[dm-crypt] LUKS2 resizing

Ondrej Kozina okozina at redhat.com
Mon Dec 18 10:41:27 CET 2017


On 12/18/2017 10:30 AM, Ondrej Kozina wrote:
> On 12/14/2017 08:22 PM, Andrius Štikonas wrote:
>> So if I understand correctly it will never ask for passphrase in LUKS1
>> case but it will always ask in LUKS2 case.
> 
> Not always for every LUKS2 device. It will always ask for a passphrase
> if the volume key is passed via kernel keyring (hence the cryptsetup
> status cmd for detection).
> 
> LUKS1 devices don't use kernel keyring for volume key (backward
> compatibility)
> 
> LUKS2 devices use kernel keyring for volume key by default, but user may
> have overridden the default by --disable-keyring option during
> cryptsetup open command.
> 

And don't forget that not every kernel has dm-crypt kernel keyring support 
available. We detect the dm-crypt version at runtime, so you may encounter LUKS2 
devices with a hexbyte key in the dm table directly, especially in enterprise 
or more conservative distributions. I'd recommend sticking with the 
cryptsetup status cmd for detection though.

O.
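
The detection recommended in this thread, as an added example that is not part of the original message or of cryptsetup itself: it reads the "key location" field of cryptsetup status output to tell whether a resize will ask for a passphrase. The function names and the two sample outputs (device names, sizes) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an active mapping by where its volume key lives,
# using only the text printed by `cryptsetup status <name>`.

# key_location: read status text on stdin and print the "key location" value
# ("keyring" or "dm-crypt"), or "unknown" when the field is missing.
key_location() {
    awk -F': *' '
        /^[[:space:]]*key location:/ {
            gsub(/[[:space:]]+$/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# resize_needs_passphrase: exit 0 when the key is in the kernel keyring (per
# the thread, resize then asks for a passphrase), 1 when the key is in the
# dm table, 2 when the location cannot be determined.
resize_needs_passphrase() {
    case "$(key_location)" in
        keyring)  return 0 ;;
        dm-crypt) return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample: LUKS2 mapping opened with the default keyring handling.
SAMPLE_LUKS2_KEYRING='/dev/mapper/example2 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1'

# Constructed sample: LUKS2 mapping on a kernel without dm-crypt keyring
# support, or opened with --disable-keyring.
SAMPLE_LUKS2_DMTABLE='/dev/mapper/example3 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/sdc1'

for sample in "$SAMPLE_LUKS2_KEYRING" "$SAMPLE_LUKS2_DMTABLE"; do
    if printf '%s\n' "$sample" | resize_needs_passphrase; then
        echo "resize will prompt for a passphrase"
    else
        echo "resize will not prompt for a passphrase"
    fi
done
```

On a live system the input would come from `cryptsetup status <name> | resize_needs_passphrase`, with the exit status 2 case treated as "ask the user".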

