Re-encrypting a LUKS volume from clear key to secure key on the same volume

This use case demonstrates how to convert a LUKS1 or LUKS2 volume that is encrypted with a clear key only into a secure-key-encrypted LUKS2 volume.

Before you begin

The described procedure is only possible with cryptsetup version 2.0.4 or later.
Note: At the time of writing, the LUKS2 online re-encryption feature, which was added to cryptsetup in version 2.2.0, did not work with the PAES cipher.

Important: Ensure that you have a backup copy of the volume that you want to re-encrypt. If the system crashes or a media error occurs during re-encryption, your original data might be destroyed.

About this task

You can either have the encrypted volume as a stand-alone volume or as a physical volume as part of an LVM volume group. In this use case, it is assumed that the volume is already protected by a clear key managed by LUKS1 or LUKS2.

Procedure

  1. If your volume uses the LUKS1 format, you must convert it to LUKS2.
    Use the cryptsetup convert command for this purpose. This requires that the volume is not mounted and not opened. Close it first using cryptsetup luksClose.
    Important: Always create a header backup before performing this operation. Refer to the cryptsetup man page for more information.
    
    # cryptsetup convert --type luks2 /dev/mapper/disk9
    
    WARNING!
    ========
    This operation will convert /dev/mapper/disk9 to LUKS2 format.
    
    
    Are you sure? (Type uppercase yes): YES
    
    # cryptsetup luksDump /dev/mapper/disk9
    LUKS header information
    Version:        2
    Epoch:          2
    Metadata area:  12288 bytes
    UUID:           5d6495ba-b6f9-43c5-883f-dff56f10c72a
    Label:          (no label)
    Subsystem:      (no subsystem)
    Flags:          (no flags)
    ...
    
  2. Generate a secure key for /dev/mapper/disk9 in the secure key repository. See step 1 from Creating a volume for pervasive encryption.
    # zkey generate --name secure_xtskey9 --key-type CCA-AESCIPHER --keybits 256 --xts \
    --volumes /dev/mapper/disk9:enc-disk9 --volume-type LUKS2 \
    --apqns 03.0039,04.0039 
    This creates the secure key file secure_xtskey9.skey as an AES CIPHER key in the directory of the secure key repository: /etc/zkey/repository/.
  3. Re-encrypt the volume with the generated secure key and the PAES cipher.
    
    # cryptsetup-reencrypt /dev/mapper/disk9 --cipher paes-xts-plain64 \
      --master-key-file /etc/zkey/repository/secure_xtskey9.skey --key-size 2176
    Enter passphrase for key slot 0: disk9pw
    ...
    Progress:  63.7%, ETA 03:43, 13004 MiB written, speed  34.2 MiB/s
    ...
    Finished, time 11:22.750, 20478 MiB written, speed  30.0 MiB/s
    
  4. Set the verification pattern in the LUKS2 header using the zkey-cryptsetup command.
    # zkey-cryptsetup setvp /dev/mapper/disk9
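The following shell script is an added pre-flight helper; it is not part of this documentation, nor of the cryptsetup or zkey tools. It wraps step 1 with the checks a careful administrator makes before touching the volume: cryptsetup is at least version 2.0.4, the device carries a LUKS header, the mapping is closed, a header backup has been written, and cryptsetup convert is only run when the header really is LUKS1. It also checks that the length of the secure key file, in bits, matches the --key-size value passed to cryptsetup-reencrypt in step 3 (2176 bits, that is a 272-byte key file). The device path, mapping name and backup directory are assumed command-line arguments; the two luksDump texts at the end are constructed samples used only to self-check the parser offline.

```sh
#!/bin/sh
# Added pre-flight helper for the procedure above. It is not part of this
# documentation, cryptsetup or zkey. Assumed inputs: the block device, the
# dm-crypt mapping name used when the volume is opened, and a backup directory.

REQUIRED_CRYPTSETUP=2.0.4   # minimum version stated under "Before you begin"

fail() { echo "error: $*" >&2; exit 1; }

# Return 0 if dotted version $1 is greater than or equal to dotted version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print the LUKS header version (1 or 2) found in the text of a luksDump run ($1).
luks_version_from_dump() {
    printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'
}

# Print the size of a key file in bits; cryptsetup expects --key-size to match it.
key_bits_from_file() {
    echo $(( $(wc -c < "$1") * 8 ))
}

# Abort unless the secure key file ($1) holds exactly $2 key bits (step 3 uses 2176).
check_key_size() {
    bits=$(key_bits_from_file "$1")
    [ "$bits" -eq "$2" ] || fail "$1 holds $bits key bits, but --key-size $2 was requested"
}

# Step 1 with guards: $1 = device, $2 = mapping name, $3 = header backup directory.
preflight_and_convert() {
    dev=$1; name=$2; backup_dir=$3

    ver=$(cryptsetup --version | awk '{ print $2 }')
    version_ge "$ver" "$REQUIRED_CRYPTSETUP" ||
        fail "cryptsetup $ver found; the procedure needs $REQUIRED_CRYPTSETUP or later"

    cryptsetup isLuks "$dev" || fail "$dev does not carry a LUKS header"

    # convert requires a closed volume; check before writing anything
    if cryptsetup status "$name" >/dev/null 2>&1; then
        fail "$name is still open; close it first with: cryptsetup luksClose $name"
    fi

    # header backup first, as the procedure insists
    backup="$backup_dir/$(basename "$dev").luks-header.$(date +%Y%m%d%H%M%S)"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" ||
        fail "header backup to $backup failed"
    echo "LUKS header backed up to $backup"

    case $(luks_version_from_dump "$(cryptsetup luksDump "$dev")") in
        2) echo "$dev is already LUKS2; no conversion needed" ;;
        1) cryptsetup convert --type luks2 "$dev" || fail "conversion of $dev failed" ;;
        *) fail "could not determine the LUKS version of $dev" ;;
    esac
}

# Constructed samples for self-checking the parser offline: the first is the
# luksDump output shown in step 1, the second a minimal LUKS1-style header dump.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          2
Metadata area:  12288 bytes
UUID:           5d6495ba-b6f9-43c5-883f-dff56f10c72a'
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/mapper/disk9

Version:        1
Cipher name:    aes'

# Usage: sh preflight.sh /dev/mapper/disk9 enc-disk9 /root/luks-header-backups
if [ "$#" -eq 3 ]; then
    preflight_and_convert "$1" "$2" "$3"
fi
```

The conversion itself is left interactive, so cryptsetup still asks for the uppercase YES confirmation shown in step 1. Run check_key_size against the generated .skey file before step 3; a mismatch between the file length and --key-size is the most common reason cryptsetup-reencrypt refuses the master key file.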

Results

You now have the original volume re-encrypted with a secure key using the LUKS2 format.