add warning to order luksChangeKey and reencrypt

This commit is contained in:
Jan Zerebecki
2024-09-26 16:09:49 +02:00
committed by Milan Broz
parent 31bf986084
commit 3c00305156
2 changed files with 7 additions and 0 deletions

@@ -34,6 +34,10 @@ been wiped and make the LUKS container inaccessible. LUKS2 mitigates
that by never overwriting existing keyslot area as long as there's
a free space in keyslots area at least for one more LUKS2 keyslot.
*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g.
to recover from a leak) you need to use them in that order to not leak
the new volume key.
*NOTE:* some parameters are effective only if used with LUKS2 format
that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
algorithm is always the same for all keyslots.
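
Review bot: The added WARNING says "in that order", but the order is only implied by the sequence in which the two command names appear; spell it out, for example "run luksChangeKey first and reencrypt afterwards". It also says "a leak" without stating what leaked or why the reverse order would expose the new volume key, so a reader cannot tell whether the warning applies to their situation. One added clause giving the reason would fix that.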

@@ -34,6 +34,9 @@ You can regenerate *volume key* (the real key used in on-disk encryption
unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size*
(LUKS2 only).
*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g. to recover
from a leak) you need to use them in that order to not leak the new volume key.
Reencryption process may be safely interrupted by a user via SIGINT
signal (ctrl+c). Same applies to SIGTERM signal (i.e. issued by systemd
during system shutdown).
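
Review bot: The WARNING in this hunk names only "the new volume key" as what is at risk, while the sentence just above it lists cipher, cipher mode and encryption sector size as other things reencrypt can change; say whether the ordering requirement applies to every reencrypt run or only when the volume key is regenerated. Because this copy is read by someone about to run reencrypt, it would also be clearer to address that reader directly, for example "run luksChangeKey before reencrypt", than to rely on "in that order".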