Hi Martin,

afaik the hash is solely used for key candidate verification and does
not really take part in the encryption itself. So yes, switching the
hash algorithm should be as easy as updating the whole LUKS header.

Regards
-Sven

P.S.: I am not sure, but I think you might need to resupply all keyslots
again too, but I could be wrong about that.

On Sat, July 18, 2009 06:31, martin f. krafft wrote:
> also sprach Roscoe <eocsor@xxxxxxxxx> [2009.07.18.0303 +0200]:
>> No, it's not possible to use two different hashes, this is simply
>> because there is only one hash spec field. To do so would require
>> using a different on disk format to LUKS.
>
> Hm, sounds a bit like a design shortcoming.
>
>> It would be possible to change from sha1 to another hash for all your
>> key slots, it would merely require decrypting each keyslot using
>> PBKDF2/sha1, and then re-encrypting using PBKDF2/newhash.
>>
>> That's a bit of screwing around coding a niche functionality.
>
> cryptsetup cannot do this though, right?
>
>> What I'd like to see is -h support for LUKS in cryptsetup, the
>> ability to print the bulk payload key and the ability to specify
>> the bulk payload key with luksFormat (which is useful in other
>> circumstances too). That way one could achieve what you desire
>> pretty easily..
>
> I don't understand. Are you saying that I'd use luksFormat just to
> install a new header for an existing crypted filesystem, and since
> I am supplying the same old key (this time hashed differently), it
> should just work?
>
> --
> martin | http://madduck.net/ | http://two.sentenc.es/
>
> when everything is coming your way, you're in the wrong lane.
>
> spamtraps: madduck.bogus@xxxxxxxxxxx

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
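The keyslot re-wrapping described in the quoted text above (open each slot with PBKDF2/sha1, wrap the same master key again with PBKDF2/newhash, recompute the master-key digest), as an added Python example that is not part of the thread and not cryptsetup code. Assumptions: the header is a simplified in-memory dict rather than the LUKS on-disk format, XOR with the PBKDF2 output stands in for LUKS's cipher and anti-forensic splitter, and all function and field names are hypothetical.

```python
import hashlib, hmac, os

def kdf(hash_spec, secret, salt, iters, length):
    return hashlib.pbkdf2_hmac(hash_spec, secret, salt, iters, length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_slot(hash_spec, passphrase, master_key, iters):
    salt = os.urandom(32)
    # Stand-in for LUKS's cipher + AF split: XOR with the passphrase-derived key.
    slot_key = kdf(hash_spec, passphrase, salt, iters, len(master_key))
    return {"salt": salt, "iters": iters, "wrapped": xor(master_key, slot_key)}

def make_header(hash_spec, master_key, passphrases, iters=1000):
    salt = os.urandom(32)
    return {"hash_spec": hash_spec, "mk_salt": salt, "mk_iters": iters,
            # 20-byte digest used only to verify a candidate master key.
            "mk_digest": kdf(hash_spec, master_key, salt, iters, 20),
            "slots": [make_slot(hash_spec, p, master_key, iters) for p in passphrases]}

def open_slot(header, index, passphrase):
    """Return the master key if the passphrase fits this slot, else None."""
    h, s = header["hash_spec"], header["slots"][index]
    slot_key = kdf(h, passphrase, s["salt"], s["iters"], len(s["wrapped"]))
    candidate = xor(s["wrapped"], slot_key)
    digest = kdf(h, candidate, header["mk_salt"], header["mk_iters"], 20)
    return candidate if hmac.compare_digest(digest, header["mk_digest"]) else None

def rehash_header(header, passphrases, new_hash):
    """Build a header under new_hash; the master key (and payload) is unchanged."""
    if len(passphrases) != len(header["slots"]):
        raise ValueError("one passphrase per keyslot is required")
    keys = [open_slot(header, i, p) for i, p in enumerate(passphrases)]
    if None in keys:
        raise ValueError("a passphrase did not open its keyslot")
    # Each slot key is derived from its passphrase, so each slot is re-wrapped
    # from its own passphrase even though all slots hold the same master key.
    return make_header(new_hash, keys[0], passphrases, header["mk_iters"])

if __name__ == "__main__":
    mk = bytes(range(32))  # constructed sample master key
    old = make_header("sha1", mk, [b"alpha", b"bravo"])
    new = rehash_header(old, [b"alpha", b"bravo"], "sha256")
    print(new["hash_spec"], open_slot(new, 1, b"bravo") == mk)
```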