From f25a1c92ece5336fdeb938088e3302453d7b59ed Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Tue, 16 Feb 2021 17:08:53 +0100 Subject: [PATCH] Prefer default cipher when reencrypting cipher_null device. By default when reencrypting LUKS2 device we regenerate only the volume key. But if the device was 'encrypted' by cipher_null this change did not make sense. The key was always empty. Change the behaviour so that unless user specifies --cipher parameter on command line, we change data encryption cipher to default when old segment cipher was cipher_null.
---
 src/cryptsetup.c | 5 +++++ tests/luks2-reencryption-test | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index bf8bf278..9366f806 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -3194,6 +3194,11 @@ static int action_reencrypt_luks2(struct crypt_device *cd)
 _set_reencryption_flags(¶ms.flags);
+ if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
+ opt_cipher = strdup(DEFAULT_CIPHER(LUKS1));
+ log_std(_("Switching data encryption cipher to %s.\n"), opt_cipher);
+ }
+
 if (!opt_cipher) {
 strncpy(cipher, crypt_get_cipher(cd), MAX_CIPHER_LEN - 1);
 strncpy(mode, crypt_get_cipher_mode(cd), MAX_CIPHER_LEN - 1);
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 353085ad..014330cd 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
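Review bot: The `strdup()` result in the added block of `action_reencrypt_luks2()` is used unchecked, and a NULL there fails open: `log_std()` gets a NULL `%s` argument, and the `if (!opt_cipher)` branch that follows then copies the device's current cipher, so the reencryption would keep cipher_null even though the switch was intended. Add `if (!opt_cipher) return -ENOMEM;` directly after the `strdup()` line, or route it through the function's own error path, which lies outside this hunk. A short comment such as `/* cipher_null gives no confidentiality; move to the compiled-in default unless --cipher was given */` would also record why the LUKS1 default macro is applied to a LUKS2 device. Whether the volume key size is moved to a default as well is decided outside the hunk and is worth confirming, since a key size chosen for cipher_null may not suit the new cipher.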
@@ -1406,9 +1406,9 @@ $CRYPTSETUP close $DEV_NAME
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
 $CRYPTSETUP convert -q --type luks2 $DEV || fail
 wipe $PWD1
-echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
 check_hash $PWD1 $HASH1
-# both keyslot and segment cipher must not be null
+# both keyslot and segment cipher must not be null after reencryption with default params
 $CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
 remove_mapping
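Review bot: The only assertion left after the default-parameter reencrypt is negative: `$CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail` also passes when `luksDump` prints nothing, so the test never shows that the data segment actually moved to the default cipher. With stdout now sent to /dev/null, the new "Switching data encryption cipher" message is not checked either. Consider matching that output instead of discarding it, e.g. `echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON | grep -q "Switching data encryption cipher" || fail`; the `check_hash` line that follows presumably still catches a failed reencrypt run. A positive match on the dumped cipher name would be stronger still, but the default is a build-time setting, so the expected name should not be hard-coded.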