Changing pass-phrase on dm-crypt'ed disks
I recently set up a Debian Squeeze system, using the installer's option to
encrypt the hard disk. It's working very well :-)
Good practice dictates that I should change the pass-phrase for this disk from
time to time, but my research ([1],[2]) suggests this is not
straightforward because of the scheme used by the installer.
The installer uses 'dm-crypt' to encrypt the drive, rather than the full LUKS
system - and 'dm-crypt' generates the encryption key directly from the pass-phrase, rather than storing the encryption key in an on-volume "header"
protected by the pass-phrase. Therefore, changing the pass-phrase requires
all data to be decrypted and re-encrypted - a slow and cumbersome process.
This must be done either in situ (which is dangerous) or using a second
filesystem (which is expensive on disk space).
Just to put my mind at rest (...), can anyone here confirm my understanding:
the passphrase on a Debian-6.0 installer-encrypted disk volume can't currently
be changed unless you unload all the data, re-create the volume with a new
pass-phrase, and reload the data?
Refs:
[1] http://www.saout.de/misc/dm-crypt/
(FAQ section)
Q: What if I want to change my passphrase?
A: At the moment you'll need to reencrypt your device because the passphrase
is directly tied to the key .... If you want to reencrypt your filesystem
you'll have to recreate a new one and move your files.
[2] http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
(question 6.11)
Q: What does the on-disk structure of dm-crypt look like?
A: There is none. dm-crypt takes a block device and gives encrypted access to
each of its blocks with a key derived from the passphrase given ... If you
want to change the password, you basically have to create a second encrypted
device with the new passphrase and copy your data over
Thanks in advance,
Nick Boyce
--
Never FDISK after midnight
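The contrast the post draws between plain dm-crypt and LUKS, modelled as an added Python example (this is not code from the post, from cryptsetup, or from dm-crypt): in plain mode the volume key is derived straight from the pass-phrase, so a new pass-phrase means a new key and therefore re-encrypting every block, whereas a LUKS-style header keeps a random volume key wrapped under a pass-phrase-derived key, so changing the pass-phrase only rewrites the small header. The hash choice (SHA-256), the PBKDF2 parameters, and XOR-wrapping of the key slot are assumptions made for illustration; real LUKS uses an anti-forensic split and cipher-encrypted key slots, and older plain-mode cryptsetup defaults to RIPEMD-160.

```python
import hashlib
import hmac
import os
from typing import Optional

KEY_BYTES = 32  # 256-bit volume key; assumed size for this toy model
CHECK_LABEL = b"volume-key-check"  # constructed label for the header check value


def plain_dmcrypt_key(passphrase: str, hash_name: str = "sha256") -> bytes:
    """Plain dm-crypt model: the volume key IS a hash of the passphrase.

    There is no on-disk header, so nothing links a new passphrase to the old
    key. A different passphrase yields a different key, and data encrypted
    under the old key can only be read by re-encrypting it under the new one.
    """
    digest = hashlib.new(hash_name, passphrase.encode("utf-8")).digest()
    return digest[:KEY_BYTES]


def _kdf(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Passphrase stretching for the LUKS-style model (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def luks_create(passphrase: str, volume_key: Optional[bytes] = None) -> dict:
    """LUKS-style model: a random volume key, wrapped by a passphrase-derived key.

    The returned header holds only the salt, the wrapped key and a check value;
    the volume key itself never appears in it. XOR wrapping is a simplification
    of the cipher-encrypted key slot real LUKS uses.
    """
    vk = volume_key if volume_key is not None else os.urandom(KEY_BYTES)
    salt = os.urandom(16)
    wrapped = _xor(vk, _kdf(passphrase, salt))
    check = hmac.new(vk, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "check": check}


def luks_unlock(header: dict, passphrase: str) -> bytes:
    """Recover the volume key from the header, rejecting a wrong passphrase."""
    vk = _xor(header["wrapped"], _kdf(passphrase, header["salt"]))
    expected = hmac.new(vk, CHECK_LABEL, "sha256").digest()
    if not hmac.compare_digest(expected, header["check"]):
        raise ValueError("wrong passphrase")
    return vk


def luks_change_passphrase(header: dict, old: str, new: str) -> dict:
    """Re-wrap the SAME volume key under a new passphrase: only the header changes,
    so the encrypted data on the volume is untouched."""
    vk = luks_unlock(header, old)
    return luks_create(new, vk)


if __name__ == "__main__":
    # Plain mode: a new passphrase is a new key, so every block must be rewritten.
    print("plain key changes:", plain_dmcrypt_key("old") != plain_dmcrypt_key("new"))
    # LUKS-style: the volume key survives the passphrase change.
    hdr = luks_create("old")
    vk = luks_unlock(hdr, "old")
    hdr2 = luks_change_passphrase(hdr, "old", "new")
    print("volume key unchanged:", luks_unlock(hdr2, "new") == vk)
```

The model makes the post's point concrete: with plain dm-crypt there is no place on the volume where a re-wrapped key could live, which is exactly why both FAQs say the only route is a second encrypted device and a copy.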