Cryptsetup development
From: Ondrej Kozina <okozina@redhat.com>
To: cryptsetup@lists.linux.dev
Cc: Frederic Hoerni <frederic.hoerni@canonical.com>
Subject: Re: reencryption with multi keyslots in batch mode
Date: Mon, 8 Jun 2026 11:55:00 +0200	[thread overview]
Message-ID: <b5e88240-b51b-4d6b-9eff-cda79448fc27@redhat.com> (raw)
In-Reply-To: <ac44ad4e-e9ec-4ab4-ac8d-6b545ece7d2d@canonical.com>

Hi,

On 03/06/2026 14:43, Frederic Hoerni wrote:
> Hello,
> 
> If we want to reencrypt a disk that has several keyslots (main and
> recovery keyslots), I believe the only way is to do it in interactive mode.

Correct.

> 
> But in some cases, we would like to do this in batch mode. We could
> imagine a scenario like this:
> 
> 1. Setup of the use case (no modification of cryptsetup needed so far)
> 
> # Initialize LUKS container
> dd if=/dev/zero count=200 of=disk.img bs=1M
> echo 0000 | sudo cryptsetup luksFormat --keyfile-size 4 \
>                                          --key-file - \
>                                          disk.img
> # Add two keyslots
> echo -n 0000x111111 | cryptsetup luksAddKey --key-file - \
>                                               --keyfile-size 4 \
>                                               disk.img
> echo -n 0000222     | cryptsetup luksAddKey --key-file - \
>                                               --keyfile-size 4 \
>                                               disk.img
> 
> 
> 2. Reencryption (this step needs modification of cryptsetup)
> 
> echo -n 0000x111111222 | \
>       sudo cryptsetup reencrypt --key-file - \
>                                 --keypipe-sizes "4,7,3" \
>                                 --batch-mode \
>                                 --force-offline-reencrypt \
>                                 disk.img
> 
> 3. Verify all keyslots
> 
> for passphrase in 0000 x111111 222; do
>       echo -n $passphrase | cryptsetup open disk.img --test-passphrase \
>                                                      --key-file -
> done
> 
> Do you have any on-going work in this direction?

No, currently I do not have any plans.

> Are you open to contribution for that? (I already have a proof of
> concept for the above scenario)

Of course! As with any other open source project feel free to contribute 
via a merge request in https://gitlab.com/cryptsetup/cryptsetup

> Do you have any particular caveat about developing this feature?

Me personally, I'd probably go with dropping the additional keyslots for 
the time of reencryption. The reencryption performance is more or less 
dependent on free space in the LUKS2 header keyslots area. The only 
exception to this rule is reencryption with datashift (the reencrypt 
--encrypt --reduce-device-size XXX command, for example).

And you can recreate additional (or recovery?) keyslots after the 
reencryption operation is completed.

With kind regards
O. Kozina
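
The workflow Kozina suggests (drop the extra keyslots for the duration of the reencryption, reencrypt in batch mode with the single remaining slot, recreate the slots afterwards), as an added shell example that is not from the thread or from the cryptsetup project: split_keypipe does the splitting the proposed --keypipe-sizes option would do, and reencrypt_keeping_one_slot drives stock cryptsetup commands with it. Assumptions: cryptsetup 2.4 or newer (for --force-offline-reencrypt), the disk.img layout from step 1 above, and passphrases without whitespace.

```sh
#!/bin/sh
set -eu

# split_keypipe PIPE SIZES: print one passphrase per line, cutting PIPE at the
# comma-separated byte lengths in SIZES (the split --keypipe-sizes proposes).
# Fails if the lengths do not add up, so a typo cannot hand cryptsetup a
# truncated passphrase.
split_keypipe() {
    pipe=$1
    total=0
    for n in $(printf '%s' "$2" | tr ',' ' '); do total=$((total + n)); done
    if [ "$total" -ne "${#pipe}" ]; then
        echo "split_keypipe: sizes sum to $total, pipe has ${#pipe} bytes" >&2
        return 1
    fi
    offset=1
    for n in $(printf '%s' "$2" | tr ',' ' '); do
        end=$((offset + n - 1))
        printf '%s' "$pipe" | cut -c "$offset-$end"
        offset=$((end + 1))
    done
}

# reencrypt_keeping_one_slot IMG PIPE SIZES, e.g. disk.img 0000x111111222 4,7,3
reencrypt_keeping_one_slot() {
    img=$1
    keep=$(split_keypipe "$2" "$3" | sed -n 1p)  # passphrase of the slot that stays
    others=$(split_keypipe "$2" "$3" | sed 1d)   # slots dropped for the duration
    keeplen=${3%%,*}
    # 1. Remove the extra keyslots (frees keyslot area, which reencryption speed
    #    depends on); luksRemoveKey deletes the slot matching the passphrase.
    for p in $others; do
        printf '%s' "$p" | cryptsetup luksRemoveKey --key-file - "$img"
    done
    # 2. With one keyslot left, batch-mode offline reencryption has nothing to ask.
    printf '%s' "$keep" | cryptsetup reencrypt --key-file - --batch-mode \
        --force-offline-reencrypt "$img"
    # 3. Recreate the slots with the thread's stdin trick: the first $keeplen
    #    bytes unlock the kept slot, the rest becomes the new passphrase.
    for p in $others; do
        printf '%s%s' "$keep" "$p" | cryptsetup luksAddKey --key-file - \
            --keyfile-size "$keeplen" "$img"
    done
    # 4. Check that every passphrase opens the container again.
    for p in $keep $others; do
        printf '%s' "$p" | cryptsetup open --test-passphrase --key-file - "$img"
    done
}

if [ "$#" -eq 3 ]; then reencrypt_keeping_one_slot "$1" "$2" "$3"; fi
```

Passphrases given as command-line arguments are visible to other local users in the process list, so in practice read the pipe from a file with restrictive permissions rather than passing it as an argument.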

