From: Milan Broz
Date: Wed, 16 Jan 2013 21:33:49 +0100
Subject: Re: [dm-crypt] migrate luks key-slots to another luks container
To: dm-crypt@saout.de

On 01/16/2013 09:19 PM, Arno Wagner wrote:
> Come to think of it, here is a very dirty way to do this:
> Have the people accessing this map the old container (header +
> keyslot area is enough; use, e.g., a loop file), then read the
> master key (see FAQ) and use that in a script to open your
> second (new) container.

And what to do if the master key is longer for the new container?

No, really, LUKS is a simple standard for a reason :)
The master key in a keyslot is always encrypted with the same algorithm as the data.

cryptsetup-reencrypt requires entering all passphrases, or alternatively using only one (destroying the others) and allowing them to be added later.

Surely we can create some "hack" script, but then I would expect people doing this to understand the (not only security) consequences exactly.

Milan
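The objection above (a master key dumped from one container is only usable in another if the cipher, mode and key length agree) can be turned into a precondition check before anyone tries the "dirty way". The following is an added example, not code from this thread or from the cryptsetup project: it parses the "Cipher name", "Cipher mode" and "MK bits" fields of `cryptsetup luksDump` output for two LUKS1 headers and refuses when they differ. The sample dump texts are constructed for offline testing; the function names, the hex-to-raw conversion sketched in the trailing comment, and the assumption that the new container was created with a matching key length are all this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from cryptsetup):
# check that two LUKS1 headers use the same data-encryption parameters
# before reusing a master key dumped from the old one to open the new one.

# luks_field DUMP_TEXT FIELD
# Print the value of a "Field:   value" line from `cryptsetup luksDump` text.
luks_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# luks_mk_compatible OLD_DUMP NEW_DUMP
# Return 0 when cipher name, cipher mode and master-key length agree,
# otherwise report every mismatch on stderr and return 1.
luks_mk_compatible() {
    old="$1"
    new="$2"
    rc=0
    for f in "Cipher name" "Cipher mode" "MK bits"; do
        a=$(luks_field "$old" "$f")
        b=$(luks_field "$new" "$f")
        if [ "$a" != "$b" ]; then
            printf 'mismatch on %s: old=%s new=%s\n' "$f" "$a" "$b" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dumps (not real headers), in the LUKS1 luksDump layout.
OLD_DUMP='LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      00 11 22 33
'

# Same parameters as OLD_DUMP: reusing the master key is at least possible.
NEW_DUMP_SAME='LUKS header information for /dev/loop1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      44 55 66 77
'

# Longer master key: exactly the case Milan raises; the check must refuse.
NEW_DUMP_DIFF='LUKS header information for /dev/loop2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      88 99 aa bb
'

# Stand-alone demonstration on the constructed dumps.
luks_mk_compatible "$OLD_DUMP" "$NEW_DUMP_SAME" && echo "loop1: parameters match"
luks_mk_compatible "$OLD_DUMP" "$NEW_DUMP_DIFF" || echo "loop2: refusing to reuse master key"

# Real use (root, two header devices; assumed flow, not run here):
#   luks_mk_compatible "$(cryptsetup luksDump /dev/old)" \
#                      "$(cryptsetup luksDump /dev/new)" || exit 1
#   cryptsetup luksDump --dump-master-key /dev/old   # prints the key as hex
#   # convert the "MK dump:" hex lines to a raw key file (same bit length),
#   # then: cryptsetup luksOpen --master-key-file mk.bin /dev/new newname
```

The check only establishes that the key *could* be reused; it does nothing about the other consequence Milan points to, which is that whoever runs this script has the plaintext master key on disk or in a shell variable, so the key file must be shredded afterwards and the new container's own keyslots should be set up through the normal passphrase path once it is open.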