[dm-crypt] Can you change the cipher without destroying your data

Michael Kjörling michael at kjorling.se
Fri Dec 18 22:34:27 CET 2015


On 18 Dec 2015 14:13 -0500, from doark at mail.com (David Niklas):
> I have a LUKS partition, aes-xts-plain64.
> I wanted to change it, can I?
> I can unmount the drive and do this, I'm not talking hot change here.

I believe this is exactly what cryptsetup-reencrypt was designed to
do. That tool is available in cryptsetup 1.5.0 and up.

http://asalor.blogspot.com/2012/08/re-encryption-of-luks-device-cryptsetup.html

https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Re-encrypting_devices

And yes, the reencryption is an offline operation.

And you really, _REALLY_ want to have a fresh backup of your data
before you even think about doing it.

But just out of curiosity, why do you want to migrate away from
aes-xts-plain64? I've said it before; that is the default for a
reason.

-- 
Michael Kjörling • https://michael.kjorling.se      michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
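
An added example (not part of the original message, and not code from the cryptsetup project): a pre-flight script for the offline re-encryption described above. It checks the cryptsetup version, refuses to continue while the LUKS device is open, reads the current cipher and saves a header backup. The device, target cipher and backup file are arguments you supply, and the luksDump excerpt is constructed sample text.

```shell
#!/usr/bin/env bash
# Pre-flight checks before an offline cryptsetup-reencrypt run (added example).

# Constructed LUKS1 luksDump excerpt, used to exercise current_cipher offline.
SAMPLE_DUMP='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1'

# True if dotted version $1 >= $2, e.g. version_ge 1.6.6 1.5.0
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Read LUKS1 luksDump text on stdin; print "<name>-<mode>" or fail.
current_cipher() {
    awk '/^Cipher name:/ { n = $NF }
         /^Cipher mode:/ { m = $NF }
         END { if (n == "" || m == "") exit 1; print n "-" m }'
}

# preflight DEVICE NEW_CIPHER HEADER_BACKUP_FILE (all caller-supplied)
preflight() {
    local dev="$1" new="$2" backup="$3" ver cur
    ver=$(cryptsetup --version | awk '{ print $2 }')
    version_ge "$ver" 1.5.0 ||
        { echo "cryptsetup $ver predates cryptsetup-reencrypt" >&2; return 1; }
    # Re-encryption is offline: refuse while a dm-crypt mapping is open.
    if lsblk -nro TYPE "$dev" | grep -qx crypt; then
        echo "$dev is still open; close the mapping first" >&2; return 1
    fi
    cur=$(cryptsetup luksDump "$dev" | current_cipher) ||
        { echo "$dev: no LUKS1 cipher fields found" >&2; return 1; }
    [ "$cur" != "$new" ] || { echo "$dev already uses $new" >&2; return 1; }
    # The header backup covers the LUKS header and key slots, not the data.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    echo "current cipher: $cur, header saved to $backup"
    echo "next step: cryptsetup-reencrypt --cipher $new $dev"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```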

