On 12/18/2013 05:13 PM, Arno Wagner wrote:
> DO NOT EDIT THE HEADER. This will make your LUKS container
> inaccessible until you reverse the changes. What you now
> have is an aes-xts-plain64:sha512 container. You do not have
> ESSIV anywhere in there, XTS is an alternative to CBC-ESSIV.
>
> That said, if you want another cipher or mode, easiest way is
> to re-create the container. A bit harder and risky without
> backup is to use Milan's reencryption tool.

Well, I fully agree.. but this case is kind of special.

The dmcrypt plain64 IV doesn't take additional arguments
(kernel should probably not allow to use them and not silently ignore it...)
so plain64 is exactly the same as plain64:sha512.

So properly editing header should help, but you have to be very careful.
(Use backup file, allow write access to it and edit in some good hexa editor
and restore it). Even one bit mistake in keyslot area and your data are gone...

Really, if you can recreate whole device it could be better.
(Reencryption using cryptsetup-reencrypt is an option as well, but it will
take long time.)

Milan

>
> Arno
>
> On Wed, Dec 18, 2013 at 12:45:39 CET, FLD wrote:
>> I accidentally created a luks container using option --cipher
>> aes-xts-plain64:sha512. Everything seems to be working correctly and
>> luksDump shows: "Cipher mode: xts-plain64:sha512". I wonder if I
>> should hexedit the header manually and replace the ":sha512" part with
>> nulls since the proper format would be just "xts-plain64" since the
>> cipher does not need a hash for the ESSIV?
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> http://www.saout.de/mailman/listinfo/dm-crypt
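
A read-only way to check a header backup for the situation discussed in this thread, as an added example that is not part of the original messages and not cryptsetup code: it parses the cipher fields at the start of a LUKS1 header and reports an option attached to the plain64 IV. The function names and the sample header bytes are constructed for illustration; the field layout assumed is the LUKS1 on-disk format (6-byte magic, 16-bit version, then three 32-byte strings).

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header: magic[6], version (u16, big-endian),
# cipher-name[32], cipher-mode[32], hash-spec[32] -> 104 bytes in total.
HDR = struct.Struct(">6sH32s32s32s")


def _cstr(raw):
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_cipher(header):
    """Return the cipher fields of a LUKS1 header without modifying anything."""
    if len(header) < HDR.size:
        raise ValueError("header too short")
    magic, version, name, mode, hash_spec = HDR.unpack_from(header)
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    mode = _cstr(mode)
    # Mode string is "<chaining>-<iv>[:<iv option>]", e.g. "xts-plain64:sha512".
    chain, _, iv_spec = mode.partition("-")
    iv, _, iv_opt = iv_spec.partition(":")
    return {"cipher": _cstr(name), "cipher_mode": mode, "chain": chain,
            "iv": iv, "iv_opt": iv_opt, "hash_spec": _cstr(hash_spec)}


def redundant_iv_option(info):
    """True when plain64 carries an option, which per the thread it does not use."""
    return info["iv"] == "plain64" and info["iv_opt"] != ""


def build_sample_header(mode):
    """Constructed sample: only the cipher fields are filled, the rest is zeros."""
    head = HDR.pack(LUKS1_MAGIC, 1, b"aes", mode.encode("ascii"), b"sha1")
    return head.ljust(592, b"\0")


if __name__ == "__main__":
    info = parse_luks1_cipher(build_sample_header("xts-plain64:sha512"))
    print(info["cipher_mode"], "-> redundant IV option:", redundant_iv_option(info))
```

To inspect a real container, pass the first 104 bytes of a header backup file opened read-only with `open(path, "rb")`; nothing in the block writes to the file.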