* [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 18:34 UTC
To: dm-crypt

Hi!

Is it possible to move the passphrases from one luks container to a new
one with different cipher, size and payload offset? (There is currently
no data on the new container, I just want to keep the old passphrases.)

Do I need to transfer the master key and the key-slots or just the
key-slots?

Any hints?

Thanks,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: .. ink .. @ 2013-01-16 18:50 UTC
To: Alexander 'Leo' Bergolth; +Cc: dm-crypt

> Is it possible to move the passphrases from one luks container to a new
> one with different cipher, size and payload offset? (There is currently
> no data on the new container, I just want to keep the old passphrases.)

Any reason why you don't want to just add those old passphrases to the new
container using "luksAddKey"?

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 19:57 UTC
To: .. ink ..; +Cc: dm-crypt

On 16.01.2013 19:50, .. ink .. wrote:
> Is it possible to move the passphrases from one luks container to a new
> one with different cipher, size and payload offset? (There is currently
> no data on the new container, I just want to keep the old passphrases.)
>
> any reason why you don't want to just add those old passphrases to the
> new container using "luksAddKey"?

I'd like to transfer the key-slots so that the same passphrases can be
used to unlock them.
I don't know the passphrases. (Just one of them.)

Cheers,
--leo

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Milan Broz @ 2013-01-16 20:05 UTC
To: Alexander 'Leo' Bergolth; +Cc: dm-crypt

On 01/16/2013 08:57 PM, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 19:50, .. ink .. wrote:
>> Is it possible to move the passphrases from one luks container to a new
>> one with different cipher, size and payload offset? (There is currently
>> no data on the new container, I just want to keep the old passphrases.)
>>
>> any reason why you don't want to just add those old passphrases to the
>> new container using "luksAddKey"?
>
> I'd like to transfer the key-slots so that the same passphrases can be
> used to unlock them.
> I don't know the passphrases. (Just one of them.)

Then it is impossible (if you want to change encryption parameters and
master key).

New master key must be encrypted with the new algorithm and you cannot do
this for keyslots without passphrase knowledge for these keyslots.

Milan

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 20:14 UTC
To: dm-crypt

Hmm.

I don't think that is possible at the moment. The experimental
"cryptsetup-reencrypt" requires all passphrases that should remain
active.

Any reason why you want to change the cipher? After all, you can
not enlarge the key and keep the keyslots.

As to size, just enlarge the partition. Offset, I don't know,
but if you do not need to keep any data, just changing the
respective fields in the header should do it. But is there really
any reason to change the offset?

Arno

On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 19:50, .. ink .. wrote:
> > Is it possible to move the passphrases from one luks container to a new
> > one with different cipher, size and payload offset? (There is currently
> > no data on the new container, I just want to keep the old passphrases.)
> >
> > any reason why you don't want to just add those old passphrases to the
> > new container using "luksAddKey"?
>
> I'd like to transfer the key-slots so that the same passphrases can
> be used to unlock them.
> I don't know the passphrases. (Just one of them.)
>
> Cheers,
> --leo

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG:  ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 20:19 UTC
To: dm-crypt

Come to think of it, here is a very dirty way to do this:
Have the people accessing this map the old container (header+
keyslot area is enough, use, e.g. a loop file), then read the
master key (see FAQ) and use that in a script to open your
second (new) container.

A bit like "decrypt-derived". And a possible nightmare to
maintain ;-)

Arno

On Wed, Jan 16, 2013 at 09:14:55PM +0100, Arno Wagner wrote:
> Hmm.
>
> I don't think that is possible at the moment. The experimental
> "cryptsetup-reencrypt" requires all passphrases that should remain
> active.
>
> Any reason why you want to change the cipher? After all, you can
> not enlarge the key and keep the keyslots.
>
> As to size, just enlarge the partition. Offset, I don't know,
> but if you do not need to keep any data, just changing the
> respective fields in the header should do it. But is there really
> any reason to change the offset?
>
> Arno
>
> On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
> > On 16.01.2013 19:50, .. ink .. wrote:
> > > Is it possible to move the passphrases from one luks container to a new
> > > one with different cipher, size and payload offset? (There is currently
> > > no data on the new container, I just want to keep the old passphrases.)
> > >
> > > any reason why you don't want to just add those old passphrases to the
> > > new container using "luksAddKey"?
> >
> > I'd like to transfer the key-slots so that the same passphrases can
> > be used to unlock them.
> > I don't know the passphrases. (Just one of them.)
> >
> > Cheers,
> > --leo

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Milan Broz @ 2013-01-16 20:33 UTC
To: dm-crypt

On 01/16/2013 09:19 PM, Arno Wagner wrote:
> Come to think of it, here is a very dirty way to do this:
> Have the people accessing this map the old container (header+
> keyslot area is enough, use, e.g. a loop file), then read the
> master key (see FAQ) and use that in a script to open your
> second (new) container.

And what to do if the master key is longer for the new container?

No, really, LUKS is a simple standard for a reason :)
The master key in keyslot is always encrypted with the same algorithm
as the data.

cryptsetup-reencrypt requires entering all passphrases or alternatively
use only one (destroying others) and allow add them later.

Surely we can create some "hack" script, but then I would expect
people doing this exactly understand (not only security) consequences.

Milan

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 20:51 UTC
To: Arno Wagner; +Cc: dm-crypt

On 16.01.2013 21:14, Arno Wagner wrote:
> Any reason why you want to change the cipher? After all, you can
> not enlarge the key and keep the keyslots.
>
> As to size, just enlarge the partition. Offset, I don't know,
> but if you do not need to keep any data, just changing the
> respective fields in the header should do it. But is there really
> any reason to change the offset?

The motivation behind this is because I'd like to migrate the data to
another system using a different raid layout.
To ensure correct data alignment with the new stripe size, I need to
change the payload-offset using --align-payload.

Besides, I'd like to change cipher from aes-cbc-essiv:sha256 to
aes-xts-plain. (Key size is 256 bit on both.)

The source system is currently mounted, so my plan is to create a new
luks container (preferably using the same keyslots) and then just rsync
the data.

Cheers,
--leo

> On Wed, Jan 16, 2013 at 08:57:47PM +0100, Alexander 'Leo' Bergolth wrote:
>> On 16.01.2013 19:50, .. ink .. wrote:
>>> Is it possible to move the passphrases from one luks container to a new
>>> one with different cipher, size and payload offset? (There is currently
>>> no data on the new container, I just want to keep the old passphrases.)
>>>
>>> any reason why you don't want to just add those old passphrases to the
>>> new container using "luksAddKey"?
>>
>> I'd like to transfer the key-slots so that the same passphrases can
>> be used to unlock them.
>> I don't know the passphrases. (Just one of them.)
>>
>> Cheers,
>> --leo

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 21:08 UTC
To: dm-crypt

On Wed, Jan 16, 2013 at 09:51:36PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 21:14, Arno Wagner wrote:
> >Any reason why you want to change the cipher? After all, you can
> >not enlarge the key and keep the keyslots.
> >
> >As to size, just enlarge the partition. Offset, I don't know,
> >but if you do not need to keep any data, just changing the
> >respective fields in the header should do it. But is there really
> >any reason to change the offset?
>
> The motivation behind this is because I'd like to migrate the data
> to another system using a different raid layout.
> To ensure correct data alignment with the new stripe size, I need to
> change the payload-offset using --align-payload.

Ah, that makes sense. However, do you actually need this
alignment? If your filesystem has, say, 4kB blocks and your
stripe-size is a multiple of that, it will be aligned anyways.

Arno

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Alexander 'Leo' Bergolth @ 2013-01-16 21:29 UTC
To: Arno Wagner; +Cc: dm-crypt

On 16.01.2013 22:08, Arno Wagner wrote:
> On Wed, Jan 16, 2013 at 09:51:36PM +0100, Alexander 'Leo' Bergolth wrote:
>> On 16.01.2013 21:14, Arno Wagner wrote:
>>> Any reason why you want to change the cipher? After all, you can
>>> not enlarge the key and keep the keyslots.
>>>
>>> As to size, just enlarge the partition. Offset, I don't know,
>>> but if you do not need to keep any data, just changing the
>>> respective fields in the header should do it. But is there really
>>> any reason to change the offset?
>>
>> The motivation behind this is because I'd like to migrate the data
>> to another system using a different raid layout.
>> To ensure correct data alignment with the new stripe size, I need to
>> change the payload-offset using --align-payload.
>
> Ah, that makes sense. However, do you actually need this
> alignment? If your filesystem has, say, 4kB blocks and your
> stripe-size is a multiple of that, it will be aligned anyways.

Unfortunately this isn't easy to achieve if you are using raid5 or 6.
I am moving to a raid6 with 5 disks using 64k chunksize. 64k chunks
multiplied by the number of data bearing disks (3) results in a stripe
width of 192k (=384 blocks). Thus I guess I should use
--align-payload=384. The current setting is different and even the
default of 1MiB isn't a multiple of that value.

Anyway, is the migration of keyslots possible in my case?

Thanks,
--leo

* Re: [dm-crypt] migrate luks key-slots to another luks container
From: Arno Wagner @ 2013-01-16 21:54 UTC
To: dm-crypt

On Wed, Jan 16, 2013 at 10:29:31PM +0100, Alexander 'Leo' Bergolth wrote:
> On 16.01.2013 22:08, Arno Wagner wrote:
> >Ah, that makes sense. However, do you actually need this
> >alignment? If your filesystem has, say, 4kB blocks and your
> >stripe-size is a multiple of that, it will be aligned anyways.
>
> Unfortunately this isn't easy to achieve if you are using raid5 or 6.
> I am moving to a raid6 with 5 disks using 64k chunksize. 64k chunks
> multiplied by the number of data bearing disks (3) results in a
> stripe width of 192k (=384 blocks). Thus I guess I should use
> --align-payload=384. The current setting is different and even the
> default of 1MiB isn't a multiple of that value.
>
> Anyway, is the migration of keyslots possible in my case?

As Milan said, no.

Arno

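
Added example (not part of the thread and not cryptsetup's code): a minimal LUKS1 header parser run over two constructed headers. It shows that cipher, mode, hash and key size are header-wide fields that every keyslot depends on, which is why the slots cannot simply be copied across, and it checks the payload offset against the 384-sector stripe width from the thread. Payload offsets, slot counts, salts and the UUID are constructed sample values; `keyslot_reuse_blockers` and `payload_aligned` are hypothetical helper names.

```python
import struct

# LUKS1 on-disk header (phdr): big-endian, 208 bytes of fields + 8 x 48-byte slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, key-material offset, stripes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(buf):
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, _mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != b"LUKS\xba\xbe" or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = [SLOT.unpack_from(buf, PHDR.size + i * SLOT.size) for i in range(8)]
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "payload_offset": payload_offset, "key_bytes": key_bytes,
            "uuid": _text(uuid),
            "active_slots": [i for i, s in enumerate(slots) if s[0] == SLOT_ENABLED]}

def keyslot_reuse_blockers(old, new):
    """Header-wide fields that shape every keyslot's key material and differ.

    An empty list is necessary but not sufficient: the master key must be the
    same too, and a freshly formatted container gets a new random one.
    """
    return [f for f in ("cipher", "mode", "hash", "key_bytes") if old[f] != new[f]]

def payload_aligned(hdr, stripe_sectors):
    """True if the payload starts on a stripe boundary (units: 512-byte sectors)."""
    return hdr["payload_offset"] % stripe_sectors == 0

def build_header(mode, payload_offset, active):
    """Constructed sample header; digest, salts and UUID are dummy values."""
    buf = PHDR.pack(b"LUKS\xba\xbe", 1, b"aes", mode, b"sha1", payload_offset,
                    32, b"\xaa" * 20, b"\x01" * 32, 1000, b"constructed-uuid")
    for i in range(8):
        state = SLOT_ENABLED if i in active else SLOT_DISABLED
        buf += SLOT.pack(state, 1000, b"\x02" * 32, 8 + i * 256, 4000)
    return buf

# Cipher modes and key size are from the thread; offsets and slot usage are constructed.
OLD = parse_luks1(build_header(b"cbc-essiv:sha256", 2056, {0, 1, 2}))
NEW = parse_luks1(build_header(b"xts-plain", 2304, {0}))
STRIPE_SECTORS = 3 * 64 * 1024 // 512  # 3 data disks x 64k chunks = 384 sectors

if __name__ == "__main__":
    print("old active slots:", OLD["active_slots"])
    print("keyslot reuse blocked by:", keyslot_reuse_blockers(OLD, NEW))
    print("old payload aligned:", payload_aligned(OLD, STRIPE_SECTORS))
    print("new payload aligned:", payload_aligned(NEW, STRIPE_SECTORS))
```

On a real device the same fields can be read with `cryptsetup luksDump`; the parser above only makes the layout explicit.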