* [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 18:34 UTC (permalink / raw)
To: dm-crypt
Hi!
Is it possible to move the passphrases from one luks container to a new
one with different cipher, size and payload offset? (There is currently
no data on the new container, I just want to keep the old passphrases.)
Do I need to transfer the master key and the key-slots or just the
key-slots?
Any hints?
Thanks,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: .. ink .. @ 2013-01-16 18:50 UTC (permalink / raw)
To: Alexander 'Leo' Bergolth; +Cc: dm-crypt
> Is it possible to move the passphrases from one luks container to a new
> one with different cipher, size and payload offset? (There is currently
> no data on the new container, I just want to keep the old passphrases.)
>
>
any reason why you don't want to just add those old passphrases to the new
container using "luksAddKey"?
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 19:57 UTC (permalink / raw)
To: .. ink ..; +Cc: dm-crypt
On 16.01.2013 19:50, .. ink .. wrote:
> Is it possible to move the passphrases from one luks container to a new
> one with different cipher, size and payload offset? (There is currently
> no data on the new container, I just want to keep the old passphrases.)
>
> any reason why you don't want to just add those old passphrases to the
> new container using "luksAddKey"?
I'd like to transfer the key-slots so that the same passphrases can be
used to unlock them.
I don't know the passphrases. (Just one of them.)
Cheers,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Milan Broz @ 2013-01-16 20:05 UTC (permalink / raw)
To: Alexander 'Leo' Bergolth; +Cc: dm-crypt
On 01/16/2013 08:57 PM, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 19:50, .. ink .. wrote:
>> Is it possible to move the passphrases from one luks container to a new
>> one with different cipher, size and payload offset? (There is currently
>> no data on the new container, I just want to keep the old passphrases.)
>>
>> any reason why you don't want to just add those old passphrases to the
>> new container using "luksAddKey"?
>
> I'd like to transfer the key-slots so that the same passphrases can be
> used to unlock them.
> I don't know the passphrases. (Just one of them.)
Then it is impossible (if you want to change encryption parameters
and master key).
New master key must be encrypted with the new algorithm and you cannot
do this for keyslots without passphrase knowledge for these keyslots.
Milan
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 20:14 UTC (permalink / raw)
To: dm-crypt
Hmm.
I don't think that is possible at the moment. The experimental
"cryptsetup-reencrypt" requires all passphrases that should remain
active.
Any reason why you want to change the cipher? After all, you can
not enlarge the key and keep the keyslots.
As to size, just enlarge the partition. Offset, I don't know,
but if you do not need to keep any data, just changing the
respective fields in the header should do it. But is there really
any reason to change the offset?
Arno
On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 19:50, .. ink .. wrote:
> > Is it possible to move the passphrases from one luks container to a new
> > one with different cipher, size and payload offset? (There is currently
> > no data on the new container, I just want to keep the old passphrases.)
> >
> >any reason why you don't want to just add those old passphrases to the
> >new container using "luksAddKey"?
>
> I'd like to transfer the key-slots so that the same passphrases can
> be used to unlock them.
> I don't know the passphrases. (Just one of them.)
>
> Cheers,
> --leo
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 20:19 UTC (permalink / raw)
To: dm-crypt
Come to think of it, here is a very dirty way to do this:
Have the people accessing this map the old container (header+
keyslot area is enough, use, e.g. a loop file), then read the
master key (see FAQ) and use that in a script to open your
second (new) container.
A bit like "decrypt-derived". And a possible nightmare to maintain ;-)
Arno
On Wed, Jan 16, 2013 at 09:14:55PM +0100, Arno Wagner wrote:
> Hmm.
>
> I don't think that is possible at the moment. The experimental
> "cryptsetup-reencrypt" requires all passphrases that should remain
> active.
>
> Any reason why you want to change the cipher? After all, you can
> not enlarge the key and keep the keyslots.
>
> As to size, just enlarge the partition. Offset, I don't know,
> but if you do not need to keep any data, just changing the
> respective fields in the header should do it. But is there really
> any reason to change the offset?
>
> Arno
>
>
> On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
> > On 16.01.2013 19:50, .. ink .. wrote:
> > > Is it possible to move the passphrases from one luks container to a new
> > > one with different cipher, size and payload offset? (There is currently
> > > no data on the new container, I just want to keep the old passphrases.)
> > >
> > >any reason why you don't want to just add those old passphrases to the
> > >new container using "luksAddKey"?
> >
> > I'd like to transfer the key-slots so that the same passphrases can
> > be used to unlock them.
> > I don't know the passphrases. (Just one of them.)
> >
> > Cheers,
> > --leo
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Milan Broz @ 2013-01-16 20:33 UTC (permalink / raw)
To: dm-crypt
On 01/16/2013 09:19 PM, Arno Wagner wrote:
> Come to think of it, here is a very dirty way to do this:
> Have the people accessing this map the old container (header+
> keyslot area is enough, use, e.g. a loop file), then read the
> master key (see FAQ) and use that in a script to open your
> second (new) container.
And what to do if the master key is longer for the new container?
No, really, LUKS is a simple standard for a reason :)
The master key in keyslot is always encrypted with the same algorithm
as the data. cryptsetup-reencrypt requires entering all passphrases
or alternatively using only one (destroying the others) and allowing them to be added later.
Surely we can create some "hack" script, but then I would expect
people doing this to understand exactly the (not only security) consequences.
Milan
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 20:51 UTC (permalink / raw)
To: Arno Wagner; +Cc: dm-crypt
On 16.01.2013 21:14, Arno Wagner wrote:
> Any reason why you want to change the cipher? After all, you can
> not enlarge the key and keep the keyslots.
>
> As to size, just enlarge the partition. Offset, I don't know,
> but if you do not need to keep any data, just changing the
> respective fields in the header should do it. But is there really
> any reason to change the offset?
The motivation behind this is because I'd like to migrate the data to
another system using a different raid layout.
To ensure correct data alignment with the new stripe size, I need to
change the payload-offset using --align-payload.
Besides, I'd like to change cipher from aes-cbc-essiv:sha256 to
aes-xts-plain. (Key size is 256 bit on both.)
The source system is currently mounted, so my plan is to create a new
luks container (preferably using the same keyslots) and then just rsync
the data.
Cheers,
--leo
> On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
>> On 16.01.2013 19:50, .. ink .. wrote:
>>> Is it possible to move the passphrases from one luks container to a new
>>> one with different cipher, size and payload offset? (There is currently
>>> no data on the new container, I just want to keep the old passphrases.)
>>>
>>> any reason why you don't want to just add those old passphrases to the
>>> new container using "luksAddKey"?
>>
>> I'd like to transfer the key-slots so that the same passphrases can
>> be used to unlock them.
>> I don't know the passphrases. (Just one of them.)
>>
>> Cheers,
>> --leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 21:08 UTC (permalink / raw)
To: dm-crypt
On Wed, Jan 16, 2013 at 09:51:36PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 21:14, Arno Wagner wrote:
> >Any reason why you want to change the cipher? After all, you can
> >not enlarge the key and keep the keyslots.
> >
> >As to size, just enlarge the partition. Offset, I don't know,
> >but if you do not need to keep any data, just changing the
> >respective fields in the header should do it. But is there really
> >any reason to change the offset?
>
> The motivation behind this is because I'd like to migrate the data
> to another system using a different raid layout.
> To ensure correct data alignment with the new stripe size, I need to
> change the payload-offset using --align-payload.
Ah, that makes sense. However, do you actually need this
alignment? If your filesystem has, say, 4kB blocks and your
stripe-size is a multiple of that, it will be aligned anyways.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 21:29 UTC (permalink / raw)
To: Arno Wagner; +Cc: dm-crypt
On 16.01.2013 22:08, Arno Wagner wrote:
> On Wed, Jan 16, 2013 at 09:51:36PM +0100, Alexander 'Leo' Bergolth wrote:
>> On 16.01.2013 21:14, Arno Wagner wrote:
>>> Any reason why you want to change the cipher? After all, you can
>>> not enlarge the key and keep the keyslots.
>>>
>>> As to size, just enlarge the partition. Offset, I don't know,
>>> but if you do not need to keep any data, just changing the
>>> respective fields in the header should do it. But is there really
>>> any reason to change the offset?
>>
>> The motivation behind this is because I'd like to migrate the data
>> to another system using a different raid layout.
>> To ensure correct data alignment with the new stripe size, I need to
>> change the payload-offset using --align-payload.
>
> Ah, that makes sense. However, do you actually need this
> alignment? If your filesystem has, say, 4kB blocks and your
> stripe-size is a multiple of that, it will be aligned anyways.
Unfortunately this isn't easy to achieve if you are using raid5 or 6.
I am moving to a raid6 with 5 disks using 64k chunksize. 64k chunks
multiplied by the number of data bearing disks (3) results in a stripe
width of 192k (=384 blocks). Thus I guess I should use
--align-payload=384. The current setting is different and even the
default of 1MiB isn't a multiple of that value.
Anyway, is the migration of keyslots possible in my case?
Thanks,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 21:54 UTC (permalink / raw)
To: dm-crypt
On Wed, Jan 16, 2013 at 10:29:31PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 22:08, Arno Wagner wrote:
> >Ah, that makes sense. However, do you actually need this
> >alignment? If your filesystem has, say, 4kB blocks and your
> >stripe-size is a multiple of that, it will be aligned anyways.
>
> Unfortunately this isn't easy to achieve if you are using raid5 or 6.
> I am moving to a raid6 with 5 disks using 64k chunksize. 64k chunks
> multiplied by the number of data bearing disks (3) results in a
> stripe width of 192k (=384 blocks). Thus I guess I should use
> --align-payload=384. The current setting is different and even the
> default of 1MiB isn't a multiple of that value.
>
> Anyway, is the migration of keyslots possible in my case?
As Milan said, no.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
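
Added example (not part of the thread and not cryptsetup code): a minimal parser for the LUKS1 on-disk header that reads the fields discussed above (cipher, key size, payload offset, keyslots), checks the payload offset against the 64k x 3 stripe width, and lists which target parameters differ from those the existing keyslots were written under. The sample header is constructed in memory and the helper names are hypothetical.

```python
import struct

# LUKS1 on-disk header: big-endian, 208-byte fixed part + 8 keyslot descriptors of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
MAGIC, SLOT_ACTIVE, SLOT_DISABLED, SECTOR = b"LUKS\xba\xbe", 0x00AC71F3, 0x0000DEAD, 512

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Return the fields the thread talks about: cipher, key size, payload offset, keyslots."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated LUKS1 header")
    magic, version, cname, cmode, hspec, payload, key_bytes, *_ = PHDR.unpack_from(buf)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": state == SLOT_ACTIVE,
                      "key_material_sector": km_off, "stripes": stripes})
    return {"cipher": f"{_text(cname)}-{_text(cmode)}", "hash": _text(hspec),
            "payload_offset": payload, "key_bytes": key_bytes, "slots": slots}

def stripe_sectors(chunk_kib, data_disks):
    """Full-stripe width in 512-byte sectors, the unit --align-payload takes."""
    return chunk_kib * 1024 * data_disks // SECTOR

def payload_aligned(hdr, chunk_kib, data_disks):
    return hdr["payload_offset"] % stripe_sectors(chunk_kib, data_disks) == 0

def keyslot_reuse_blockers(hdr, new_cipher, new_key_bytes):
    """Target parameters that differ from the ones the existing keyslots were encrypted under."""
    blockers = []
    if hdr["cipher"] != new_cipher:
        blockers.append(f"cipher {hdr['cipher']} -> {new_cipher}")
    if hdr["key_bytes"] != new_key_bytes:
        blockers.append(f"key size {hdr['key_bytes']} -> {new_key_bytes} bytes")
    return blockers

def build_sample_header():
    """Constructed header (not from a real device): aes-cbc-essiv:sha256, 256-bit key, slots 0-1 active."""
    buf = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ACTIVE if i < 2 else SLOT_DISABLED
        buf += SLOT.pack(state, 1000, bytes(32), 8 + i * 256, 4000)
    return buf

if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher"], hdr["payload_offset"], payload_aligned(hdr, 64, 3))
    print("blockers:", keyslot_reuse_blockers(hdr, "aes-xts-plain", 32))
```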