[dm-crypt] "re-encrypting" ?

Wolfgang Aigner wolfgang.aigner at gmx.de
Sun Aug 14 19:57:24 CEST 2011


Hello Steve,

> What would
> > dd if=/dev/mapper/[cryptdevice] of=/dev/[device] conv=notrunc
> Actually do then?
> Would it revert back to no encryption? How would I convert the 256 bit
> encrypt to 128?

Ok, sorry for not being clear in the first mail. I thought you'd like to unencrypt
the whole thing.

To reencrypt you get two cryptdevices for the same device:

 /dev/mapper/[cryptdevice-AES128]
 /dev/mapper/[cryptdevice-AES256]

and then do a
dd if=/dev/mapper/[cryptdevice-AES256] of=/dev/mapper/[cryptdevice-AES128] \
conv=notrunc

And as I wrote before, DON'T DO THIS IF DATA LOSS IS A PROBLEM for you. I've done
this many times and most times it worked fine, but you can't be sure.


> Heinz Diehl wrote
> Actually, you can't. You'll have to backup your data somewhere and
> luksFormat the partition with the new parameters. Besides, I doubt that
> 128 bit gives noticeably more speed than 256 bit, even if your system is
> somewhat old.

Be aware, that doesn't work with LUKS devices, only with plain dm-crypt 
devices.

> Roscoe wrote
> This strikes me as poor advice for the following reasons:
> 
> - It's writing out plaintext directly to his hard disk, the exact
> thing he doesn't want to happen

You are right; as I wrote at the top, I thought he would like to unencrypt the
whole device.

> - It's riskier than it has to be, you're not even backing up the master
> key...

As Heinz Diehl wrote, it doesn't work with LUKS headers. Don't bother to make
a backup for the keys ;-)
For dm-crypt devices you don't need a backup of your master key.

cheers 

Wolfgang
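
Added example, not part of the message above: a small Python model of the in-place copy between two plain (headerless) mappings of the same device, showing what the disk looks like after a complete run and after an interrupted one. The per-sector SHA-256 keystream is a toy stand-in for the real cipher, and the keys, sector count and all function names are constructed for the illustration.

```python
import hashlib

SECTOR = 512

def keystream(key: bytes, n: int) -> bytes:
    # Toy per-sector keystream (assumption: stand-in for the real cipher/IV mode).
    out = b"".join(hashlib.sha256(key + n.to_bytes(8, "little") + bytes([c])).digest()
                   for c in range(SECTOR // 32))
    return out[:SECTOR]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Mapping:
    """One plain mapping: no header, sector n of the mapping is sector n of the disk."""
    def __init__(self, disk: bytearray, key: bytes):
        self.disk, self.key = disk, key
    def read(self, n: int) -> bytes:
        return xor(self.disk[n * SECTOR:(n + 1) * SECTOR], keystream(self.key, n))
    def write(self, n: int, plaintext: bytes) -> None:
        self.disk[n * SECTOR:(n + 1) * SECTOR] = xor(plaintext, keystream(self.key, n))

def reencrypt(src: Mapping, dst: Mapping, sectors: int, stop_after=None) -> int:
    """Sequential copy over the same disk; each sector is read before it is
    overwritten. stop_after simulates a crash. Returns sectors converted."""
    done = 0
    for n in range(sectors):
        if stop_after is not None and done >= stop_after:
            break
        dst.write(n, src.read(n))
        done += 1
    return done

def readable(mapping: Mapping, plaintext: bytes, sectors: int) -> list:
    # Sector numbers that decrypt to the original data through this mapping.
    return [n for n in range(sectors)
            if mapping.read(n) == plaintext[n * SECTOR:(n + 1) * SECTOR]]

def demo(stop_after=None, sectors: int = 8):
    plaintext = b"".join(bytes([65 + n]) * SECTOR for n in range(sectors))
    disk = bytearray(sectors * SECTOR)
    old = Mapping(disk, b"constructed-old-key")   # constructed sample keys
    new = Mapping(disk, b"constructed-new-key")
    for n in range(sectors):
        old.write(n, plaintext[n * SECTOR:(n + 1) * SECTOR])
    done = reencrypt(old, new, sectors, stop_after)
    return done, readable(old, plaintext, sectors), readable(new, plaintext, sectors)

if __name__ == "__main__":
    print("complete:   ", demo())
    print("interrupted:", demo(stop_after=3))
```

After an interrupted run the disk is split between the two keys, and the only record of where the split lies is how many sectors the copy had finished.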

