[Pkg-cryptsetup-devel] key rollover page: cryptsetup

Moritz Muehlenhoff jmm at inutil.org
Fri May 16 14:14:27 UTC 2008

please ack if this information from the wiki is alright to be
merged into the main key rollover web site:


Cryptsetup itself does not use openssl for encryption (this applies to
both LUKS and dm-crypt devices).

*If* cryptsetup has been configured to use SSL-encrypted keyfiles (a
non-default setup which must be explicitly configured by the user)
and a broken version of openssl was used to generate the keyfile, the
keyfile encryption may be weaker than expected (as the salt is not
truly random).

The solution is either to re-encrypt the keyfile (if you are
reasonably certain that the encrypted key has not been disclosed to to
any third parties) or to wipe and reinstall the affected partition(s)
using a new key.

Instructions for re-encrypting a keyfile:

Do the following for each SSL-encrypted keyfile, replacing
<ssl_encrypted_key_path> with the path to the actual keyfile:

openssl enc -aes-256-cbc -d -salt -in <ssl_encrypted_key_path> -out "$tmpkey"
shred -uz <ssl_encrypted_key_path>
openssl enc -aes-256-cbc -e -salt -in "$tmpkey" -out <ssl_encrypted_key_path>
shred -uz "$tmpkey"


More information about the Pkg-cryptsetup-devel mailing list