[dm-crypt] How to increase key size of existing volume

Milan Broz gmazyland at gmail.com
Tue Dec 11 16:48:00 CET 2012


On 12/11/2012 04:34 PM, Erik Logtenberg wrote:
> So there are at least two methods of extracting a master key. Now if I
> would suspect that a machine, that has a luks volume mounted, was
> compromised to the extent that someone had temporaryly gained root
> access, I would not only have to reset (all) passwords after fixing the
> security hole, but also I would have to create a new master key to be sure.

So attacker had already access to your mounted backup in plaintext
and could change anything there.

> 
> Is the cryptsetup-reencrypt tool also meant for that purpose?

yes, in fact changing volume (master) key was primary use for it.

Read http://asalor.blogspot.cz/2012/08/re-encryption-of-luks-device-cryptsetup.html

(But always be sure you have backup. Backup of backup in your case :)

Milan


More information about the dm-crypt mailing list