[dm-crypt] passphrase management question
rnicholsNOSPAM at comcast.net
Thu Oct 27 15:46:22 CEST 2016
On 10/27/2016 05:24 AM, Sven Eschenberg wrote:
> On 27.10.2016 at 09:55, Arno Wagner wrote:
>> Regular passphrase changes on storage-encryption make
>> absolutely no sense and give you absolutely no
>> protection benefit (unless you have told somebody
>> that should not know, in which case you need to change
>> them immediately).
> I might be wrong, but changing the passphrase could make sense if (and only if) you switch the
> actual encryption key along with it by reencrypting the whole device. Aside from that, changing
> passphrases seems a little pointless.
You are correct, but cryptsetup-reencrypt is a lengthy process,
during which the slightest glitch can cause you to lose everything.
It's not the sort of thing you want to be doing routinely.
Bob Nichols
"NOSPAM" is really part of my email address.
Do NOT delete it.
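
The point discussed in this thread, that a passphrase change alone leaves the actual encryption key untouched while a reencryption replaces it, as an added example (not part of the original message and not cryptsetup's code). It is a simplified model of a LUKS-style keyslot: PBKDF2 with an XOR wrap stands in for the real keyslot encryption, and all function names and sample passphrases are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # low so the model runs fast; not a recommended setting

def derive_kek(passphrase, salt):
    # Key-encryption key derived from the passphrase (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_header(passphrase, volume_key):
    # One keyslot: the volume key wrapped under the passphrase-derived key.
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped": xor_bytes(volume_key, derive_kek(passphrase, salt)),
            "digest": hashlib.sha256(volume_key).digest()}

def unlock(header, passphrase):
    # Returns the volume key, or None when the passphrase does not fit.
    candidate = xor_bytes(header["wrapped"], derive_kek(passphrase, header["salt"]))
    ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), header["digest"])
    return candidate if ok else None

def change_passphrase(header, old, new):
    # Re-wraps the SAME volume key; the encrypted data is not touched.
    volume_key = unlock(header, old)
    if volume_key is None:
        raise ValueError("wrong passphrase")
    return make_header(new, volume_key)

def reencrypt(header, passphrase):
    # Models a full reencryption: a fresh volume key replaces the old one.
    if unlock(header, passphrase) is None:
        raise ValueError("wrong passphrase")
    return make_header(passphrase, os.urandom(32))

def demo():
    original = make_header("old passphrase", os.urandom(32))
    old_copy = dict(original)  # constructed stand-in for an old copy of the header
    changed = change_passphrase(original, "old passphrase", "new passphrase")
    rekeyed = reencrypt(changed, "new passphrase")
    old_key = unlock(old_copy, "old passphrase")
    return {
        "old_passphrase_opens_changed_header": unlock(changed, "old passphrase") is not None,
        "old_copy_yields_current_key_after_change": old_key == unlock(changed, "new passphrase"),
        "old_copy_yields_current_key_after_reencrypt": old_key == unlock(rekeyed, "new passphrase"),
    }
```

Calling `demo()` shows that an old header copy plus the old passphrase still yields the current volume key after a passphrase change, and stops doing so only after the reencryption step.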