[dm-crypt] passphrase management question

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Oct 27 15:46:22 CEST 2016


On 10/27/2016 05:24 AM, Sven Eschenberg wrote:
>
>
> On 27.10.2016 at 09:55, Arno Wagner wrote:
>> Regular passphrase changes on storage-encryption make
>> absolutely no sense and give you absolutely no
>> protection benefit (unless you have told somebody
>> that should not know, in which case you need to change
>> them immediately).
>
> I might be wrong, but changing the passphrase could make sense if (and only if) you switch the
> actual encryption key along with it by reencrypting the whole device. Aside from that, changing
> passphrases seems a little pointless.

You are correct, but cryptsetup-reencrypt is a lengthy process,
during which the slightest glitch can cause you to lose everything.
It's not the sort of thing you want to be doing routinely.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
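
The point made in this exchange, as an added example that is not part of the original message: a simplified Python model of a passphrase-wrapped volume key, showing that a passphrase change re-wraps the same key while reencryption replaces it. This is not the LUKS on-disk format; the XOR wrapping, the SHA-256 digest and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    # Passphrase -> key-encryption key (iteration count kept low for the demo).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_header(volume_key: bytes, passphrase: bytes) -> dict:
    # One toy "keyslot": the volume key wrapped under the passphrase-derived
    # key, plus a digest so that a wrong passphrase can be detected.
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped": xor(volume_key, derive_kek(passphrase, salt)),
            "digest": hashlib.sha256(volume_key).digest()}

def unlock(header: dict, passphrase: bytes):
    candidate = xor(header["wrapped"], derive_kek(passphrase, header["salt"]))
    ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), header["digest"])
    return candidate if ok else None

def change_passphrase(header: dict, old: bytes, new: bytes) -> dict:
    volume_key = unlock(header, old)
    if volume_key is None:
        raise ValueError("wrong passphrase")
    return make_header(volume_key, new)      # same volume key, new wrapping

def reencrypt(header: dict, passphrase: bytes) -> dict:
    if unlock(header, passphrase) is None:
        raise ValueError("wrong passphrase")
    # A real reencryption also rewrites every data sector under the new key.
    return make_header(os.urandom(32), passphrase)

def demo():
    header = make_header(os.urandom(32), b"old passphrase")  # constructed sample
    old_copy = dict(header)                  # header copy kept from before the change
    header = change_passphrase(header, b"old passphrase", b"new passphrase")
    key_from_copy = unlock(old_copy, b"old passphrase")
    valid_after_change = key_from_copy == unlock(header, b"new passphrase")
    header = reencrypt(header, b"new passphrase")
    valid_after_reencrypt = key_from_copy == unlock(header, b"new passphrase")
    old_passphrase_rejected = unlock(header, b"old passphrase") is None
    return valid_after_change, valid_after_reencrypt, old_passphrase_rejected

if __name__ == "__main__":
    print(demo())
```

In this model the key recovered from the old header copy with the old passphrase still matches the volume key after the passphrase change, and stops matching only once the volume key itself is replaced.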


