On 12/11/2012 04:34 PM, Erik Logtenberg wrote: > So there are at least two methods of extracting a master key. Now if I > would suspect that a machine, that has a luks volume mounted, was > compromised to the extent that someone had temporaryly gained root > access, I would not only have to reset (all) passwords after fixing the > security hole, but also I would have to create a new master key to be sure. So attacker had already access to your mounted backup in plaintext and could change anything there. > > Is the cryptsetup-reencrypt tool also meant for that purpose? yes, in fact changing volume (master) key was primary use for it. Read http://asalor.blogspot.cz/2012/08/re-encryption-of-luks-device-cryptsetup.html (But always be sure you have backup. Backup of backup in your case :) Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt