[Pkg-cryptsetup-devel] key rollover page: cryptsetup
jmm at inutil.org
Fri May 16 14:14:27 UTC 2008
please ack if this information from the wiki is alright to be
merged into the main key rollover web site:
Cryptsetup itself does not use openssl for encryption (this applies to
both LUKS and dm-crypt devices).
*If* cryptsetup has been configured to use SSL-encrypted keyfiles (a
non-default setup which must be explicitly configured by the user)
and a broken version of openssl was used to generate the keyfile, the
keyfile encryption may be weaker than expected (as the salt is not
The solution is either to re-encrypt the keyfile (if you are
reasonably certain that the encrypted key has not been disclosed to
any third parties) or to wipe and reinstall the affected partition(s)
using a new key.
Instructions for re-encrypting a keyfile:
Do the following for each SSL-encrypted keyfile, replacing
<ssl_encrypted_key_path> with the path to the actual keyfile:
tmpkey="$(mktemp)"   # temporary file for the decrypted key
openssl enc -aes-256-cbc -d -salt -in <ssl_encrypted_key_path> -out "$tmpkey"
shred -uz <ssl_encrypted_key_path>
openssl enc -aes-256-cbc -e -salt -in "$tmpkey" -out <ssl_encrypted_key_path>
shred -uz "$tmpkey"
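The same four steps in a checked form, added here as an example rather than taken from the wiki text: it assumes the passphrase is supplied in the environment variable KEYFILE_PASS instead of at openssl's interactive prompt, keeps the cipher and salt options the keyscript expects, and overwrites the original keyfile only after the new ciphertext has been shown to decrypt back to the same bytes, so a failed step never leaves the plaintext temp file as the only copy.

```shell
#!/bin/sh
# Added example (not from the original post): re-encrypt one SSL-encrypted
# cryptsetup keyfile without a window in which the only copy is plaintext.
# Assumptions: the passphrase is passed in $KEYFILE_PASS rather than typed at
# openssl's prompt, and the keyscript still expects `-aes-256-cbc -salt`.
set -eu

# Overwrite-then-delete where shred exists; silently skip missing files.
secure_rm() {
    [ -e "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then shred -uz "$1"; else rm -f "$1"; fi
}

# enc_dec <-e|-d> <in> <out>: the single openssl invocation from the post,
# with the same cipher and salt options so the keyscript can still read it.
enc_dec() {
    openssl enc -aes-256-cbc "$1" -salt -pass env:KEYFILE_PASS -in "$2" -out "$3"
}

# reencrypt_keyfile <ssl_encrypted_key_path>
# Decrypt, encrypt to a NEW file (openssl draws a fresh random salt, so the
# derived key and IV change), prove the new file decrypts back to the same
# bytes, and only then overwrite the original. Returns non-zero and leaves
# the original untouched if any step fails.
reencrypt_keyfile() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 1
    tmpdir="$(mktemp -d)" || return 1
    plain="$tmpdir/plain"; newenc="$tmpdir/new.enc"; check="$tmpdir/check"
    rc=1
    if enc_dec -d "$keyfile" "$plain" &&
       enc_dec -e "$plain" "$newenc" &&
       enc_dec -d "$newenc" "$check" &&
       cmp -s "$plain" "$check" &&
       cp "$newenc" "$keyfile"; then
        rc=0
    fi
    # Plaintext copies are shredded whether or not we succeeded.
    secure_rm "$plain"; secure_rm "$check"; rm -f "$newenc"; rmdir "$tmpdir"
    return "$rc"
}
```

Run it once per keyfile, e.g. `KEYFILE_PASS=... reencrypt_keyfile /etc/keys/root.key.enc`; a non-zero exit means the original file was not touched.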