* reencryption with multi keyslots in batch mode
@ 2026-06-03 12:43 Frederic Hoerni
2026-06-08 9:55 ` Ondrej Kozina
0 siblings, 1 reply; 2+ messages in thread
From: Frederic Hoerni @ 2026-06-03 12:43 UTC
To: cryptsetup
Hello,
If we want to reencrypt a disk that has several keyslots (main and
recovery keyslots), I believe the only way is to do it in interactive mode.
But in some cases, we would like to do this in batch mode. We could
imagine a scenario like this:
1. Setup of the use case (no modification of cryptsetup needed so far)
# Initialize LUKS container
dd if=/dev/zero count=200 of=disk.img bs=1M
echo 0000 | sudo cryptsetup luksFormat --keyfile-size 4 \
    --key-file - \
    disk.img
# Add two keyslots
echo -n 0000x111111 | cryptsetup luksAddKey --key-file - \
    --keyfile-size 4 \
    disk.img
echo -n 0000222 | cryptsetup luksAddKey --key-file - \
    --keyfile-size 4 \
    disk.img
2. Reencryption (this step needs modification of cryptsetup)
echo -n 0000x111111222 | \
    sudo cryptsetup reencrypt --key-file - \
    --keypipe-sizes "4,7,3" \
    --batch-mode \
    --force-offline-reencrypt \
    disk.img
3. Verify all keyslots
for passphrase in 0000 x111111 222; do
    echo -n "$passphrase" | cryptsetup open disk.img --test-passphrase \
        --key-file -
done
Do you have any ongoing work in this direction?
Are you open to contributions for that? (I already have a proof of
concept for the above scenario)
Do you have any particular caveats about developing this feature?
Thank you
Frederic
* Re: reencryption with multi keyslots in batch mode
@ 2026-06-08 9:55 ` Ondrej Kozina
From: Ondrej Kozina @ 2026-06-08 9:55 UTC
To: cryptsetup; +Cc: Frederic Hoerni
Hi,
On 03/06/2026 14:43, Frederic Hoerni wrote:
> Hello,
>
> If we want to reencrypt a disk that has several keyslots (main and
> recovery keyslots), I believe the only way is to do it in interactive mode.
Correct.
>
> But in some cases, we would like to do this in batch mode. We could
> imagine a scenario like this:
>
> 1. Setup of the use case (no modification of cryptsetup needed so far)
>
> # Initialize LUKS container
> dd if=/dev/zero count=200 of=disk.img bs=1M
> echo 0000 | sudo cryptsetup luksFormat --keyfile-size 4 \
>     --key-file - \
>     disk.img
> # Add two keyslots
> echo -n 0000x111111 | cryptsetup luksAddKey --key-file - \
>     --keyfile-size 4 \
>     disk.img
> echo -n 0000222 | cryptsetup luksAddKey --key-file - \
>     --keyfile-size 4 \
>     disk.img
>
>
> 2. Reencryption (this step needs modification of cryptsetup)
>
> echo -n 0000x111111222 | \
>     sudo cryptsetup reencrypt --key-file - \
>     --keypipe-sizes "4,7,3" \
>     --batch-mode \
>     --force-offline-reencrypt \
>     disk.img
>
> 3. Verify all keyslots
>
> for passphrase in 0000 x111111 222; do
>     echo -n "$passphrase" | cryptsetup open disk.img --test-passphrase \
>         --key-file -
> done
>
> Do you have any ongoing work in this direction?
No, currently I do not have any plans.
> Are you open to contributions for that? (I already have a proof of
> concept for the above scenario)
Of course! As with any other open source project, feel free to contribute
via a merge request at https://gitlab.com/cryptsetup/cryptsetup
> Do you have any particular caveats about developing this feature?
Me personally, I'd probably go with dropping the additional keyslots for
the time of reencryption. The reencryption performance is more or less
dependent on free space in the LUKS2 header keyslots area. The only
exception to this rule is reencryption with datashift (the reencrypt
--encrypt --reduce-device-size XXX command, for example).
And you can recreate the additional (or recovery?) keyslots after the
reencryption operation is completed.
With kind regards
O. Kozina
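As an added example (not code from the thread, from cryptsetup, or from either poster), the following POSIX shell script ties the two messages together. `split_keypipe` implements the size-list splitting that the proposed `--keypipe-sizes "4,7,3"` option would do inside cryptsetup, refusing a size list that does not add up to the piped input, and `reencrypt_keeping_slots` performs the batch reencryption with an unmodified cryptsetup along the lines of the reply: remove the extra keyslots, reencrypt with the remaining one, add the others back, re-checking every passphrase before and after. The function names, the size-list convention, and the assumption that passphrases are ASCII without newlines are this example's own; the `--keyfile-size` stdin trick for `luksAddKey` is the one from the thread's setup step.

```shell
#!/bin/sh
# Added example for this thread; not cryptsetup code.  Assumes a LUKS2
# image or device (IMAGE), ASCII passphrases with no newline, passed as one
# concatenated blob plus a comma-separated size list (the --keypipe-sizes
# convention proposed in the first message), and a cryptsetup that already
# knows reencrypt --force-offline-reencrypt.

# split_keypipe BLOB SIZES
# Cuts BLOB into pieces of the given sizes, one per output line.  Fails if
# a size is not a positive integer or the sizes do not add up to the blob
# length: a mismatch would silently shift every following passphrase.
split_keypipe() {
    blob=$1
    sizes=$(printf '%s' "$2" | tr ',' ' ')
    total=0
    for size in $sizes; do
        case $size in
            ''|*[!0-9]*) echo "split_keypipe: bad size '$size'" >&2; return 1 ;;
        esac
        [ "$size" -gt 0 ] || { echo "split_keypipe: zero size" >&2; return 1; }
        total=$((total + size))
    done
    if [ "$total" -ne "${#blob}" ]; then
        echo "split_keypipe: sizes sum to $total but input is ${#blob} bytes" >&2
        return 1
    fi
    offset=0
    for size in $sizes; do
        printf '%s\n' "$blob" | cut -c "$((offset + 1))-$((offset + size))"
        offset=$((offset + size))
    done
}

# reencrypt_keeping_slots IMAGE BLOB SIZES
# Batch reencryption with today's cryptsetup: the first passphrase keeps
# its keyslot, the others are removed for the duration of the reencryption
# and re-added afterwards.  Needs write access to IMAGE (root for a block
# device).  If step 3 fails, the extra passphrases are still known to the
# caller and can be re-added by hand.
reencrypt_keeping_slots() {
    image=$1
    blob=$2
    sizes=$3
    split_keypipe "$blob" "$sizes" > /dev/null || return 1
    # Load the passphrases into $1.. (newline-separated, globbing off).
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(split_keypipe "$blob" "$sizes")
    set +f
    IFS=$old_ifs
    main=$1
    shift

    # 1. Refuse to touch the header unless every passphrase unlocks it now.
    for pw in "$main" "$@"; do
        printf '%s' "$pw" | cryptsetup open --test-passphrase --key-file - "$image" \
            || { echo "a passphrase does not unlock $image; header untouched" >&2; return 1; }
    done
    # 2. Drop the extra keyslots so the reencryption has the keyslot area free.
    for pw in "$@"; do
        printf '%s' "$pw" | cryptsetup luksRemoveKey --key-file - "$image" || return 1
    done
    # 3. Offline, non-interactive reencryption unlocked by the remaining slot.
    printf '%s' "$main" | cryptsetup reencrypt --batch-mode --force-offline-reencrypt \
        --key-file - "$image" || return 1
    # 4. Re-add the extras: --keyfile-size limits the existing passphrase to
    #    the first bytes of stdin; the new passphrase is read from the rest.
    for pw in "$@"; do
        printf '%s%s' "$main" "$pw" | cryptsetup luksAddKey --key-file - \
            --keyfile-size "${#main}" "$image" || return 1
    done
    # 5. Final check: every original passphrase still opens the header.
    for pw in "$main" "$@"; do
        printf '%s' "$pw" | cryptsetup open --test-passphrase --key-file - "$image" || return 1
    done
}

# Usage: ./reencrypt-batch.sh disk.img 0000x111111222 4,7,3
if [ "$#" -eq 3 ]; then
    reencrypt_keeping_slots "$1" "$2" "$3"
fi
```

The length check in `split_keypipe` is the part worth keeping even if cryptsetup grows a native option: a size list that is one byte off would not fail loudly but would re-add the wrong passphrases in step 4, which is the kind of silent header damage a batch job must never cause.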