tech:notes_luks_cryptsetup
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Prochaine révision | Révision précédente | ||
| tech:notes_luks_cryptsetup [2025/03/24 15:06] – créée - modification externe 127.0.0.1 | tech:notes_luks_cryptsetup [2025/04/18 09:57] (Version actuelle) – Jean-Baptiste | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| - | {{tag> | + | < |
| + | {{tag> | ||
| - | = Notes luks cryptsetup | + | # Notes luks cryptsetup |
| Voir aussi : | Voir aussi : | ||
| * https:// | * https:// | ||
| * homectl | * homectl | ||
| + | * Clevis / Tang Server | ||
| Add a new passphrase | Add a new passphrase | ||
| - | < | + | ~~~bash |
| cryptsetup luksAddKey / | cryptsetup luksAddKey / | ||
| - | </ | + | ~~~ |
| - | < | + | ~~~bash |
| cryptsetup luksDump /dev/sda2 | cryptsetup luksDump /dev/sda2 | ||
| - | </ | + | ~~~ |
| - | == Upgrade your LUKS key derivation function | + | ## Upgrade your LUKS key derivation function |
| Source : | Source : | ||
| - | * [[https:// | + | * [Upgrade your LUKS key derivation function](https:// |
| - | ** https:// | + | * https:// |
| - | < | + | ~~~bash |
| lsblk | lsblk | ||
| sudo cryptsetup luksHeaderBackup / | sudo cryptsetup luksHeaderBackup / | ||
| - | </ | + | ~~~ |
| Copy that to a USB stick or something. If something goes wrong here you'll be able to boot a live image and run | Copy that to a USB stick or something. If something goes wrong here you'll be able to boot a live image and run | ||
| - | < | + | ~~~bash |
| sudo cryptsetup luksHeaderRestore / | sudo cryptsetup luksHeaderRestore / | ||
| - | </ | + | ~~~ |
| to restore it. | to restore it. | ||
| Ligne 38: | Ligne 40: | ||
| Next, run | Next, run | ||
| - | < | + | ~~~bash |
| sudo cryptsetup luksDump / | sudo cryptsetup luksDump / | ||
| - | </ | + | ~~~ |
| and look for the Version: line. If it's version 1, you need to update the header to LUKS2. Run | and look for the Version: line. If it's version 1, you need to update the header to LUKS2. Run | ||
| - | < | + | ~~~bash |
| sudo cryptsetup convert / | sudo cryptsetup convert / | ||
| - | </ | + | ~~~ |
| and follow the prompts. Make sure your system still boots, and if not go back and restore the backup of your header. Assuming everything is ok at this point, run | and follow the prompts. Make sure your system still boots, and if not go back and restore the backup of your header. Assuming everything is ok at this point, run | ||
| - | < | + | ~~~bash |
| sudo cryptsetup luksDump / | sudo cryptsetup luksDump / | ||
| - | </ | + | ~~~ |
| again and look for the PBKDF: line in each keyslot (pay attention only to the keyslots, ignore any references to pbkdf2 that come after the Digests: line). If the PBKDF is either **pbkdf2** or **argon2i** you should convert to **argon2id**. Run the following: | again and look for the PBKDF: line in each keyslot (pay attention only to the keyslots, ignore any references to pbkdf2 that come after the Digests: line). If the PBKDF is either **pbkdf2** or **argon2i** you should convert to **argon2id**. Run the following: | ||
| - | < | + | ~~~bash |
| sudo cryptsetup luksConvertKey / | sudo cryptsetup luksConvertKey / | ||
| - | </ | + | ~~~ |
| and follow the prompts. If you have multiple passwords associated with your drive you'll have multiple keyslots, and you'll need to repeat this for each password. | and follow the prompts. If you have multiple passwords associated with your drive you'll have multiple keyslots, and you'll need to repeat this for each password. | ||
tech/notes_luks_cryptsetup.1742825205.txt.gz · Dernière modification : de 127.0.0.1