PIM that is higher than the default.
- The minimum PIM value for encrypted volumes with passwords less than 20 characters in length is 98 if SHA-512 or Whirlpool are not use, and 485 for all other cases.
- The minimum PIM value for encrypted volumes with passwords greater than or equal to 20 characters is 1.
- You can re-use the password if you just want to change the PIM of the selected volume.
Here is how that is done in detail:
System Drive
- Open the VeraCrypt software on your device.
- Select System > Change Password.
- Type the current password.
- Type the new password and confirm it.
- Check the Use PIM box.
- Type a PIM.
- Select OK to complete the process.
It is still possible to use an old VeraCrypt Rescue Disk, if it exists, to restore the system partition or drive using the old password. It is recommended to delete the old Rescue Disk and create a new one.
While you are at it, select Tools > Backup Volume Header as well. The process is identical to how that was done under TrueCrypt.
Non-System Volume
- Non-system volumes need to be in unmounted state. If the volume is mounted right-click on it and select the dismount option.
- Use Select Device or Select File to select the volume that you want to change the PIM for.
- Select Volumes > Change Volume Password.
- Type the current password.
- Type the new password and confirm it.
- Check the Use PIM box under New.
- Type the new PIM that you want to use.
- Click OK to finalize the process.
Both processes require elevation. You are asked to move the mouse to generate a random pool. Select continue once you are satisfied; VeraCrypt highlights the progress and you should not end it before the bar turns green.
The encryption software displays a success (or failure) message afterward.
That's all there is to the process. You may want to test the boot or mount speed after the operation. If it takes too long you may want to consider reducing the PIM value to speed it up.
You need to check the "use pim" box when you mount a volume to specify it, or type it during the boot process.
Now You: do you use drive encryption software?
In your article you wrote: “Type a PIM. The maximum value is”
What is the maximum value?
Thanks
I’m not aware of a maximum. I removed the part in the article.
Yes still supported.
Thanks Martin. Timely tutorial for me.
Is VeraCrypt still supported and developed? I thought the project was dropped.
That was Truecrypt.
Veracrypt is a “fork” of truecrypt, still maintained.