Replacing with a different master key

In this scenario, the old cryptographic coprocessor still exists. All the secure keys generated on this coprocessor were generated from random keys.

Before you begin

As an alternative to the procedure described here, you can create a new encrypted volume and migrate the data there (see Migrating to an encrypted LVM physical volume or Migrating data to a new encrypted volume.
Important: If you use the approach described in this task, be sure to have a backup of the data on your volume in case the system crashes or a media error occurs during the re-encryption. In contrast to the mentioned alternatives, this re-encryption works on the volume in-place.

Procedure

  1. Generate a new secure key on the new cryptographic coprocessor using zkey generate.
    Store the new secure key in the secure key repository.

    To generate a secure key on a specific APQN, use option --apqns with the zkey generate command and specify the desired APQN. This is only possible when generating secure keys in the secure key repository. For example, enter:

    # zkey generate --name new_secure_xtskey --keybits 256 --xts \
    --apqns <card.domain>

    Because the new secure key now also contains a new effective key, a next step for re-encrypting is required.

  2. Use the cryptsetup-reencrypt command to re-encipher all LUKS2 volumes that use the old secure key, with the new secure key from the secure key repository.
    The new LUKS2 volume key is stored in the LUKS2 header of the volumes at the end of the re-encryption.

    For example, enter:

    # cryptsetup reencrypt /dev/mapper/disk<n>  \
      --new-volume-key-file '/etc/zkey/repository/new_secure_xtskey.skey' \
      --new-key-size 1024   --cipher paes-xts-plain64 --pbkdf argon2i     \
      --pbkdf-memory 32 --pbkdf-force-iterations 4 /dev/loop0
    
    You can retrieve information about the just-created secure key file using the zkey list command. To limit the returned list to the desired secure key, use option --name to specify the secure key name. You find the secure key file name indicated by: Key file name (see Listing AES secure keys contained in the secure key repository).
    Note: The sample is shown for the LUKS2 online reencryption feature version 2.8.0 or later. Previous versions need to use parameters --volume-key-file and --key-size instead of --new-volume-key-file and --new-key-size.
    Important: Ensure that you have a backup copy of the volume that you want to re-encrypt. In case the system crashes or a media error occurs during re-encryption, your original data might be destroyed.
  3. Set the verification pattern into the LUKS2 header using the zkey-cryptsetup command.
    Issue a command similar to the following:
    # zkey-cryptsetup setvp /dev/mapper/disk<n>
  4. Remove the old cryptographic coprocessor and start using the new one.
    If you previously stored the old secure key in the secure key repository, remove it now and associate the new secure key with the re-encrypted volume. For example, enter:
    # zkey remove --name old_secure_xtskey
    # zkey change --name new_secure_xtskey --volumes /dev/mapper/disk<n>:enc-disk<n> \
       --volume-type LUKS2 --sector-size 4096
    Note: Ensure that the sector size for encryption or decryption of the volume is the same for the old and the new secure key. The example assumes that a sector size of 4096 bytes was used for encrypting or decrypting the volume with both the old and the new secure key.

    For details see Removing AES secure keys and Changing AES secure keys.