Changing Password on device
Changing the password on a device/file can be done by creating two mappings: one with the old password and one with the new password. Both mappings point to the same device, so reading from the first mapping yields the unencrypted data, and writing that data to the second mapping stores it on disk encrypted with the new password.
Steps:
- Setting up two crypto mappings, one for the old password and one for the new password.
- Re-encrypting all the data.
Example
For this example I use a 50MB encrypted partition, /dev/sda1. First I fill this 50MB test device with files:
berbara root # cryptsetup -c twofish create demo /dev/sda1
Enter passphrase: test
berbara root # mkfs.ext3 /dev/mapper/demo
<snip>
berbara root # mount /dev/mapper/demo /mnt/crypt
berbara root # cp -R /usr/src/linux/ /mnt/crypt
cp: writing `/mnt/crypt/linux/net/irda/irnet/irnet.h': No space left on device
<snip>
berbara root # umount /mnt/crypt
berbara root # cryptsetup remove demo
Create the read mapping
berbara root # cryptsetup -c twofish create reencrypt-from /dev/sda1
Enter passphrase: test
berbara root # fsck.ext3 -f /dev/mapper/reencrypt-from
e2fsck 1.35 (28-Feb-2004)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/reencrypt-from: 3544/13216 files (1.5% non-contiguous), 52667/52668 blocks
Create the write mapping
berbara root # cryptsetup -y -c aes create reencrypt-to /dev/sda1
Enter passphrase: newpass
Verify passphrase: newpass
Note: the -y switch makes cryptsetup ask for the password twice, which is important here!! A typo in the new passphrase would leave the data encrypted under a password you do not know. I also changed to the AES cipher, which isn't a problem.
Now we are ready to move the data
Warning: if the machine loses power or locks up during re-encryption, your data is in trouble!!!
berbara root # dd if=/dev/mapper/reencrypt-from of=/dev/mapper/reencrypt-to bs=4k
13167+1 records in
13167+1 records out
berbara root # cryptsetup remove reencrypt-from
berbara root # cryptsetup remove reencrypt-to
Done!
Note that the "dd" step can take a long time when the device is large (all data is read from disk, decrypted, then encrypted and written), so don't interrupt it with Ctrl+C. You can check progress by sending the USR1 signal to the dd process (on another console, find the pid of the dd process with ps -fC dd, then send the signal with kill -USR1 pid).
Remount with the new password
berbara root # cryptsetup -c aes create demo /dev/sda1
Enter passphrase: newpass
berbara root # fsck.ext3 -f /dev/mapper/demo
e2fsck 1.35 (28-Feb-2004)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/demo: 3544/13216 files (1.5% non-contiguous), 52667/52668 blocks
berbara root # mount /dev/mapper/demo /mnt/crypt
That's it!
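A pre-flight and post-copy check wrapped around the dd step above, as an added example that is not part of the original page. The function names are hypothetical; it assumes GNU dd, sha256sum and blockdev, and an ext2/3/4 filesystem on the old mapping as in the walkthrough. It goes beyond the text by hashing the plaintext before the copy and comparing it with what the new mapping returns afterwards.

```shell
#!/bin/sh
# Added example (hypothetical helper names): guard rails around the dd step.
# FROM = old-passphrase mapping, TO = new-passphrase mapping on the same device.
# Costs two extra full reads of the device (one hash before, one after).

size_of() {          # size in bytes of a block device or a regular file
    if [ -b "$1" ]; then blockdev --getsize64 "$1"
    else wc -c < "$1" | tr -d ' '; fi
}

has_ext_magic() {    # ext2/3/4 superblock magic 0xEF53, little-endian at byte 1080
    [ "$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null \
         | od -An -tx1 | tr -d ' \n')" = "53ef" ]
}

digest() { sha256sum < "$1" | cut -d' ' -f1; }   # hash of the plaintext view

preflight() {        # returns 0 when it is reasonable to start the copy
    from=$1 to=$2
    [ -e "$from" ] && [ -e "$to" ] || { echo "missing mapping" >&2; return 2; }
    [ "$from" != "$to" ] || { echo "FROM and TO are the same" >&2; return 3; }
    [ "$(size_of "$from")" = "$(size_of "$to")" ] \
        || { echo "size mismatch" >&2; return 4; }
    # Plain mappings accept any passphrase; a wrong one just decrypts to noise.
    has_ext_magic "$from" \
        || { echo "no ext superblock: wrong old passphrase?" >&2; return 5; }
}

reencrypt_copy() {   # preflight, copy, then compare the new view to the old one
    from=$1 to=$2
    preflight "$from" "$to" || return $?
    before=$(digest "$from")   # take this first: FROM reads as noise after dd
    dd if="$from" of="$to" bs=4k conv=notrunc,fsync 2>/dev/null || return 6
    [ "$(digest "$to")" = "$before" ] || { echo "verify failed" >&2; return 7; }
}

# Usage, with the mapping names from the walkthrough:
#   reencrypt_copy /dev/mapper/reencrypt-from /dev/mapper/reencrypt-to
```

A failed verification cannot undo the copy; it only tells you to restore from a backup before removing the mappings and relying on the new password.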