[dm-crypt] migrate luks key-slots to another luks container

Milan Broz gmazyland at gmail.com
Wed Jan 16 21:33:49 CET 2013


On 01/16/2013 09:19 PM, Arno Wagner wrote:
> Come to think of it, here is a very dirty way to do this:
> Have the people accessing this map the old container (header+
> keyslot area is enough, use, e.g. a loop file), then read the
> master key (see FAQ) and use that in a script to open your
> second (new) container. 

And what to do if the master key is longer for the new container?

No, really, LUKS is a simple standard for a reason :)
The master key in a keyslot is always encrypted with the same algorithm
as the data. cryptsetup-reencrypt requires entering all passphrases,
or alternatively using only one (destroying the others) and allowing them to be added later.

Surely we can create some "hack" script, but then I would expect
people doing this to understand exactly the (not only security) consequences.

Milan
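
Added example (not part of the original thread, and not cryptsetup code): a check over two LUKS1 headers that reports when the objection above applies, i.e. the master key length or the cipher differs between the old and new container. The field layout follows the LUKS1 on-disk header; the function names and the sample headers are constructed for illustration.

```python
import struct
from collections import namedtuple

# LUKS1 on-disk header, big-endian: magic, version, cipher-name, cipher-mode,
# hash-spec, payload-offset, key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iter, uuid (208 bytes, followed by the 8 key slot descriptors).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"
LuksHdr = namedtuple("LuksHdr", "cipher mode hash_spec key_bytes")

def parse_luks1(buf):
    """Extract the fields that decide how key slots are encrypted."""
    if len(buf) < PHDR.size:
        raise ValueError("buffer shorter than a LUKS1 header")
    magic, version, cipher, mode, hspec, _off, key_bytes = PHDR.unpack_from(buf)[:7]
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii")
    return LuksHdr(text(cipher), text(mode), text(hspec), key_bytes)

def keyslot_transplant_blockers(old, new):
    """List the header-level reasons a key slot from `old` cannot serve `new`."""
    reasons = []
    if old.key_bytes != new.key_bytes:
        reasons.append("master key length differs: %d vs %d bytes"
                       % (old.key_bytes, new.key_bytes))
    if (old.cipher, old.mode) != (new.cipher, new.mode):
        reasons.append("key slot cipher differs: %s-%s vs %s-%s"
                       % (old.cipher, old.mode, new.cipher, new.mode))
    if old.hash_spec != new.hash_spec:
        reasons.append("hash differs: %s vs %s" % (old.hash_spec, new.hash_spec))
    return reasons

def make_header(cipher, mode, hash_spec, key_bytes):
    # Constructed sample header: zeroed digest, salt and UUID, no key slots.
    return PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                     hash_spec.encode(), 4096, key_bytes,
                     bytes(20), bytes(32), 1000, bytes(40))

if __name__ == "__main__":
    old = parse_luks1(make_header("aes", "cbc-essiv:sha256", "sha1", 32))
    new = parse_luks1(make_header("aes", "xts-plain64", "sha1", 64))
    for reason in keyslot_transplant_blockers(old, new):
        print("blocked:", reason)
```

An empty result only means the header parameters match; the two containers still have different master keys unless one was created from the other's key.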

