I recently set up a Debian Squeeze system, using the installer's option to 
encrypt the hard disk. It's working very well  :-)

Good practice dictates that I should change the pass-phrase for this disk from 
time to time, but my research ([1],[2]) suggests this is not 
straightforward because of the scheme used by the installer.

The installer uses 'dm-crypt' to encrypt the drive, rather than the full LUKS 
system - and 'dm-crypt' generates the encryption key directly from the pass-
phrase, rather than storing the encryption key in an on-volume "header" 
protected by the pass-phrase.  Therefore, changing the pass-phrase requires 
all data to be decrypted and re-encrypted - a slow and cumbersome process.

This must be done either in situ (which is dangerous) or using a second  
filesystem (which is expensive on disk space).

Just to put my mind at rest (...), can anyone here confirm my understanding:  
the passphrase on a Debian-6.0 installer-encrypted disk volume can't currently 
be changed unless you unload all the data, re-create the volume with a new 
pass-phrase, and reload the data ?


Refs:

[1] http://www.saout.de/misc/dm-crypt/  
  (FAQ section)

Q: What if I want to change my passphrase?
A: At the moment you'll need to reencrypt your device because the passphrase 
is directly tied to the key .... If you want to reencrypt your filesystem 
you'll have to recreate a new one and move your files.

[2] http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
  (question 6.11)

Q: What does the on-disk structure of dm-crypt look like? 
A: There is none. dm-crypt takes a block device and gives encrypted access to 
each of its blocks with a key derived from the passphrase given ... If you 
want to change the password, you basically have to create a second encrypted 
device with the new passphrase and copy your data over


Thanks in advance,
Nick Boyce
-- 
Never FDISK after midnight
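
The message above turns on whether a volume carries an on-volume header or has its key generated directly from the pass-phrase, and that can be checked by looking for the header at the start of the device. This is an added example, not part of the original post and not cryptsetup's own code: a Python parser for the LUKS1 header layout, where the function names and the sample header are constructed for illustration.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of every LUKS header
SLOT_ACTIVE = 0x00AC71F3       # LUKS1 key-slot state "in use"
SLOT_DISABLED = 0x0000DEAD     # LUKS1 key-slot state "empty"
# LUKS1 on-disk layout, big-endian: 208-byte header, then 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
LUKS1_SIZE = PHDR.size + 8 * SLOT.size   # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_volume(first_bytes):
    """Report whether the start of a device carries a LUKS header and key slots."""
    if len(first_bytes) < 8 or first_bytes[:6] != LUKS_MAGIC:
        # No header: plain dm-crypt (which stores no metadata at all),
        # an unencrypted filesystem, or anything else.
        return {"format": "no LUKS header"}
    version = struct.unpack(">H", first_bytes[6:8])[0]
    if version != 1 or len(first_bytes) < LUKS1_SIZE:
        return {"format": "LUKS", "version": version}
    fields = PHDR.unpack_from(first_bytes)
    cipher, mode, payload, key_bytes = fields[2], fields[3], fields[5], fields[6]
    # An active slot holds the volume key wrapped under a pass-phrase.
    active = [i for i in range(8)
              if SLOT.unpack_from(first_bytes, PHDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    return {"format": "LUKS", "version": 1,
            "cipher": _text(cipher) + "-" + _text(mode),
            "key_bytes": key_bytes, "payload_sector": payload,
            "active_slots": active}


def build_sample_header():
    """Constructed LUKS1 header with only slot 0 in use (not from a real disk)."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ACTIVE, 100000, bytes(32), 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return hdr + slots


if __name__ == "__main__":
    # Pass a device or image path (raw devices need root); default is the sample.
    data = open(sys.argv[1], "rb").read(LUKS1_SIZE) if len(sys.argv) > 1 else build_sample_header()
    print(inspect_volume(data))
```

A result of "no LUKS header" does not by itself identify plain dm-crypt, since that mode leaves nothing on disk to recognise.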

