eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-12 11:20:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca0c9c765ec11673cd80def7cc0b39ed52c8b087
cryptsetup/man/cryptsetup-luksChangeKey.8.adoc
Ondrej Kozina ca0c9c765e Avoid overwritting LUKS2 keyslot area if possible. 
With LUKS2 crypt_keyslot_change_by_passphrase() call
does not have to overwrite binary keyslot
area in-place when user asked for specific keyslot id.

If there's enough free space in keyslot binary area
we can write new keyslot material in the the free area
(identified temporarily by new keyslot id) and switch
pointers (json metadata) to point to the new keyslot area after
the keyslot area write is complete. The old keyslot
area gets deleted after the new area write is finished.

Otherwise we needlesly risk to lose the existing keyslot
if the operation gets interupted.

With this patch LUKS2 crypt_keyslot_change_by_passphrase()
overwrites existing keyslot (including keyslot area)
only if there's no free space and therefore in-place update
is necessary.

Fixes: #839.
2023-09-29 11:30:53 +02:00

49 lines
1.9 KiB
Plaintext
Raw Blame History

= cryptsetup-luksChangeKey(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSCHANGEKEY:
== Name
cryptsetup-luksChangeKey - change an existing passphrase
== SYNOPSIS
*cryptsetup _luksChangeKey_ [<options>] <device> [<new key file>]*
== DESCRIPTION
Changes an existing passphrase. The passphrase to be changed must be
supplied interactively or via --key-file. The new passphrase can be
supplied interactively or in a file given as the positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that
key-slot must be given and the new passphrase will overwrite the
specified key-slot. If no key-slot is specified and there is still a
free key-slot, then the new passphrase will be put into a free key-slot
before the key-slot containing the old passphrase is purged. If there is
no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
*WARNING:* If a key-slot is overwritten, a media failure during this
operation can cause the overwrite to fail after the old passphrase has
been wiped and make the LUKS container inaccessible. LUKS2 mitigates
that by never overwritting existing keyslot area as long as there's
a free space in keyslots area at least for one more LUKS2 keyslot.
*NOTE:* some parameters are effective only if used with LUKS2 format
that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
algorithm is always the same for all keyslots.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations,
--pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot,
--force-password, --hash, --header, --disable-locks, --type,
--keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
Reference in New Issue View Git Blame Copy Permalink