Re: Changing pass-phrase on dm-crypt'ed disks
On Monday 25 Jun 2012 09:16:23 Claudius Hubig wrote:
> Nick Boyce <nick@glimmer.adsl24.co.uk> wrote:
>
> > The installer uses 'dm-crypt' to encrypt the drive, rather than the full
> > LUKS system - and 'dm-crypt' generates the encryption key directly from
> > the pass-phrase, rather than storing the encryption key in an on-volume
> > "header" protected by the pass-phrase.
>
> Are you sure about that? I’ve set up quite a few systems and it
> always used LUKS.
No, I'm not sure - but I picked up that understanding from reading a lot of
forum threads about setting up new systems with encrypted disks.
I gained the distinct impression that current distribution installers use
'dm-crypt' for simplicity, and that this is the same as 'cryptsetup' in "plain"
mode as opposed to 'LUKS' mode.
Now that I've been reading more in-depth history of Linux filesystem crypto
tools, I think the problem is that quite a lot of the documentation out there
is old, obsolete and misleading :)
Many pages report the home of dm-crypt as being:
http://www.saout.de/misc/dm-crypt/
but I now think that site is woefully out of date, and consequently somewhat
misleading. Among other things, it says this:
"Clemens Fruhwirth is maintaining an enhanced version
of cryptsetup with the LUKS extension that allows you to
have an on-disk block of metadata which is superior to
the current mechanism and was my long term plan
anyway but I didn't find the time to implement that yet"
and this:
"Because the way using dmsetup directly is too
complicated for most people I'm currently writing a
native cryptsetup program to behave like one of the
patched losetup's out there"
The Debian Installation Manual [3] says:
"debian-installer supports several encryption methods.
The default method is dm-crypt"
I think it all needs updating and clarifying ...
Anyway, I was concerned not to attempt to do a 'cryptsetup
luksDelKey/luksAddKey' if there isn't actually an on-disk LUKS header to be
manipulated (for fear of corrupting the start of a "plain-mode" encrypted
volume).
> You can check with
> # cryptsetup luksDump <device>
Hmm .. well thanks for that command (I'm a novice) ... which confirms what you
say - my single encrypted raw disk partition (containing the LVM mapped system
volumes) does indeed have a LUKS header, with 8 keyslots; slot 0 is marked
"ENABLED", while the other 7 are "DISABLED".
I think I'll proceed by doing a 'luksHeaderBackup', and then trying a
pass-phrase change. The subject will be 350 GB of data which has taken two
months to set up, so I'll be holding my breath :-/
Thanks a lot for the clues !
[3] http://www.debian.org/releases/stable/amd64/ch06s03.html.en#partman-crypto
Cheers
Nick
--
Never FDISK after midnight
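The procedure Nick describes above (confirm there really is a LUKS header, back it up, then change the pass-phrase without ever leaving the volume with no working key) written out as a shell script. This is an added example, not code from the thread or from the cryptsetup project. The device and backup-file paths are placeholders chosen here; the cryptsetup actions used (luksDump, luksHeaderBackup with --header-backup-file, luksAddKey, luksKillSlot) are the standard ones. The magic-byte check exists precisely because a "plain" dm-crypt volume has no header at all: its first sector is ciphertext indistinguishable from random data, so there is nothing safe for a key-slot command to edit there.

```shell
#!/bin/sh
# Added example (not from the original e-mail thread). Safe pass-phrase change
# on a LUKS volume: verify the header, back it up, add the new key first.
# Assumed/placeholder values: the device path and backup file passed by the
# caller; these function names are this example's own.

# A LUKS volume starts with the magic bytes "LUKS" 0xBA 0xBE at offset 0,
# followed by a 2-byte big-endian header version. A plain-mode dm-crypt volume
# has no such header, so this check fails on it (and on any random data).
is_luks_header() {
    # $1: block device or image file. Returns 0 iff the LUKS magic is present.
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

luks_version() {
    # $1: device. Prints the LUKS header version (1 or 2); fails if not LUKS.
    is_luks_header "$1" || return 1
    dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 \
        | awk '{ print $1 * 256 + $2 }'
}

change_passphrase_safely() {
    # $1: LUKS device (e.g. /dev/sda5), $2: file to receive the header backup.
    # Refuses to touch anything that does not carry a LUKS header, so a
    # plain-mode volume is never overwritten by a key-slot operation.
    dev=$1
    backup=$2
    if ! is_luks_header "$dev"; then
        echo "no LUKS header on $dev: refusing to touch key slots" >&2
        return 1
    fi
    echo "LUKS version $(luks_version "$dev") header found on $dev"
    cryptsetup luksDump "$dev" || return 1

    # Keep a copy of the header first. It contains the (encrypted) master key
    # and every key slot, so luksHeaderRestore from this file undoes a bad
    # slot operation.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    echo "header backed up to $backup (store it off the disk it protects)"

    # Add the new pass-phrase to a free slot BEFORE removing the old one, so
    # there is never a moment with no working pass-phrase on the volume.
    cryptsetup luksAddKey "$dev" || return 1
    echo "new pass-phrase added; check luksDump shows a second ENABLED slot,"
    echo "open the volume with the new pass-phrase once, and only then run:"
    echo "  cryptsetup luksKillSlot $dev 0     # removes the old pass-phrase"
}

# Usage (as root, after sourcing or running this file):
#   change_passphrase_safely /dev/sda5 /root/sda5-luks-header.img
```

The backup file is as sensitive as the disk itself: anyone holding it plus the old pass-phrase can still unlock the volume even after slot 0 is killed, so a pass-phrase change is only complete once old header backups are destroyed or stored where they cannot be reached.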