
Re: Changing pass-phrase on dm-crypt'ed disks



On Monday 25 Jun 2012 09:16:23 Claudius Hubig wrote:

> Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
> 
> > The installer uses 'dm-crypt' to encrypt the drive, rather than the full
> > LUKS system - and 'dm-crypt' generates the encryption key directly from
> > the pass-phrase, rather than storing the encryption key in an on-volume
> > "header" protected by the pass-phrase.
> 
> Are you sure about that? I’ve set up quite a few systems and it
> always used LUKS. 

No, I'm not sure - but I picked up that understanding from reading a lot of 
forum threads about setting up new systems with encrypted disks.

I gained the distinct impression that current distribution installers use 
'dm-crypt' for simplicity, and that this is the same as 'cryptsetup' in "plain" 
mode as opposed to 'LUKS' mode.

Now that I've been reading more in-depth history of Linux filesystem crypto 
tools, I think the problem is that quite a lot of the documentation out there 
is old, obsolete and misleading :)

Many pages report the home of dm-crypt as being:
http://www.saout.de/misc/dm-crypt/
but I now think that site is woefully out of date, and consequently somewhat 
misleading. Among other things, it says this:
   "Clemens Fruhwirth is maintaining an enhanced version 
   of cryptsetup with the LUKS extension that allows you to
   have an on-disk block of metadata which is superior to
   the current mechanism and was my long term plan
   anyway but I didn't find the time to implement that yet"
and this:
   "Because the way using dmsetup directly is too 
   complicated for most people I'm currently writing a
   native cryptsetup program to behave like one of the
   patched losetup's out there"

The Debian Installation Manual [3] says:
   "debian-installer supports several encryption methods. 
   The default method is dm-crypt"

I think it all needs updating and clarifying ...

Anyway, I was concerned not to attempt to do a 'cryptsetup 
luksDelKey/luksAddKey' if there isn't actually an on-disk LUKS header to be 
manipulated (for fear of corrupting the start of a "plain-mode" encrypted 
volume).

> You can check with
> # cryptsetup luksDump <device>

Hmm .. well thanks for that command (I'm a novice) ... which confirms what you 
say - my single encrypted raw disk partition (containing the LVM mapped system 
volumes) does indeed have a LUKS header, with 8 keyslots;  slot 0 is marked 
"ENABLED", while the other 7 are "DISABLED".

I think I'll proceed by doing a 'luksHeaderBackup', and then trying a 
pass-phrase change.  The subject will be 350Gb of data which has taken two months 
to set up, so I'll be holding my breath :-/

Thanks a lot for the clues!

[3] http://www.debian.org/releases/stable/amd64/ch06s03.html.en#partman-crypto

Cheers
Nick
-- 
Never FDISK after midnight


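The sequence discussed in this thread (confirm the partition really has a LUKS header before touching key slots, take a header backup, add the new pass-phrase, and only then retire the old slot), written out as an added example script; it is not code from the thread or from the cryptsetup project. It assumes the cryptsetup 1.x action names isLuks, luksDump, luksHeaderBackup, luksAddKey and luksKillSlot (the newer name for luksDelKey); the device and backup-file paths are placeholders, and the luksDump text embedded in it is a constructed sample matching the situation in the message (slot 0 enabled, slots 1-7 disabled) so the parsing helpers can be exercised without a real device or root.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the discussed steps:
# confirm a LUKS header exists, back it up, add the new pass-phrase, and
# only then kill the old slot.
# Assumptions: cryptsetup 1.x action names; $dev and $backup are placeholders
# you supply; SAMPLE_DUMP is a constructed luksDump output, not a real header.

SAMPLE_DUMP='LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
Key Slot 0: ENABLED
        Iterations:             123456
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# The same header after luksAddKey has filled slot 1 (also constructed).
SAMPLE_AFTER_ADD=$(printf '%s\n' "$SAMPLE_DUMP" | sed 's/^Key Slot 1: DISABLED/Key Slot 1: ENABLED/')

# --- parsing helpers: read luksDump output from stdin ---------------------

# Succeeds if the text is luksDump output for a LUKS device. A plain-mode
# dm-crypt volume has no header, so luksDump prints an error, not this line.
is_luks_dump() {
    grep -q '^LUKS header information'
}

# Prints how many of the 8 key slots are ENABLED.
count_enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }'
}

# Prints the numbers of the ENABLED slots, one per line.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# can_kill_slot SLOT: succeeds only if SLOT is enabled and at least one other
# slot stays enabled, so killing it can never leave the volume keyless.
can_kill_slot() {
    slot=$1
    dump=$(cat)
    printf '%s\n' "$dump" | enabled_slots | grep -qx "$slot" || return 1
    [ "$(printf '%s\n' "$dump" | count_enabled_slots)" -ge 2 ]
}

# --- the procedure itself: needs root and a real device, never the sample --

rotate_passphrase() {
    dev=$1      # encrypted partition (placeholder, e.g. /dev/sdX2)
    backup=$2   # header backup file (placeholder, keep it off the machine)
    cryptsetup isLuks "$dev" || {
        echo "$dev has no LUKS header; refusing to touch key slots" >&2
        return 1
    }
    # The backup still unlocks with the OLD pass-phrase: it is a copy of the
    # master key until the rotation is finished and the backup is destroyed.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    old_slot=$(cryptsetup luksDump "$dev" | enabled_slots | head -n 1)
    # luksAddKey prompts for an existing pass-phrase, then for the new one.
    cryptsetup luksAddKey "$dev" || return 1
    # Only remove the old slot once luksDump shows a second enabled slot.
    cryptsetup luksDump "$dev" | can_kill_slot "$old_slot" || return 1
    # luksKillSlot asks for a pass-phrase of a remaining slot (the new one),
    # so the new pass-phrase is proven to work before the old slot goes away.
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Usage: sh rotate.sh run /dev/sdX2 /root/luks-header.img
case "${1:-}" in
    run) rotate_passphrase "$2" "$3" ;;
esac
```

The order matters for the "holding my breath" part: the old slot is never touched until a second slot exists and luksKillSlot has accepted the new pass-phrase, and the header backup gives a way back if anything goes wrong in between. Because that backup lets anyone with the old pass-phrase unlock the data, it should be kept offline and wiped once the rotation is confirmed.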