[dm-crypt] cryptsetup from aes-cbc to aes-xts

Michael Kjörling michael at kjorling.se
Fri Oct 30 22:31:23 CET 2015

On 29 Oct 2015 17:28 -0500, from xxiao8 at fosiao.com (xxiao8):
> I had a one-liner change in my cryptsetup script (see below). As
> long as the key-file is the same, I can keep using the content on
> the hard-drive, which is a surprise to me. Doesn't
> switch-to-aes-xts-plain64 mandate a reformat of the hard drive? Am I
> missing something?

What do you mean by "keep using the content"?

If the luksFormat is run while the container is unmounted, I don't see
how you could retain access to the encrypted content in any meaningful
way, even if you were to use the same algorithm, unless you are using
an external LUKS header; even if you use the same key file and/or
passphrase, the luksFormat causes the header to be rewritten with a
different encryption key, which will all but ensure that the data will
no longer make any sense whatsoever.

> Changing from
> cryptsetup -v -c "aes-cbc-essiv:sha256" --key-size 256 --key-file
> /etc/keys/sda1.key luksFormat --use-random /dev/sda1
> to
> cryptsetup -v -c "aes-xts-plain64" --hash sha256 --key-size 512
> --key-file /etc/keys/sda1.key luksFormat --use-random /dev/sda1

Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
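
The reply's point that a new luksFormat leaves a header that no longer corresponds to the key the old data was encrypted with can be checked against the LUKS1 on-disk header layout. The sketch below is an added example, not part of the original message or of cryptsetup; `build_luks1` is a hypothetical stand-in for what luksFormat writes, and the payload offset, UUID, iteration count and keys are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Fixed part of the LUKS1 partition header, before the key slots (208 bytes, big-endian):
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iter, uuid.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
MAGIC = b"LUKS\xba\xbe"

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(buf):
    """Decode the fixed LUKS1 header fields; reject anything else."""
    if len(buf) < PHDR.size:
        raise ValueError("short header")
    (magic, version, name, mode, hash_spec, payload, key_bytes,
     digest, salt, iters, uuid) = PHDR.unpack_from(buf)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {"cipher_name": _cstr(name), "cipher_mode": _cstr(mode),
            "hash_spec": _cstr(hash_spec), "payload_offset": payload,
            "key_bytes": key_bytes, "mk_digest": digest,
            "salt": salt, "iters": iters, "uuid": _cstr(uuid)}

def build_luks1(cipher_name, cipher_mode, hash_spec, master_key, iters=1000):
    """Constructed stand-in for a freshly formatted header (hypothetical helper)."""
    salt = os.urandom(32)  # new salt on every format
    digest = hashlib.pbkdf2_hmac(hash_spec, master_key, salt, iters, 20)
    return PHDR.pack(MAGIC, 1, cipher_name.encode(), cipher_mode.encode(),
                     hash_spec.encode(), 4096, len(master_key), digest, salt,
                     iters, b"00000000-0000-0000-0000-000000000000")

def header_matches_key(hdr, master_key):
    """True if master_key is the volume key this header was created for."""
    if len(master_key) != hdr["key_bytes"]:
        return False
    digest = hashlib.pbkdf2_hmac(hdr["hash_spec"], master_key,
                                 hdr["salt"], hdr["iters"], 20)
    return hmac.compare_digest(digest, hdr["mk_digest"])

if __name__ == "__main__":
    old_mk = os.urandom(32)   # volume key drawn by the first luksFormat (256 bit)
    new_mk = os.urandom(64)   # volume key drawn by the second luksFormat (512 bit)
    old = parse_luks1(build_luks1("aes", "cbc-essiv:sha256", "sha256", old_mk))
    new = parse_luks1(build_luks1("aes", "xts-plain64", "sha256", new_mk))
    print("old header verifies old key:", header_matches_key(old, old_mk))
    print("new header verifies old key:", header_matches_key(new, old_mk))
```

The key file never appears in these fields: it only unlocks a key slot that wraps the volume key, so reusing it across two formats does not carry the old volume key forward.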
