[dm-crypt] migrate luks key-slots to another luks container

Arno Wagner arno at wagner.name
Wed Jan 16 21:19:12 CET 2013


Come to think of it, here is a very dirty way to do this:
Have the people accessing this map the old container (header+
keyslot area is enough, use, e.g. a loop file), then read the
master key (see FAQ) and use that in a script to open your
second (new) container. 

A bit like "decrypt-derived". And a possible nightmare to maintain ;-)

Arno


On Wed, Jan 16, 2013 at 09:14:55PM +0100, Arno Wagner wrote:
> Hmm.
> 
> I don't think that is possible at the moment. The experimental
> "cryptsetup-reencrypt" requires all passphrases that should remain 
> active. 
> 
> Any reason why you want to change the cipher? After all, you can
> not enlarge the key and keep the keyslots.
> 
> As to size, just enlarge the partition. Offset, I don't know,
> but if you do not need to keep any data, just changing the
> respective fields in the header should do it. But is there really
> any reason to change the offset?
> 
> Arno
> 
> 
> On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
> > On 16.01.2013 19:50, .. ink .. wrote:
> > >    Is it possible to move the passphrases from one luks container to a new
> > >    one with different cipher, size and payload offset? (There is currently
> > >    no data on the new container, I just want to keep the old passphrases.)
> > >
> > > any reason why you don't want to just add those old passphrases to the
> > > new container using "luksAddKey"?
> > 
> > I'd like to transfer the key-slots so that the same passphrases can
> > be used to unlock them.
> > I don't know the passphrases. (Just one of them.)
> > 
> > Cheers,
> > --leo
> > -- 
> > e-mail   ::: Leo.Bergolth (at) wu.ac.at
> > fax      ::: +43-1-31336-906050
> > location ::: IT-Services | Vienna University of Economics | Austria
> > 
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> -- 
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> One of the painful things about our time is that those who feel certainty
> are stupid, and those with any imagination and understanding are filled
> with doubt and indecision. -- Bertrand Russell

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
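
The approach sketched in the message above, as an added example that is not part of the original thread or of the cryptsetup FAQ: it parses LUKS1 `luksDump --dump-master-key` output into a key file and opens the new container with it. The file names, the `/dev/shm` location and the premise that the new container was formatted from the same master key are assumptions of this example.

```shell
#!/bin/sh
# Added example. Paths, names and the sample dump are constructed/hypothetical.

# Read `cryptsetup luksDump --dump-master-key` text (LUKS1) on stdin and print
# the master key as one hex string. Fails if the number of bytes collected
# disagrees with "MK bits:", so a truncated dump never becomes a key file.
mk_hex_from_dump() {
    awk '
        /^MK bits:/ { bits = $3 + 0; next }
        /^MK dump:/ { in_mk = 1; sub(/^MK dump:/, "") }
        in_mk {
            if ($0 !~ /^[ \t0-9a-fA-F]*$/) { in_mk = 0; next }
            gsub(/[ \t]/, ""); hex = hex $0
        }
        END {
            if (bits == 0 || length(hex) * 4 != bits) exit 1
            print tolower(hex)
        }'
}

# Constructed sample of the dump format (not a real key).
sample_dump() {
    printf 'LUKS header information for old-header.img\n'
    printf 'Cipher name:   \taes\nMK bits:       \t256\n'
    printf 'MK dump:\t00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f \n'
    printf '\t\t10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f \n'
}

# The procedure from the message, run as root. Assumption: the new container
# was created once with `cryptsetup luksFormat --master-key-file` from this
# same key, so it has the same key size as the old one.
open_new_with_old_key() {
    old_header=$1; new_dev=$2; name=$3
    keyfile=$(mktemp /dev/shm/mk.XXXXXX) || return 1   # tmpfs, not disk
    # The user enters a passphrase valid for the OLD header only.
    cryptsetup -q luksDump --dump-master-key "$old_header" \
        | mk_hex_from_dump | xxd -r -p > "$keyfile" \
        && [ -s "$keyfile" ] \
        && cryptsetup luksOpen --master-key-file "$keyfile" "$new_dev" "$name"
    rc=$?
    rm -f "$keyfile"
    return $rc
}

sample_dump | mk_hex_from_dump   # prints the 64 hex digits of the sample key
```

Anyone who can run this holds the raw master key of both containers, so removing their old keyslot later does not revoke their access.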
