In this article I will share the steps to change a LUKS device's master key, cipher, hash and key size. For security reasons you may be required to change the LUKS device master key or other values such as the encryption cipher.
Below are some more articles on LUKS-based disk encryption:
- How to Encrypt Hard Disk (partition) using LUKS in Linux
- How to auto mount LUKS encrypted partition using fstab at boot in Linux
- How to encrypt root partition and entire file system using LUKS in Linux
- How to resize LUKS partition (shrink or extend encrypted luks volume) in Linux
- Configure LUKS Network Bound Disk Encryption with clevis & tang server to boot without password
When creating a new LUKS-encrypted volume, there are basically 4 "knobs" that can be tweaked.
- symmetric encryption cipher
- cipher block mode
- IV (initialization vector) for the cipher block mode
- encryption key size
List of supported ciphers
While changing the default encryption cipher is not recommended, it is an option, and here are some of the choices:
- AES - Advanced Encryption Standard - FIPS PUB 197
- Twofish
- Serpent
- cast5 - RFC 2144
- cast6 - RFC 2612
Check /proc/crypto, which lists the supported ciphers and modes, but note that it contains only the currently loaded crypto API modules.
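As an added example (not from the article), the helper below turns a LUKS cipher spec such as aes-xts-plain64 into the kernel crypto API names it needs and checks them against a /proc/crypto-style listing. The function names are my own, SAMPLE is a constructed excerpt, and the mode(cipher) naming is how dm-crypt requests algorithms from the kernel; a "missing" result may only mean the module is not loaded yet.

```shell
#!/bin/sh
# Added example, not from the article. SAMPLE is a constructed excerpt in
# /proc/crypto format; on a live host pass "$(cat /proc/crypto)" instead.
SAMPLE=$(cat <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
module       : kernel
type         : skcipher

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : kernel
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
EOF
)

# Print the algorithm names present in a /proc/crypto-style text, one per line.
crypto_names() { printf '%s\n' "$1" | awk -F' *: *' '$1 ~ /^name/ { print $2 }'; }

# Convert a LUKS/dm-crypt spec "cipher-mode-iv[:hash]" into the kernel
# algorithm names it requires: mode(cipher), plus the hash for ESSIV IVs.
spec_to_algos() {
  spec=$1
  cipher=${spec%%-*}          # aes
  rest=${spec#*-}             # xts-plain64 or cbc-essiv:sha256
  mode=${rest%%-*}            # xts
  iv=${rest#*-}               # plain64 or essiv:sha256
  printf '%s(%s)\n' "$mode" "$cipher"
  case "$iv" in essiv:*) printf '%s\n' "${iv#essiv:}" ;; esac
}

# Return 0 when every algorithm the spec needs appears in the listing.
luks_spec_supported() {
  names=$(crypto_names "$2")
  for a in $(spec_to_algos "$1"); do
    printf '%s\n' "$names" | grep -qxF "$a" || return 1
  done
}

# Example: luks_spec_supported aes-xts-plain64 "$SAMPLE" && echo supported
```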
Change LUKS Device Master Key, Ciphers, Hash, Key-Size
There are two methods to change the LUKS device master key or other related values:
- backup, re-format, restore
- cryptsetup-reencrypt
Identify LUKS Encrypted Device
Before starting you must identify the file system or LUKS device whose master key or other values you wish to change.
[root@centos-8 ~]# blkid -t TYPE=crypto_LUKS
/dev/mapper/rhel-test_vol: UUID="61b1c0f8-522f-4792-98f7-29ef904943cf" TYPE="crypto_LUKS"
So here our LUKS device is /dev/mapper/rhel-test_vol
Open the encrypted disk with cryptsetup luksOpen DEV MAPPING, where MAPPING is an arbitrary name for the device-mapper target that will provide read/write access to the decrypted device.
[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/test_vol secret
Enter passphrase for /dev/rhel/test_vol:
Method 1: Backup, Re-format, Restore
This option can be used on RHEL 5 and on RHEL 6 releases older than 6.6, where cryptsetup-reencrypt was not available. I have nonetheless validated these steps on RHEL/CentOS 8 and found no issues, although this is a lengthy process, so on a later OS release you should opt for Method 2 using cryptsetup-reencrypt.
Backup content of LUKS Device
Back up the device in question through its decrypted mapping; you can use various tools such as tar, dump or rsync. I will create a backup location on the same node.
[root@centos-8 ~]# mkdir -p /backups/cryptokeys
Since my LUKS device is currently unmounted, I will mount it to access its content.
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
I have a few dummy key files for the sake of this article.
[root@centos-8 secret]# ls -l
total 24
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Next I will copy this data to my backup folder using rsync.
[root@centos-8 ~]# rsync -aXv /secret/ /backups/cryptokeys/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/
sent 234 bytes received 61 bytes 590.00 bytes/sec
total size is 8 speedup is 0.03
Verify the content inside the backup folder.
[root@centos-8 ~]# ls -l /backups/cryptokeys/
total 12
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 4096 Nov 25 22:28 lost+found
Next, unmount the LUKS device.
[root@centos-8 ~]# umount /secret
Close your LUKS device.
[root@centos-8 ~]# cryptsetup luksClose secret
Change LUKS Device Master Key and Cipher
By default the cipher for a LUKS encrypted volume is as shown below. For my internal testing I had changed my LUKS device cipher to aes-xts-essiv:sha256, so as part of this article let's change the LUKS device master key and cipher back to the default value.
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
To view the cipher, hash, key size and master key of an existing LUKS device you can use the cryptsetup or dmsetup command.
[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
cipher: aes-xts-essiv:sha256
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-essiv:sha256 :32:logon:cryptsetup:1fbf9936-ff5b-4847-9b2d-3da3044d5195-d0 0 253:2 16384
Here,
- aes - encryption block cipher. Other examples: twofish, serpent
- xts - block cipher encryption mode, referred to as the chain mode. Examples: cbc, xts
- plain64 - the initial vector is the 64-bit little-endian version of the sector number, padded with zeros if necessary.
- essiv: "encrypted sector|salt initial vector", the sector number is encrypted with the bulk cipher using a salt as key.
More information can be found at:
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
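As an added example (not from the article), the helper below parses the crypt target line printed by dmsetup table --showkey into its cipher spec and key size and checks it against the default named above; the function names are my own and BEFORE/AFTER are the two table lines shown in this article. On this CentOS 8 output the key field is a kernel keyring reference (:32:logon:cryptsetup:<UUID>-d0) rather than the raw key bytes, so the key size is read from its second field and what visibly changes after re-encryption is the reference itself.

```shell
#!/bin/sh
# Added example, not from the article. Sample input is the dm-crypt table line
# shown before and after the change; on a live host use
#   dmsetup table --target crypt --showkey /dev/mapper/secret
BEFORE='0 4177920 crypt aes-xts-essiv:sha256 :32:logon:cryptsetup:1fbf9936-ff5b-4847-9b2d-3da3044d5195-d0 0 253:2 16384'
AFTER='0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384'

# crypt target fields: start length "crypt" cipher_spec key iv_offset device offset
crypt_field() { printf '%s\n' "$2" | awk -v n="$1" '$3 == "crypt" { print $n }'; }

# Field 4 is the cipher spec "cipher-mode-iv[:ivopts]".
crypt_cipher_spec() { crypt_field 4 "$1"; }

# Field 5 is the key, either raw hex (older kernels) or a kernel keyring
# reference ":<bytes>:<type>:<description>". Print the key size in bits.
crypt_key_bits() {
  key=$(crypt_field 5 "$1")
  case "$key" in
    :*) echo $(( $(printf '%s' "$key" | cut -d: -f2) * 8 )) ;;
    *)  echo $(( ${#key} / 2 * 8 )) ;;
  esac
}

# Return 0 when the line uses the article's default: aes-xts-plain64, 256-bit key.
is_default_cipher() {
  [ "$(crypt_cipher_spec "$1")" = "aes-xts-plain64" ] && [ "$(crypt_key_bits "$1")" -eq 256 ]
}

# Return 0 when the key field differs between two table lines. With keyring
# references the description embeds the LUKS UUID, so a reformat or
# re-encryption shows up here even though the key bytes are not printed.
key_ref_changed() {
  [ "$(crypt_field 5 "$1")" != "$(crypt_field 5 "$2")" ]
}

# Example: is_default_cipher "$AFTER" && key_ref_changed "$BEFORE" "$AFTER" && echo ok
```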
If the goal is simply to change the LUKS device master key, no special options are required; otherwise, options like --cipher, --key-size and/or --hash might be desired. Here, since I am also changing my cipher value, I will use -c, which is the short form of --cipher.
[root@centos-8 ~]# cryptsetup -c aes-xts-plain64 luksFormat /dev/rhel/test_vol
WARNING: Device /dev/rhel/test_vol already contains a 'crypto_LUKS' superblock signature.
WARNING!
========
This will overwrite data on /dev/rhel/test_vol irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/rhel/test_vol:
Verify passphrase:
Restore content
Now that we have successfully changed the LUKS device master key and cipher, open the newly-formatted LUKS device and recreate any necessary structures.
[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:
Create a file system on the LUKS device.
[root@centos-8 ~]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.44.3 (10-July-2018)
Creating filesystem with 522240 4k blocks and 130560 inodes
Filesystem UUID: 93f1e562-323e-4f8a-bafc-cdd5f7d4025a
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
Mount the LUKS device on a mount point and restore the data from the backup folder.
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
[root@centos-8 ~]# rsync -aXv /backups/cryptokeys/ /secret/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/
sent 234 bytes received 65 bytes 598.00 bytes/sec
total size is 8 speedup is 0.03
Verify your data.
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Verify the new Master Key and Cipher
You can also verify the master key, which must now differ from the one we had earlier.
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384
Also verify the new cipher of your LUKS encrypted device.
[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
cipher: aes-xts-plain64
Method 2: Use cryptsetup-reencrypt
/usr/sbin/cryptsetup-reencrypt is part of the cryptsetup-reencrypt rpm, which you can install using yum. This rpm is available on RHEL 6.6 and all later releases. I am using CentOS 8 to verify these steps.
[root@centos-8 ~]# yum install -y cryptsetup-reencrypt
Backup the LUKS device
We have the same content as earlier under the /secret mount point.
[root@centos-8 secret]# ls -l /secret/
total 24
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Before we back up our LUKS device, we must unmount it.
[root@centos-8 ~]# umount /secret
Take a block-level backup of the LUKS device using the dd command.
[root@centos-8 ~]# dd if=/dev/mapper/secret bs=4k of=/backups/cryptofile.img
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 13.5232 s, 158 MB/s
Make sure the respective LUKS device is closed.
[root@centos-8 ~]# cryptsetup luksClose secret
[root@centos-8 ~]# cryptsetup status secret
/dev/mapper/secret is inactive.
Change LUKS Device Master Key
Execute cryptsetup-reencrypt against the relevant LUKS device. If the goal is simply to change the volume (master) key, no special options are required; otherwise, options like --cipher, --key-size and/or --hash might be desired.
[root@centos-8 ~]# cryptsetup-reencrypt /dev/mapper/rhel-test_vol
Enter passphrase for key slot 0:
Finished, time 00:09.210, 2040 MiB written, speed 221.5 MiB/s
Re-open and mount the respective LUKS device, either by rebooting or by manually invoking cryptsetup luksOpen and mount.
[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
Verify the LUKS device content.
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Restore Content
If there are any issues with the LUKS encrypted volume, you can clear out the content of /secret, unmount the LUKS volume and restore the content from the backup using dd.
[root@centos-8 ~]# dd if=/backups/cryptofile.img of=/dev/mapper/secret bs=4k
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 6.81704 s, 314 MB/s
Next, mount the LUKS encrypted volume and verify the files.
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root 4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Verify the new Master Key
Finally, use cryptsetup luksDump or dmsetup to confirm the changes made to the LUKS device (e.g., a new master key digest, a different cipher type, etc.).
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384
Lastly, I hope the steps from this article to change the LUKS device master key, cipher, hash and key size in Linux were helpful. Let me know your suggestions and feedback in the comment section.