[dm-crypt] cryptsetup FAQ section 6.10, master keys and cryptsetup-reencrypt (resend)
michael at kjorling.se
Fri Jan 6 13:53:37 CET 2017
For some reason this e-mail has failed to show up on the list, so I'm
sending it again. If this ends up being a duplicate, please accept my
apologies in advance and feel free to delete this copy.
I was poking around the cryptsetup FAQ, mostly out of idle curiosity,
and noticed that section 6.10 (How do I recover the master key from a
mapped LUKS container?) states that
> Changing the master key requires a full data backup, luksFormat and
> then restore of the backup.
But as far as I understand it, this isn't the case any longer;
says that cryptsetup-reencrypt was born in mid-2012, and my
understanding is that changing the master key is one of the major use
cases for cryptsetup-reencrypt (the other being to change from one
cipher or set of cipher settings to another).
Isn't it time that the FAQ is updated to at least point out the
existence of cryptsetup-reencrypt?
A backup would still very much be advised, but unless I'm mistaken,
changing the master key is now merely an offline operation rather than
a luks(re)Format operation.
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
More information about the dm-crypt