Message-ID: <50C755B0.8070902@gmail.com>
Date: Tue, 11 Dec 2012 16:48:00 +0100
From: Milan Broz
Subject: Re: [dm-crypt] How to increase key size of existing volume
To: Erik Logtenberg
Cc: dm-crypt@saout.de
In-Reply-To: <50C75290.1060003@logtenberg.eu>
References: <50C7473B.5090208@logtenberg.eu> <20121211150918.GB2194@tansi.org> <50C75290.1060003@logtenberg.eu>

On 12/11/2012 04:34 PM, Erik Logtenberg wrote:
> So there are at least two methods of extracting a master key. Now if I
> suspected that a machine that has a LUKS volume mounted was
> compromised to the extent that someone had temporarily gained root
> access, I would not only have to reset (all) passwords after fixing the
> security hole, but also I would have to create a new master key to be sure.

So the attacker already had access to your mounted backup in plaintext and
could change anything there.

>
> Is the cryptsetup-reencrypt tool also meant for that purpose?

Yes, in fact changing the volume (master) key was the primary use for it.

Read http://asalor.blogspot.cz/2012/08/re-encryption-of-luks-device-cryptsetup.html

(But always be sure you have a backup. Backup of backup in your case :)

Milan
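A verification step that follows from this thread, as an added example that is not part of the original message or of cryptsetup itself: parse two `cryptsetup luksDump` captures, one taken before and one after running cryptsetup-reencrypt, and confirm that the master-key (MK) digest really changed while the header UUID survived. The dump text is a constructed LUKS1-style sample; its digest, salt and UUID values are made up.

```python
import re

# Constructed sample of `cryptsetup luksDump` output (LUKS1 layout) captured
# before re-encryption; every digest, salt and UUID value here is made up.
DUMP_BEFORE = """\
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
MK bits:        256
MK digest:      11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
MK salt:        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
                02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
MK iterations:  31625
UUID:           0f3c1d2e-0000-4000-8000-000000000001

Key Slot 0: ENABLED
        Key material offset:    8
Key Slot 1: DISABLED
"""
# Constructed "after" dump: re-encryption installs a fresh master key, so the
# MK digest differs while the UUID and slot layout are kept in this sample.
DUMP_AFTER = DUMP_BEFORE.replace(
    "11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44",
    "a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 b0 b1 b2 b3 b4 b5 b6 b7 b8 b9")

def parse_luks_dump(text: str) -> dict:
    """Return the top-level header fields plus the list of ENABLED key slots."""
    hdr = {"enabled_slots": []}
    for line in text.splitlines():
        if not line or line[0].isspace():     # blank or per-slot detail line
            continue
        m = re.match(r"Key Slot (\d+):\s+(ENABLED|DISABLED)", line)
        if m:
            if m.group(2) == "ENABLED":
                hdr["enabled_slots"].append(int(m.group(1)))
            continue
        m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
        if m:
            hdr[m.group(1)] = m.group(2).strip()
    # Normalise the digest to a plain lower-case hex string for comparison.
    hdr["MK digest"] = hdr["MK digest"].replace(" ", "").lower()
    return hdr

def master_key_rotated(before: str, after: str) -> dict:
    """Compare a before/after pair: the MK digest must differ, the UUID should match."""
    b, a = parse_luks_dump(before), parse_luks_dump(after)
    return {"digest_changed": b["MK digest"] != a["MK digest"],
            "uuid_kept": b["UUID"] == a["UUID"], "slots_after": a["enabled_slots"]}
```

Run `cryptsetup luksDump` on the device before and after the re-encryption and feed both captures to `master_key_rotated`; a result with `digest_changed` false means the old master key is still in use.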