On 29 Oct 2015 17:28 -0500, from xxiao8@xxxxxxxxxx (xxiao8):
> I had a one liner change in my cryptsetup script (see below), as
> long as the key-file is the same, I can keep using the content on
> the hard-drive, which is a surprise to me. Doesn't
> switch-to-aes-xts-plain64 mandate a reformat of the hard drive? am I
> missing something?

What do you mean by "keep using the content"?

If the luksFormat is run while the container is unmounted, I don't see how you could retain access to the encrypted content in any meaningful way, even if you were to use the same algorithm, unless you are using an external LUKS header; even if you use the same key file and/or passphrase, the luksFormat causes the header to be rewritten with a different encryption key, which will all but ensure that the data will no longer make any sense whatsoever.

> Changing from
> cryptsetup -v -c "aes-cbc-essiv:sha256" --key-size 256 --key-file
> /etc/keys/sda1.key luksFormat --use-random /dev/sda1
>
> to
> cryptsetup -v -c "aes-xts-plain64" --hash sha256 --key-size 512
> --key-file /etc/keys/sda1.key luksFormat --use-random /dev/sda1

-- 
Michael Kjörling • https://michael.kjorling.se • michael@xxxxxxxxxxx
“People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup)
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
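The point made in the reply above, as an added example that is not part of the original message or of cryptsetup: a simplified Python model of the LUKS key hierarchy in which each format draws a fresh random master key and only wraps it under the key file. The XOR keyslot wrap, the hash-based sector cipher, the low iteration count, the sample key file and the idea of keeping a copy of the pre-format header are all assumptions of this model.

```python
import hashlib, hmac, os

ITER = 1000  # low iteration count so the model runs fast; real headers use far more

def _kdf(secret, salt, n):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def luks_format(key_file, key_size=64):
    """Model of luksFormat: draw a NEW random master key and wrap it under key_file."""
    master_key = os.urandom(key_size)
    slot_salt, mk_salt = os.urandom(32), os.urandom(32)
    return {
        "key_size": key_size,
        "slot_salt": slot_salt,
        # XOR stands in for the real keyslot encryption and anti-forensic split
        "slot": _xor(master_key, _kdf(key_file, slot_salt, key_size)),
        "mk_salt": mk_salt,
        "mk_digest": _kdf(master_key, mk_salt, 20),
    }

def luks_open(header, key_file):
    """Unwrap the master key; return None if key_file does not match the keyslot."""
    n = header["key_size"]
    candidate = _xor(header["slot"], _kdf(key_file, header["slot_salt"], n))
    ok = hmac.compare_digest(_kdf(candidate, header["mk_salt"], 20), header["mk_digest"])
    return candidate if ok else None

def crypt_sector(master_key, sector_no, data):
    """Toy sector cipher (hash keystream, NOT AES-XTS); same call encrypts and decrypts."""
    stream = hashlib.shake_256(master_key + sector_no.to_bytes(8, "little")).digest(len(data))
    return _xor(data, stream)

def demo():
    key_file = b"constructed key file contents"      # constructed sample, same for both formats
    plaintext = b"filesystem superblock".ljust(64, b"\0")
    old_header = luks_format(key_file, key_size=32)   # first format, 256-bit key
    on_disk = crypt_sector(luks_open(old_header, key_file), 0, plaintext)
    new_header = luks_format(key_file, key_size=64)   # second format, 512-bit key
    via_new = crypt_sector(luks_open(new_header, key_file), 0, on_disk)
    via_old = crypt_sector(luks_open(old_header, key_file), 0, on_disk)
    return {
        "new_header_opens": luks_open(new_header, key_file) is not None,
        "data_readable_via_new_header": via_new == plaintext,
        "data_readable_via_old_header_copy": via_old == plaintext,
    }

if __name__ == "__main__":
    print(demo())
```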