[dm-crypt] cryptsetup-reencrypt additional options

Milan Broz gmazyland at gmail.com
Thu Aug 3 11:45:12 CEST 2017


On 08/03/2017 06:17 AM, Perry Thompson wrote:
> Hello there,
> 
> I had a quick question about the possibility of getting additional
> features added to cryptsetup-reencrypt. This may be asking for too much
> and I might be better off getting a second drive, putting LUKS on it,
> and transferring my files to it instead, but I thought I would ask
> anyways.
> 
> I have a drive with LUKS set up on it. The LUKS header is on a USB
> drive, and my data has an offset of 4096 512-byte sectors.
> 
> I was looking to encrypt a non-encrypted drive that I have on another
> machine. I was thinking of using cryptsetup-reencrypt, however because
> I have a detached header and an offset for the data, the current
> cryptsetup-reencrypt wouldn't work for me.
> 
> Would maybe adding --align-payload and --header options be something
> that might be possible? Even having a way to have it put the header at
> the start of the disk and use up those "free" 2MiB where my GPT stuff
> is, I could then manually extract the header and then overwrite it
> later.
> 
> I was just curious on thoughts about adding such options to the
> program, although now that I'm typing all of this out, I'm thinking
> that getting a second drive and copying the data to a freshly-encrypted
> drive might save me a lot of hassle.

In principle it can be done (in fact it uses "detached" header internally).

Just not sure if it is worth to support it... It should have full set
of options (not only for your use case) - iow reencrypt with both detached header
and then alternate on-disk/detached.

Milan


More information about the dm-crypt mailing list