{{tag>Brouillon Crypt FS}}

# LUKS / cryptsetup notes

See also:

* https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery
* homectl
* Clevis / Tang Server

Add a new passphrase:

~~~bash
cryptsetup luksAddKey /dev/nvme0n1p3
~~~

Inspect the header (version, keyslots and the PBKDF used by each keyslot):

~~~bash
cryptsetup luksDump /dev/sda2
~~~

## Upgrade your LUKS key derivation function

Source:

* [Upgrade your LUKS key derivation function](https://mjg59.dreamwidth.org/66429.html)
* https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/

First identify the encrypted device and back up its LUKS header:

~~~bash
lsblk
sudo cryptsetup luksHeaderBackup /dev/whatever --header-backup-file /tmp/luksheader
~~~

Copy that to a USB stick or something. If something goes wrong here you'll be able to boot a live image and run

~~~bash
sudo cryptsetup luksHeaderRestore /dev/whatever --header-backup-file luksheader
~~~

to restore it.

(Edit to add: Once everything is working, delete this backup! It contains the old weak key, and someone with it can potentially use that to brute force your disk encryption key using the old KDF even if you've updated the on-disk KDF.)

Next, run

~~~bash
sudo cryptsetup luksDump /dev/whatever
~~~

and look for the `Version:` line. If it's version 1, you need to update the header to LUKS2. Run

~~~bash
sudo cryptsetup convert /dev/whatever --type luks2
~~~

and follow the prompts. Make sure your system still boots, and if not go back and restore the backup of your header.

Assuming everything is ok at this point, run

~~~bash
sudo cryptsetup luksDump /dev/whatever
~~~

again and look for the `PBKDF:` line in each keyslot (pay attention only to the keyslots, ignore any references to pbkdf2 that come after the `Digests:` line). If the PBKDF is either **pbkdf2** or **argon2i** you should convert to **argon2id**. Run the following:

~~~bash
sudo cryptsetup luksConvertKey /dev/whatever --pbkdf argon2id
~~~

and follow the prompts.

If you have multiple passwords associated with your drive you'll have multiple keyslots, and you'll need to repeat this for each password.

Distributions! You should really be handling this sort of thing on upgrade. People who installed their systems with your encryption defaults several years ago are now much less secure than people who perform a fresh install today. Please please please do something about this.
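The manual inspection above (check the `Version:` line, then the `PBKDF:` line of each keyslot while ignoring the pbkdf2 entry under `Digests:`) can be scripted. The following is an added example, not code from the original page or from cryptsetup; the `luksDump` text it parses is a constructed, shortened LUKS2 sample, and the function names are my own.

```shell
#!/bin/sh
# Added example: parse `cryptsetup luksDump` output to report the header version and
# the keyslots that still use a weak PBKDF (pbkdf2 or argon2i). The "Digests:" section
# legitimately mentions pbkdf2, so the parser tracks which section it is in and only
# looks at PBKDF lines inside "Keyslots:". LUKS1 headers have no PBKDF lines at all;
# they must be converted to LUKS2 first, as the notes above describe.

# luks_version: print the "Version:" value of luksDump text read on stdin.
luks_version() {
    awk '/^Version:/ { print $2 }'
}

# weak_keyslots: print "<slot> <pbkdf>" for each keyslot whose PBKDF is pbkdf2 or
# argon2i. Anything after "Tokens:" or "Digests:" is outside the keyslot section.
weak_keyslots() {
    awk '
        /^Keyslots:/              { section = "keyslots"; next }
        /^Tokens:/ || /^Digests:/ { section = "other"; next }
        section == "keyslots" && /^[[:space:]]*[0-9]+: luks2/ {
            slot = $1; sub(":", "", slot)
        }
        section == "keyslots" && /^[[:space:]]*PBKDF:/ {
            if ($2 == "pbkdf2" || $2 == "argon2i") print slot, $2
        }
    '
}

# Constructed sample of LUKS2 luksDump output (shortened; not a real device):
# keyslot 0 still uses argon2i, keyslot 1 has already been converted to argon2id.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117000
'

sample_version()    { printf '%s' "$SAMPLE_DUMP" | luks_version; }
sample_weak_slots() { printf '%s' "$SAMPLE_DUMP" | weak_keyslots; }
# Real use (as root): cryptsetup luksDump /dev/whatever | weak_keyslots
```

Each slot the script lists is one `cryptsetup luksConvertKey /dev/whatever --pbkdf argon2id` run, entering that slot's passphrase when prompted.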