How to change LUKS device master key, cipher, hash, key-size in Linux

In this article I will share the steps to change a LUKS device's master key, cipher, hash and key size. For security reasons you may be required to change the master key of a LUKS device, or other parameters such as its encryption cipher.


When creating a new LUKS-encrypted volume, there are basically 4 "knobs" that can be tweaked.

  • symmetric encryption cipher
  • cipher block mode
  • IV (initialization vector) for the cipher block mode
  • encryption key size

 

Supported list of ciphers

While changing the default encryption cipher is not recommended, it is an option, and here are some of the choices:

Check /proc/crypto, which lists the supported ciphers and modes, but note that it contains only the crypto API modules that are currently loaded.
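As an added example (not from the article), the shell functions below show how to apply this check before passing a cipher spec to luksFormat: they translate a dm-crypt spec such as aes-xts-plain64 into the crypto API name the kernel registers it under (xts(aes)) and look that name up in a /proc/crypto dump. The dump used here is a constructed excerpt so that the code runs offline; on a real system you would feed it "$(cat /proc/crypto)".

```sh
#!/bin/sh
# Constructed excerpt in the record format of /proc/crypto: records separated by a
# blank line, one "key : value" per line. On a live system read /proc/crypto itself.
PROC_CRYPTO_SAMPLE='name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
'

# Map a dm-crypt spec "cipher-mode-iv" (e.g. aes-xts-plain64) to the crypto API
# name the kernel registers the mode/cipher pair under, e.g. "xts(aes)".
spec_to_alg() {
  cipher=${1%%-*}; rest=${1#*-}; mode=${rest%%-*}
  echo "$mode($cipher)"
}

# alg_drivers NAME DUMP prints the drivers registered for NAME; exit 1 if none.
# A miss can simply mean the module is not loaded yet: /proc/crypto lists only
# currently loaded crypto API modules.
alg_drivers() {
  printf '%s' "$2" | awk -v want="$1" 'BEGIN { RS = ""; FS = "\n"; found = 0 }
    { name = ""; driver = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, / *: */)
        if (kv[1] == "name")   name   = kv[2]
        if (kv[1] == "driver") driver = kv[2]
      }
      if (name == want) { print driver; found = 1 } }
    END { exit (found ? 0 : 1) }'
}

# spec_supported SPEC DUMP checks mode(cipher) and, for essiv:<hash>, the hash too.
spec_supported() {
  alg=$(spec_to_alg "$1") ok=0
  alg_drivers "$alg" "$2" >/dev/null || { echo "missing: $alg"; ok=1; }
  case $1 in
    *essiv:*) hash=${1##*essiv:}
              alg_drivers "$hash" "$2" >/dev/null || { echo "missing: $hash"; ok=1; } ;;
  esac
  return $ok
}

spec_supported aes-xts-essiv:sha256 "$PROC_CRYPTO_SAMPLE" && echo "aes-xts-essiv:sha256: all primitives loaded"
spec_supported twofish-cbc-plain64 "$PROC_CRYPTO_SAMPLE" || echo "twofish-cbc-plain64: not loaded"
```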

 

Change LUKS Device Master Key, Ciphers, Hash, Key-Size

There are two methods to change LUKS device master key or other related values:

  1. backup, re-format, restore
  2. cryptsetup-reencrypt

WARNING:

Note that cryptsetup and the Anaconda installer have their own safe and sane defaults. It is not necessary to explicitly tweak the above settings when creating a new encrypted volume; indeed, unless you know what you are doing, it is actually discouraged.

 

Identify LUKS Encrypted Device

Before starting you must identify the file system or LUKS device whose master key or other values you wish to change.

[root@centos-8 ~]# blkid -t TYPE=crypto_LUKS
/dev/mapper/rhel-test_vol: UUID="61b1c0f8-522f-4792-98f7-29ef904943cf" TYPE="crypto_LUKS"

So here our LUKS device is /dev/mapper/rhel-test_vol.

Open the encrypted device with cryptsetup luksOpen DEV MAPPING, where MAPPING is an arbitrary name for the device-mapper target that will provide read/write access to the decrypted device.

[root@centos-8 ~]# cryptsetup luksOpen /dev/rhel/test_vol secret
Enter passphrase for /dev/rhel/test_vol:

 

Method 1: Backup, Re-format, Restore

This option can be used on RHEL 5 and 6.6, as cryptsetup-reencrypt was not available on these OS variants. I have nevertheless validated these steps on RHEL/CentOS 8 and did not find any issues, although this is a lengthy process, so on a later OS variant you should opt for Method 2 using cryptsetup-reencrypt.

 

Backup content of LUKS Device

Back up the device in question through its decrypted mapping. You can use various tools to take the backup, such as tar, dump or rsync. I will create a backup location on the same node.

[root@centos-8 ~]# mkdir -p /backups/cryptokeys

Since my LUKS device is unmounted, I will mount it to access the LUKS device content.

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

I have a few dummy key files for the sake of this article.

[root@centos-8 secret]# ls -l
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found

Next I will copy this data to my backup folder using rsync

[root@centos-8 ~]# rsync -aXv /secret/  /backups/cryptokeys/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/

sent 234 bytes  received 61 bytes  590.00 bytes/sec
total size is 8  speedup is 0.03

Verify the content of the backup folder

[root@centos-8 ~]# ls -l /backups/cryptokeys/
total 12
-rw-r--r-- 1 root root    4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root    4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 4096 Nov 25 22:28 lost+found

Next unmount the LUKS device

[root@centos-8 ~]# umount /secret

Close your LUKS device

[root@centos-8 ~]# cryptsetup luksClose secret

 

Change LUKS Device Master Key and Cipher

By default the cipher for a LUKS encrypted volume is as shown below. For my internal testing I had changed my LUKS device cipher to aes-xts-essiv:sha256, so as part of this article let's change the LUKS device master key and cipher back to the default value.

LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom

To view cipher, hash, key-size and master-key of an existing LUKS device you can use cryptsetup or dmsetup command.

[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
        cipher: aes-xts-essiv:sha256

[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-essiv:sha256 :32:logon:cryptsetup:1fbf9936-ff5b-4847-9b2d-3da3044d5195-d0 0 253:2 16384

Here,

  • aes - the encryption block cipher; other examples are twofish and serpent.
  • xts - the block cipher encryption mode, referred to as the chain mode; other examples are cbc and xts.
  • plain64 - the initial vector is the 64-bit little-endian version of the sector number, padded with zeros if necessary.
  • essiv - "encrypted sector|salt initial vector": the sector number is encrypted with the bulk cipher, using a salt as the key.

More information can be collected from:
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

 

If the goal is simply to change the LUKS device master key, no special options are required; otherwise, options like --cipher, --key-size and/or --hash may be desired. Since I am also changing my cipher value, I will use -c, the short form of --cipher.

WARNING:

This will completely destroy any data available in the LUKS Device.

[root@centos-8 ~]# cryptsetup -c aes-xts-plain64 luksFormat /dev/rhel/test_vol
WARNING: Device /dev/rhel/test_vol already contains a 'crypto_LUKS' superblock signature.

WARNING!
========
This will overwrite data on /dev/rhel/test_vol irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/rhel/test_vol:
Verify passphrase:

 

Restore content

Now that we have successfully changed the LUKS device master key and cipher, open the newly formatted LUKS device and recreate any necessary structures.

[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:

Create a file system on the LUKS device

[root@centos-8 ~]# mkfs.ext4 /dev/mapper/secret
mke2fs 1.44.3 (10-July-2018)
Creating filesystem with 522240 4k blocks and 130560 inodes
Filesystem UUID: 93f1e562-323e-4f8a-bafc-cdd5f7d4025a
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

Mount the LUKS device on a mount point and restore the data from the backup folder

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

[root@centos-8 ~]# rsync -aXv /backups/cryptokeys/ /secret/
sending incremental file list
./
encrypted_keys_1
encrypted_keys_2
lost+found/

sent 234 bytes  received 65 bytes  598.00 bytes/sec
total size is 8  speedup is 0.03

Verify your data

[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found

 

Verify the new Master Key and Cipher

You can also verify your master key, which must now be different from the one we had earlier.

[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384

Also verify the new cipher for your LUKS encrypted device

[root@centos-8 ~]# cryptsetup luksDump /dev/rhel/test_vol | grep cipher
        cipher: aes-xts-plain64
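As an added example (not part of the original article), the shell functions below parse the dm-crypt table lines that dmsetup printed above, using the field layout explained in the "Here," list, and compare the table before the re-format with the one after it. The two lines are constructed copies of the article's own output. One thing the parser makes visible: a key field that starts with ':' means the key is held in the kernel keyring, so --showkey prints only a keyring reference (here containing the LUKS header UUID), not the key bytes; to compare the key itself, look at the MK digest in cryptsetup luksDump.

```sh
#!/bin/sh
# Constructed copies of the two "dmsetup table --target crypt --showkey" lines
# from this article: the table before the re-format and the table afterwards.
BEFORE='0 4177920 crypt aes-xts-essiv:sha256 :32:logon:cryptsetup:1fbf9936-ff5b-4847-9b2d-3da3044d5195-d0 0 253:2 16384'
AFTER='0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384'

# dm-crypt table layout: <start> <length> crypt <cipher-mode-iv> <key> <iv_offset> <dev> <offset> [...]
# crypt_field LINE FIELD prints one of: cipher | mode | iv | keybits | keystore
crypt_field() {
  line=$1 want=$2
  set -- $line                        # word-split the table line into $1..$n
  [ "$3" = crypt ] || { echo "not a dm-crypt table line" >&2; return 1; }
  spec=$4 key=$5
  case $want in
    cipher)   echo "${spec%%-*}" ;;                           # aes
    mode)     rest=${spec#*-}; echo "${rest%%-*}" ;;          # xts
    iv)       echo "${spec##*-}" ;;                           # plain64 or essiv:sha256
    keybits)
      case $key in
        # ":<bytes>:<type>:<description>" means the key lives in the kernel keyring
        :*) bytes=${key#:}; bytes=${bytes%%:*}; echo $((bytes * 8)) ;;
        # otherwise --showkey has printed the raw key as hex (4 bits per hex digit)
        *)  echo $(( ${#key} * 4 )) ;;
      esac ;;
    keystore) case $key in :*) echo keyring ;; *) echo hex ;; esac ;;
    *)        echo "unknown field: $want" >&2; return 1 ;;
  esac
}

# Succeeds when the cipher spec or the key reference differs between two table
# lines, i.e. when luksFormat / cryptsetup-reencrypt actually changed something.
crypt_changed() {
  a=$1 b=$2
  set -- $a; spec_a=$4 key_a=$5
  set -- $b; spec_b=$4 key_b=$5
  [ "$spec_a" != "$spec_b" ] || [ "$key_a" != "$key_b" ]
}

for f in cipher mode iv keybits keystore; do
  printf '%-9s before=%-14s after=%s\n' "$f" \
    "$(crypt_field "$BEFORE" "$f")" "$(crypt_field "$AFTER" "$f")"
done
if crypt_changed "$BEFORE" "$AFTER"; then
  echo "cipher spec or key reference changed"
fi
```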

 

Method 2: Use cryptsetup-reencrypt

/usr/sbin/cryptsetup-reencrypt is provided by the cryptsetup-reencrypt rpm, which you can install using yum. This rpm is available on RHEL 6.6 and all later releases. I am using CentOS 8 to verify these steps.

[root@centos-8 ~]# yum install -y cryptsetup-reencrypt

 

Backup the LUKS device

The secret MAPPING, mounted on /secret, still has the same content as earlier.

[root@centos-8 secret]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found

Before we back up our LUKS device, we must unmount it.

[root@centos-8 ~]# umount /secret

Take the backup of LUKS device at block level using dd command

[root@centos-8 ~]# dd if=/dev/mapper/secret bs=4k of=/backups/cryptofile.img
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 13.5232 s, 158 MB/s

Make sure the respective LUKS device is closed

[root@centos-8 ~]# cryptsetup luksClose secret

[root@centos-8 ~]# cryptsetup status secret
/dev/mapper/secret is inactive.

 

Change LUKS Device Master Key

Execute cryptsetup-reencrypt against the relevant LUKS device. If the goal is simply to change the volume/master key, no special options are required; otherwise, options like --cipher, --key-size and/or --hash may be desired.

[root@centos-8 ~]# cryptsetup-reencrypt /dev/mapper/rhel-test_vol
Enter passphrase for key slot 0:
Finished, time 00:09.210, 2040 MiB written, speed 221.5 MiB/s

Re-open and mount the respective LUKS device, either by rebooting or by manually invoking cryptsetup luksOpen and mount.

[root@centos-8 ~]# cryptsetup luksOpen /dev/mapper/rhel-test_vol secret
Enter passphrase for /dev/mapper/rhel-test_vol:

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

Verify the LUKS device content

[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found

 

Restore Content

If there are any issues with the LUKS encrypted volume, you can clear out the content of /secret, unmount the LUKS volume and restore the content from the backup using dd.

[root@centos-8 ~]# dd if=/backups/cryptofile.img of=/dev/mapper/secret bs=4k
522240+0 records in
522240+0 records out
2139095040 bytes (2.1 GB, 2.0 GiB) copied, 6.81704 s, 314 MB/s

Next mount the LUKS encrypted volume and verify the files

[root@centos-8 ~]# mount /dev/mapper/secret /secret/

[root@centos-8 ~]# ls -l /secret/
total 24
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_1
-rw-r--r-- 1 root root     4 Nov 25 22:28 encrypted_keys_2
drwx------ 2 root root 16384 Nov 25 22:28 lost+found

 

Verify the new Master Key

Finally, use cryptsetup luksDump or dmsetup to confirm the changes made to the LUKS device (e.g. a new master key digest, a different cipher type, etc.).

[root@centos-8 ~]# dmsetup table --target crypt --showkey /dev/mapper/secret
0 4177920 crypt aes-xts-plain64 :32:logon:cryptsetup:61b1c0f8-522f-4792-98f7-29ef904943cf-d0 0 253:2 16384

 

Lastly, I hope the steps in this article to change the LUKS device master key, cipher, hash and key size in Linux were helpful. Let me know your suggestions and feedback using the comment section.

 
