Please Note:

Upgrade from SafeNet ProtectApp LUKS 8.4.0 to SafeNet ProtectApp LUKS 8.5.0

Perform the steps mentioned below to upgrade tfrom SafeNet ProtectApp LUKS 8.4.0 to SafeNet ProtectApp LUKS 8.5.0.

Run the following command to verify the status of the encrypted volume:

cryptsetup -v status backup

Output:

/dev/mapper/backup is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb
  offset:  4096 sectors
  size:    33550336 sectors
  mode:    read/write
Command successful.

Dump the existing header information of the LUKS device.

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/diskname
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                    a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

    Key Slot 0: ENABLED
            Iterations:             779298
            Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                    ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
            Key material offset:    8
            AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

To add a backup key and provide the existing LUKS passphrase (LUKS key) to /dev/<diskname> LUKS encrypted partition, run the following command:
```
cryptsetup luksAddKey /dev/diskname
```
Output:
```
Enter any existing passphrase:<enter passphrase of 8.4.0>
```
In a new terminal, open /etc/ks_user_config file, and change the parameter 'enable'='yes' to 'no' and provide a new passphrase.
```
Enter new passphrase for key slot:<any passphrase>
Verify passphrase:<enter the same password>
```

To verify if the cryptsetup is working.

Close the encrypted disk.
```
cryptsetup luksClose backup
```

Check the status.

cryptsetup -v status backup

Output:

/dev/mapper/backup is inactive.

Open the encrypted disk.
```
cryptsetup luksOpen /dev/diskname backup
```
Output:
```
Enter passphrase for /dev/diskname:
```
Note
Enter the new passphrase which you have provided previously in step 4.

Check status.

cryptsetup -v status backup

Output:

/dev/mapper/backup is active.
    type:    LUKS1
    cipher:  aes-xts-plain64
    keysize: 256 bits
    device:  /dev/sdb
    offset:  4096 sectors
    size:    33550336 sectors
    mode:    read/write
Command successful.

To verify the header information of the LUKS device, run the following command:

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/diskname

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             780486
        Salt:                   7d d0 ed f4 39 90 97 20 7d 89 d4 40 4b f3 8b 73
                                27 f9 5c b6 d9 96 83 3c 8d 56 ef c9 b3 a2 13 1f
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Now install the LUKS 8.5.0 build, and configure both ks_user_config and ks_config files with the same configuration used in LUKS 8.4.0 in /etc directory. Keep the parameter 'enable'= no in the ks_user_config file.

To add a key with an existing passphrase, run the following command:

cryptsetup luksAddKey /dev/diskname

Output

Enter any existing passphrase:<Enter the cryptsetup password>

In a new terminal, open /etc/ks_user_config file, and change the parameter 'enable'=no to 'yes' and provide a new passphrase.
```
Enter new passphrase for key slot:<Passphrase of the CM>
Verify passphrase:<Passphrase of the CM>
```

This completes the upgrade from LUKS 8.4.0 to LUKS 8.5.0.

If you want to remove a key slot, perform the folowing steps:

View Key slot ID.

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             781677
        Salt:                   c7 cd b7 df 85 6c 04 4f 66 b3 77 48 8f 17 b3 e7
                                01 5a 54 93 0a 1f 91 92 a1 0d 75 1d 8d 4e dc fd
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             800438
        Salt:                   4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b
                                9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

To remove a key from the key slot, open /etc/ks_user_config file, and change the parameter 'enable'=yes to 'no'. Run the following command and enter the pasphrase.
```
cryptsetup luksRemoveKey /dev/diskname
```
Output
```
Enter passphrase to be deleted:<Enter the cryptsetup password of the Keyslot to be removed>
```

View Key slot ID.

cryptsetup luksDump /dev/diskname

Output

LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             800438
        Salt:                   4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b
                                9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Tip

In the above output, you can observe that Keyslot 1 is successfuly removed after running the cryptsetup luksRemoveKey /dev/diskname command.

Suggest A Change

Upgrade from SafeNet ProtectApp LUKS 8.4.0 to SafeNet ProtectApp LUKS 8.5.0

On this page