In this article I will share the steps to change the master key, cipher, hash and key size of a LUKS device. You may need to do this for security reasons: a passphrase or master key that may have been exposed, a policy that requires a stronger cipher or hash, or a legacy volume that was created with parameters you no longer trust.
Below are some more articles on LUKS-based disk encryption:
- How to Encrypt Hard Disk (partition) using LUKS in Linux
- How to auto mount LUKS encrypted partition using fstab at boot in Linux
- How to encrypt root partition and entire file system using LUKS in Linux
- How to resize LUKS partition (shrink or extend encrypted luks volume) in Linux
- Configure LUKS Network Bound Disk Encryption with clevis & tang server to boot without password
When creating a new LUKS-encrypted volume, there are basically 4 "knobs" that can be tweaked.
- symmetric encryption cipher
- cipher block mode
- IV (initialization vector) generator used by the block mode
- encryption key size
Supported ciphers
Changing the default encryption cipher is not recommended, but it is an option, and here are some of the choices:
- AES - Advanced Encryption Standard - FIPS PUB 197
- Twofish
- Serpent
- cast5 - RFC 2144
- cast6 - RFC 2612
Check /proc/crypto, which lists the supported ciphers, modes and hashes. Note that it only lists crypto API modules that are currently loaded, so an algorithm missing from it may still be available once its module is loaded.
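The following shell helper, added here as an example and not part of the original article, decodes a dm-crypt cipher spec of the form cipher-mode-iv (the knobs listed above) into the kernel crypto API names dm-crypt requests (mode(cipher), plus the hash for an essiv:hash IV generator) and checks them against /proc/crypto text read from standard input. The /proc/crypto excerpt embedded in it is constructed; for a real check feed it the actual file (cipher_available aes-xts-plain64 < /proc/crypto). The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: decode a dm-crypt cipher
# spec ("cipher-mode-iv", e.g. aes-xts-plain64) into the kernel crypto API
# algorithm names dm-crypt requests, and check them against /proc/crypto.
# Function names are hypothetical; the /proc/crypto excerpt is constructed.

# capi_names SPEC
# Prints "mode(cipher)" (or just "cipher" when no mode is given) and, for an
# essiv:<hash> IV generator, the hash name on a second line.
capi_names() {
    spec=$1
    cipher=${spec%%-*}
    rest=""; mode=""; iv=""
    case $spec in *-*) rest=${spec#*-} ;; esac
    mode=${rest%%-*}
    case $rest in *-*) iv=${rest#*-} ;; esac
    if [ -n "$mode" ]; then
        printf '%s(%s)\n' "$mode" "$cipher"
    else
        printf '%s\n' "$cipher"
    fi
    case $iv in essiv:*) printf '%s\n' "${iv#essiv:}" ;; esac
}

# cipher_available SPEC < /proc/crypto
# Returns 0 if every algorithm the spec needs appears as a
# "name : <alg>" record in the /proc/crypto text on stdin, else 1.
# Only loaded modules are listed there, so a miss means "not loaded",
# not necessarily "unsupported".
cipher_available() {
    table=$(cat)
    for alg in $(capi_names "$1"); do
        printf '%s\n' "$table" | awk -v want="$alg" '
            $1 == "name" && $2 == ":" && $3 == want { found = 1 }
            END { exit found ? 0 : 1 }' || return 1
    done
    return 0
}

# Constructed /proc/crypto excerpt: xts(aes), cbc(aes) and sha256 loaded,
# no serpent and no sha512.
SAMPLE_PROC_CRYPTO='name         : xts(aes)
driver       : xts-aes-aesni
module       : kernel
type         : skcipher

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : kernel
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
'

for spec in aes-xts-plain64 aes-cbc-essiv:sha256 aes-cbc-essiv:sha512 serpent-xts-plain64; do
    if printf '%s' "$SAMPLE_PROC_CRYPTO" | cipher_available "$spec"; then
        echo "$spec: all algorithms loaded"
    else
        echo "$spec: not (fully) loaded"
    fi
done
```

A miss here only means the module is not loaded right now. Running cryptsetup benchmark -c with the spec (and -s with the key size) asks the kernel for the algorithm through the crypto API, which pulls the module in and tells you whether the kernel can actually provide it at that key size.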
Change LUKS Device Master Key, Ciphers, Hash, Key-Size
There are two methods to change LUKS device master key or other related values:
- backup, re-format, restore
- cryptsetup-reencrypt
cryptsetup and the Anaconda installer have their own safe and sane defaults. It is not necessary to explicitly tweak the above settings when creating a new encrypted volume; indeed, unless you know what you are doing, it is discouraged.
Identify LUKS Encrypted Device
Before starting you must identify the file system or LUKS device for which you wish to change master key or other values.
[root@centos-8 ~]# blkid -t TYPE=crypto_LUKS
/dev/mapper/rhel-test_vol: UUID="61b1c0f8-522f-4792-98f7-29ef904943cf" TYPE="crypto_LUKS"
So here our LUKS device is /dev/mapper/rhel-test_vol (an LVM volume; the path /dev/rhel/test_vol refers to the same device, and both forms are used interchangeably below).
Open the encrypted device with cryptsetup luksOpen DEV MAPPING, where MAPPING is an arbitrary name for the device-mapper target that will provide read/write access to the decrypted device:
[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/test_vol secret
Enter passphrase for /dev/rhel/test_vol:
Method 1: Backup, Re-format, Restore
This option is the one to use on RHEL 5 and on RHEL 6 releases earlier than 6.6, where cryptsetup-reencrypt was not available. I have nonetheless validated these steps on RHEL/CentOS 8 without any issues, but it is a lengthy process, so on a later OS you should prefer Method 2 using cryptsetup-reencrypt.
Backup content of LUKS Device
Back up the device through its decrypted mapping; tar, dump or rsync all work. I will create a backup location on the same node. Keep in mind that this backup holds the data in clear, so it must itself live on encrypted storage and be securely deleted once the restore has been verified, otherwise the re-keying buys nothing.
[root@centos-8 ~]# mkdir -p /backups/cryptokeys
Since my LUKS device is not mounted, I will mount it to access its content:
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
I have a few dummy files for the sake of this article.
[root@centos-8 secret]# ls -l
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Next I copy this data to the backup folder with rsync (-a preserves ownership, permissions and timestamps, -X extended attributes; add -A if the filesystem carries POSIX ACLs):
[root@centos-8 ~]# rsync -aXv /secret/ /backups/cryptokeys/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/

sent 234 bytes  received 61 bytes  590.00 bytes/sec
total size is 8  speedup is 0.03
Verify the content inside backup folder
[root@centos-8 ~]# ls -l /backups/cryptokeys/
total 12
-rw-r--r-- 1 root root    4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root    4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 4096 Nov 25 22:28 lost+found
Next unmount the LUKS device
[root@centos-8 ~]# umount /secret
Close your LUKS device
[root@centos-8 ~]# cryptsetup luksClose secret
Change LUKS Device Master Key and Cipher
The default cipher for a LUKS volume is shown below (the compiled-in default reported by cryptsetup --help). For my internal testing I had formatted this device with aes-xts-essiv:sha256, so as part of this article we will change the master key and switch the cipher back to the default.
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
To view the cipher, hash, key size and master-key digest of an existing LUKS device use cryptsetup luksDump; dmsetup table shows the parameters of the active mapping:
[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
	cipher: aes-xts-essiv:sha256
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-essiv:sha256 :32:logon:cryptsetup:1fbf9936-ff5b-4847-9b2d-3da3044d5195-d0 0 253:2 16384
Here cryptsetup has placed the volume key in the kernel keyring, so the fifth field is a keyring reference (:32: is the key length in bytes, i.e. a 256-bit key) rather than the key itself. For LUKS1 or plain mappings --showkey prints the raw key in hex, so never paste that output into tickets or logs.
Here,
- aes - the encryption block cipher (alternatives: twofish, serpent)
- xts - the block cipher encryption mode, which cryptsetup also calls the chain mode (alternative: cbc)
- plain64 - the IV generator: the IV is the 64-bit little-endian sector number, zero-padded to the cipher block size
- essiv:sha256 - "encrypted sector|salt initial vector": the sector number is encrypted with the bulk cipher under a salt key, which is derived by hashing the bulk key with the named hash (sha256). ESSIV was introduced to defeat watermarking attacks against CBC; XTS does not need it, which is why aes-xts-plain64 is the default.
More information can be collected from:
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
If the goal is simply to change the master key, no special options are required: luksFormat always generates a fresh master key. Otherwise, options such as --cipher, --key-size and/or --hash can be given. Since I am also changing the cipher, I use -c, the short form of --cipher. Note that luksFormat also assigns a new UUID to the header (compare the UUID in the dmsetup output above with the one shown after the format), so any /etc/crypttab or fstab entry that references the old UUID must be updated.
[root@centos-8 ~]# cryptsetup -c aes-xts-plain64 luksFormat /dev/rhel/test_vol
WARNING: Device /dev/rhel/test_vol already contains a 'crypto_LUKS' superblock signature.
WARNING!
========
This will overwrite data on /dev/rhel/test_vol irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/rhel/test_vol:
Verify passphrase:
Restore content
Now that the master key and cipher have been changed, open the newly formatted LUKS device and recreate the structures it needs:
[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:
Assign a file system to the LUKS device
[root@centos-8 ~]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.44.3 (10-July-2018)
Creating filesystem with 522240 4k blocks and 130560 inodes
Filesystem UUID: 93f1e562-323e-4f8a-bafc-cdd5f7d4025a
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
Mount the LUKS device on a mount point and restore the data from the backup folder
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
[root@centos-8 ~]# rsync -aXv /backups/cryptokeys/ /secret/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/
sent 234 bytes received 65 bytes 598.00 bytes/sec
total size is 8 speedup is 0.03
Verify your data
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Verify the new Master Key and Cipher
The dmsetup table line for the new mapping differs from the one we saw before. Note, however, that what it shows is a kernel keyring reference whose description contains the LUKS UUID, not the key itself; it changed because luksFormat wrote a new header with a new UUID. To confirm that the master key really changed, compare the key digest in cryptsetup luksDump output (the "MK digest" field for LUKS1, the "Digest" entry under Digests for LUKS2) taken before and after the format. cryptsetup luksDump --dump-master-key would print the key itself and should only be used for a deliberate key escrow, never in a logged session.
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384
Also verify the new cipher for your LUKS encrypted device
[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
cipher: aes-xts-plain64
Method 2: Use cryptsetup-reencrypt
/usr/sbin/cryptsetup-reencrypt is part of the cryptsetup-reencrypt rpm, which you can install with yum. The package is available on RHEL 6.6 and later. I am using CentOS 8 to verify these steps.
[root@centos-8 ~]# yum install -y cryptsetup-reencrypt
Backup the LUKS device
We have the same content as before on /secret, the mount point of the secret mapping:
[root@centos-8 secret]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Before we backup our LUKS device, we must un-mount it.
[root@centos-8 ~]# umount /secret
Take a block-level backup of the LUKS device with the dd command. Read from the decrypted mapping, so that the image can be restored regardless of the new master key or cipher. That also means the image holds the data in clear: write it to storage that is itself encrypted and shred it once the re-encryption has been verified.
[root@centos-8 ~]# dd if=/dev/mapper/secret bs=4k of=/backups/cryptofile.img
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 13.5232 s, 158 MB/s
Make sure the respective LUKS device is closed
[root@centos-8 ~]# cryptsetup luksClose secret
[root@centos-8 ~]# cryptsetup status secret
/dev/mapper/secret is inactive.
Change LUKS Device Master Key
Run cryptsetup-reencrypt against the LUKS device. If the goal is simply to change the volume/master key, no special options are required; otherwise, options such as --cipher, --key-size and/or --hash can be given. The device must be closed while it runs. The tool rewrites every sector in place and keeps its progress log in the current working directory, so an interrupted run can be resumed by starting the same command again from that directory; a crash in the middle of a run without that log and without a backup means data loss, which is why the dd image above and a header backup (cryptsetup luksHeaderBackup --header-backup-file) are worth taking first.
[root@centos-8 ~]# cryptsetup-reencrypt /dev/mapper/rhel-test_vol
Enter passphrase for key slot 0:
Finished, time 00:09.210, 2040 MiB written, speed 221.5 MiB/s
Re-open and mount the LUKS device, either by rebooting or by manually invoking cryptsetup luksOpen and mount:
[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
Verify the LUKS device content
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Restore Content
If the re-encrypted volume turns out to be damaged, unmount it and restore the block-level image onto the open mapping with dd; this overwrites the whole device content, so there is no need to clear /secret first.
[root@centos-8 ~]# dd if=/backups/cryptofile.img of=/dev/mapper/secret bs=4k
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 6.81704 s, 314 MB/s
Next mount the LUKS encrypted volume and verify the files
[root@centos-8 ~]# mount /dev/mapper/secret /secret/
[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found
Verify the new Master Key
Finally, use cryptsetup luksDump or dmsetup to confirm the changes made to the LUKS device (a new master key digest, a different cipher, etc.). The key digest in luksDump is the authoritative check: cryptsetup-reencrypt keeps the header UUID, so the dmsetup line below is identical to the one before re-encryption and cannot by itself show that the key changed.
[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384
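The verification steps after Method 1 and after Method 2 both come down to proving that the key digest changed. The following shell helpers, added here as an example and not part of the original article, parse cryptsetup luksDump output taken before and after a re-encryption and report whether the digest differs, and decode what a dmsetup table --showkey line actually reveals about the key. The dump excerpts and table lines embedded in it are constructed from the values shown on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that a reformat or
# cryptsetup-reencrypt really produced a new master key, by comparing the key
# digest that cryptsetup luksDump prints before and after, and decode what a
# "dmsetup table --showkey" line reveals about the key. Function names are
# hypothetical; the luksDump excerpts and table lines below are constructed.

# luks_summary < dump.txt
# Prints "cipher=<spec> keybits=<n> digest=<hex>" from luksDump text.
# Understands the LUKS2 layout (cipher:, Key:, Digest:) and the LUKS1 layout
# (Cipher name:/Cipher mode:, MK bits:, MK digest:). The digest is a hash of
# the master key, so a changed digest means a changed key.
luks_summary() {
    awk '
        /^[[:space:]]*cipher:/ && c == ""  { c = $2 }              # LUKS2 data segment
        /^[[:space:]]*Cipher name:/        { cn = $3 }             # LUKS1
        /^[[:space:]]*Cipher mode:/        { c = cn "-" $3 }       # LUKS1
        /^[[:space:]]*Key:[[:space:]]/ && k == "" { k = $2 }       # LUKS2 keyslot
        /^[[:space:]]*MK bits:/            { k = $3 }              # LUKS1
        /^[[:space:]]*(MK )?[Dd]igest:/ {                          # first digest line
            sub(/^[^:]*:[[:space:]]*/, ""); d = $0; indigest = 1; next }
        indigest && /^[[:space:]]*[0-9a-f][0-9a-f]([[:space:]]+[0-9a-f][0-9a-f])*[[:space:]]*$/ {
            d = d " " $0; next }                                   # wrapped hex lines
        { indigest = 0 }
        END { gsub(/[[:space:]]+/, "", d)
              printf "cipher=%s keybits=%s digest=%s\n", c, k, d }'
}

# luks_rekeyed "$before_dump" "$after_dump"
# Returns 0 only if both dumps carry a digest and the digests differ.
luks_rekeyed() {
    bd=$(printf '%s\n' "$1" | luks_summary); bd=${bd##*digest=}
    ad=$(printf '%s\n' "$2" | luks_summary); ad=${ad##*digest=}
    [ -n "$bd" ] && [ -n "$ad" ] && [ "$bd" != "$ad" ]
}

# dm_crypt_key_info "<dmsetup table --showkey line>"
# Field 5 of a crypt target is the key. ":<bytes>:logon:<description>" means
# the key is held in the kernel keyring and the table does not expose it (what
# the article's output shows); a bare hex string means the raw master key is
# printed (LUKS1 / plain mappings) and the output must be handled as a secret.
dm_crypt_key_info() {
    set -- $1
    [ "$3" = "crypt" ] || { echo "not a crypt target" >&2; return 1; }
    case $5 in
        :*) b=${5#:}; b=${b%%:*}
            printf 'cipher=%s keybits=%s key=keyring\n' "$4" $((b * 8)) ;;
        *)  printf 'cipher=%s keybits=%s key=EXPOSED-IN-TABLE\n' "$4" $(( ${#5} / 2 * 8 )) ;;
    esac
}

# Constructed LUKS2 luksDump excerpts: before (aes-xts-essiv:sha256) and after
# re-formatting with the default cipher. Digests are shortened for readability.
BEFORE_DUMP='LUKS header information
Version:        2
UUID:           1fbf9936-ff5b-4847-9b2d-3da3044d5195

Data segments:
  0: crypt
        cipher: aes-xts-essiv:sha256
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Digest ID:  0

Digests:
  0: pbkdf2
        Hash:       sha256
        Digest:     aa bb cc dd
                    ee ff 00 11'
AFTER_DUMP='LUKS header information
Version:        2
UUID:           61b1c0f8-522f-4792-98f7-29ef904943cf

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Digest ID:  0

Digests:
  0: pbkdf2
        Hash:       sha256
        Digest:     11 22 33 44
                    55 66 77 88'

# Real use: before=$(cryptsetup luksDump /dev/rhel/test_vol); re-encrypt; then
#           luks_rekeyed "$before" "$(cryptsetup luksDump /dev/rhel/test_vol)"
printf '%s\n' "$BEFORE_DUMP" | luks_summary
printf '%s\n' "$AFTER_DUMP"  | luks_summary
luks_rekeyed "$BEFORE_DUMP" "$AFTER_DUMP" && echo "master key changed"
dm_crypt_key_info '0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384'
```

Save the luksDump output before you start, because once the header has been rewritten there is nothing left to compare against; the dmsetup line only identifies the keyring entry by UUID and is unchanged after cryptsetup-reencrypt, which is exactly why it is not a proof of re-keying.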
Lastly, I hope the steps in this article to change the LUKS device master key, cipher, hash and key size in Linux were helpful. Let me know your suggestions and feedback in the comment section.