How to change cipher, key-size, hash, master key of existing LUKS device

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6.6+
  • cryptsetup-reencrypt package

Issue

  • How can I change or rotate the master key (also called volume key) on an existing LUKS device?

  • How can I change the encryption cipher on an existing LUKS container?

Resolution

When anything about a LUKS device other than its size or its key slots has to change, there are two choices: back up, re-format and restore (Option 1), or re-encrypt in place with cryptsetup-reencrypt (Option 2).

Preamble

  • Before doing anything, identify the device in question.
    The findmnt, lsblk and/or blkid tools can help with this, for example:

        [root:~]# blkid -t TYPE=crypto_LUKS
        /dev/mapper/sawz-cryptbox: UUID="12c8c122-3fd9-4aee-b8d2-3901d0535074" TYPE="crypto_LUKS" 
    
        [root:~]# lsblk --fs /dev/mapper/sawz-cryptbox
        NAME              FSTYPE      LABEL UUID                                 MOUNTPOINT
        sawz-cryptbox     crypto_LUKS       12c8c122-3fd9-4aee-b8d2-3901d0535074 
        └─opened_cryptbox ext4              8db7d21e-eb58-4f5d-befe-0005423847f2 /mnt/box
    
  • If the main concern is changing the master key (also called the volume key), then for later verification it is useful to note either the digest of the master key (using cryptsetup luksDump) or the master key itself (using dmsetup). Note that dmsetup --showkey prints the actual key in the clear, so treat that output (and any terminal scrollback or shell history containing it) as sensitive. For example:

        [root:~]# cryptsetup luksDump /dev/mapper/sawz-cryptbox | grep MK.digest
        MK digest:     	d6 ef ef 6a c1 05 70 8d 9b 93 e4 fd 49 34 26 b3 93 9d c6 4d 
    
        [root:~]# dmsetup table --target crypt --showkey /dev/mapper/opened_cryptbox 
        0 520192 crypt aes-xts-plain64 8c76bab5bac4c1d4bceb1092eace5d3706a1b678954ae6ddddbdc0674b07f545 0 253:14 4096
    

Option 1: Backup, Re-format, Restore

Prior to RHEL 6.6, this is the only option. Steps would be as follows:

  1. Back up the device in question using the decrypted (opened) mapping.
    What to use depends on what the LUKS device contains; typical choices are rsync, tar or dump.
    The example in the Preamble would require something like this:

    [root:~]# rsync -aXv /mnt/box/ /backups/cryptbox/
        <output truncated>
    
  2. Unmount and close the LUKS device in question.
    Example:

    [root:~]# umount /mnt/box
    [root:~]# cryptsetup luksClose opened_cryptbox
    
  3. Re-format the LUKS container (WHICH WILL COMPLETELY DESTROY ANY DATA ON IT).
    If the goal is simply to change the volume/master key, no special options are required; otherwise, options such as --cipher, --key-size and/or --hash may be wanted.
    Example:

    [root:~]# cryptsetup luksFormat /dev/mapper/sawz-cryptbox
         <output truncated>
    
  4. Open the newly formatted LUKS device and recreate any necessary structures.
    What to recreate depends on what used to be there, but this would typically be a filesystem.
    Example:

        [root:~]# cryptsetup luksOpen /dev/mapper/sawz-cryptbox opened_cryptbox
            <output truncated>
    
        [root:~]# mkfs.ext4 /dev/mapper/opened_cryptbox 
            <output truncated>
            
        [root:~]# mount /dev/mapper/opened_cryptbox /mnt/box
    
  5. Restore the original data.
    Example:

    [root:~]# rsync -aXv /backups/cryptbox/ /mnt/box/
        <output truncated>
    
  6. Optional: use cryptsetup luksDump to confirm the changes made to the LUKS device (e.g., a new master key digest, a different cipher type, etc.).

Option 2 for RHEL 6.6+ or RHEL 7: Use cryptsetup-reencrypt

Currently, the cryptsetup-reencrypt package ships only with RHEL 6.6 and later (including RHEL 7). Steps:

  1. Install the package:

    [root:~]# yum install -y cryptsetup-reencrypt
        <output truncated>
    
  2. Back up the device in question (e.g., at the block level).
    WARNING: cryptsetup-reencrypt is a new, experimental tool; ensure a backup is available before using it. A block-level image taken from the opened mapping contains the decrypted data, so store it with the same care as the plaintext and remove it once the re-encryption has been verified.
    The example in the Preamble would require something like this:

    [root:~]# umount /mnt/box
    [root:~]# dd if=/dev/mapper/opened_cryptbox bs=4K of=/backups/cryptbox.img
        <output truncated>
    
  3. Ensure the LUKS device in question is closed.
    Example:

    [root:~]# cryptsetup luksClose opened_cryptbox
    
  4. Use cryptsetup-reencrypt --help and man cryptsetup-reencrypt to determine which options are needed, if any, and then run cryptsetup-reencrypt against the relevant LUKS device.
    If the goal is simply to change the volume/master key, no special options are required; otherwise, options such as --cipher, --key-size and/or --hash may be wanted.
    Example:

    [root:~]# cryptsetup-reencrypt /dev/mapper/sawz-cryptbox
    WARNING: this is experimental code, it can completely break your data.
    Progress: 100.0%, ETA 00:00,  254 MiB written, speed  97.2 MiB/s
    
  5. Re-open and mount the device in question, either by rebooting or by manually invoking cryptsetup luksOpen and mount.
    Example:

    [root:~]# cryptsetup luksOpen /dev/mapper/sawz-cryptbox opened_cryptbox
    [root:~]# mount /dev/mapper/opened_cryptbox /mnt/box
    
  6. Optional: use cryptsetup luksDump to confirm the changes made to the LUKS device (e.g., a new master key digest, a different cipher type, etc.).
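The verification step at the end of both options (and the digest noted in the Preamble) can be made mechanical by saving the luksDump header before and after the change and comparing the relevant fields. The script below is an added example, not part of this Red Hat solution or of cryptsetup: it parses only header fields (never the key material), reports which of cipher, mode, hash, key size and master-key digest changed, and fails if the master-key digest is unchanged. The two dump files embedded here are constructed for the example; the "before" digest and UUID are the ones shown in the Preamble, the "after" values are made up to represent a run with a fresh master key and --hash sha256. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or cryptsetup): confirm a
# master-key rotation or cipher/key-size/hash change by comparing the
# `cryptsetup luksDump` headers captured before and after the change.
# Only header fields are parsed; the volume key itself is never read.
#
# Intended use on a real system (take the dumps while the device is closed):
#   cryptsetup luksDump /dev/mapper/sawz-cryptbox > /root/luks-before.txt
#   ... Option 1 or Option 2 above ...
#   cryptsetup luksDump /dev/mapper/sawz-cryptbox > /root/luks-after.txt
#   reencrypt_summary /root/luks-before.txt /root/luks-after.txt
#   mk_digest_changed /root/luks-before.txt /root/luks-after.txt && echo "rotated"

# luks_field FILE "Field name": print one top-level luksDump header field
# (first match only) with surrounding whitespace trimmed and runs collapsed.
luks_field() {
    awk -v name="$2" -F: '
        $1 == name {
            v = $2
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            print v; exit
        }' "$1"
}

# mk_digest_changed BEFORE AFTER: succeed only if both dumps carry an
# MK digest and the two differ, i.e. a new volume key is now in use.
mk_digest_changed() {
    b=$(luks_field "$1" "MK digest")
    a=$(luks_field "$2" "MK digest")
    [ -n "$b" ] && [ -n "$a" ] && [ "$b" != "$a" ]
}

# reencrypt_summary BEFORE AFTER: one line per header field that a
# --cipher, --key-size, --hash or plain master-key change can affect.
reencrypt_summary() {
    for f in "Cipher name" "Cipher mode" "Hash spec" "MK bits" "MK digest"; do
        b=$(luks_field "$1" "$f")
        a=$(luks_field "$2" "$f")
        if [ "$b" = "$a" ]; then st=unchanged; else st=CHANGED; fi
        printf '%-12s %-9s before=[%s] after=[%s]\n' "$f" "$st" "$b" "$a"
    done
}

# Constructed sample dumps (LUKS1 layout) standing in for real luksDump
# output. "Before" digest/UUID are the Preamble's; "after" values are made up.
BEFORE_DUMP=$(mktemp)
AFTER_DUMP=$(mktemp)
trap 'rm -f "$BEFORE_DUMP" "$AFTER_DUMP"' EXIT

cat > "$BEFORE_DUMP" <<'EOF'
LUKS header information for /dev/mapper/sawz-cryptbox

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      d6 ef ef 6a c1 05 70 8d 9b 93 e4 fd 49 34 26 b3 93 9d c6 4d
MK salt:        11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
                01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
MK iterations:  53000
UUID:           12c8c122-3fd9-4aee-b8d2-3901d0535074

Key Slot 0: ENABLED
        Iterations:             212345
EOF

cat > "$AFTER_DUMP" <<'EOF'
LUKS header information for /dev/mapper/sawz-cryptbox

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d
MK salt:        f0 e1 d2 c3 b4 a5 96 87 78 69 5a 4b 3c 2d 1e 0f
                10 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01
MK iterations:  61000
UUID:           12c8c122-3fd9-4aee-b8d2-3901d0535074

Key Slot 0: ENABLED
        Iterations:             240000
EOF

reencrypt_summary "$BEFORE_DUMP" "$AFTER_DUMP"
if mk_digest_changed "$BEFORE_DUMP" "$AFTER_DUMP"; then
    echo "OK: master key digest changed"
else
    echo "WARNING: master key digest unchanged; the re-encryption did not take effect" >&2
fi
```

The digest comparison is deliberately the gate: after either option a same-UUID device with the same digest means the old master key is still in use, regardless of what the cipher fields say. Because the header is all that is read, the check can be run with the device closed, which is also the state cryptsetup-reencrypt requires.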


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.