[dm-crypt] cryptsetup FAQ section 6.10, master keys and cryptsetup-reencrypt

Michael Kjörling michael at kjorling.se
Thu Jan 5 19:10:29 CET 2017


I was poking around the cryptsetup FAQ, mostly out of idle curiosity,
and noticed that section 6.10 (How do I recover the master key from a
mapped LUKS container?) states that

> Changing the master key requires a full data backup, luksFormat and
> then restore of the backup.

But as far as I understand it, this isn't the case any longer;
https://gitlab.com/cryptsetup/cryptsetup/commits/master/src/cryptsetup_reencrypt.c
says that cryptsetup-reencrypt was born in mid-2012, and my
understanding is that changing the master key is one of the major use
cases for cryptsetup-reencrypt (the other being to change from one
cipher or set of cipher settings to another).

Isn't it time that the FAQ is updated to at least point out the
existence of cryptsetup-reencrypt?

A backup would still very much be advised, but unless I'm mistaken,
changing the master key is now merely an offline operation rather than
a luks(re)Format operation.

-- 
Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


More information about the dm-crypt mailing list