Upgrade from SafeNet ProtectApp LUKS 8.4.0 to SafeNet ProtectApp LUKS 8.5.0
Perform the steps mentioned below to upgrade from SafeNet ProtectApp LUKS 8.4.0 to SafeNet ProtectApp LUKS 8.5.0.

Run the following command to verify the status of the encrypted volume:

    cryptsetup -v status backup

Output:

    /dev/mapper/backup is active.
      type:    LUKS1
      cipher:  aes-xts-plain64
      keysize: 256 bits
      device:  /dev/sdb
      offset:  4096 sectors
      size:    33550336 sectors
      mode:    read/write
    Command successful.

Dump the existing header information of the LUKS device.

    cryptsetup luksDump /dev/diskname

Output:

    LUKS header information for /dev/diskname
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df
    Key Slot 0: ENABLED
        Iterations:          779298
        Salt:                0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset: 8
        AF stripes:          4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

To add a backup key to the /dev/<diskname> LUKS encrypted partition, providing the existing LUKS passphrase (LUKS key), run the following command:

    cryptsetup luksAddKey /dev/diskname

Output:

    Enter any existing passphrase:<enter passphrase of 8.4.0>

In a new terminal, open the /etc/ks_user_config file, change the parameter 'enable'='yes' to 'no', and provide a new passphrase.

    Enter new passphrase for key slot:<any passphrase>
    Verify passphrase:<enter the same password>

To verify that cryptsetup is working:
Close the encrypted disk.

    cryptsetup luksClose backup

Check the status.

    cryptsetup -v status backup

Output:

    /dev/mapper/backup is inactive.

Open the encrypted disk.

    cryptsetup luksOpen /dev/diskname backup

Output:

    Enter passphrase for /dev/diskname:

Note: Enter the new passphrase which you have provided previously in step 4.

Check status.

    cryptsetup -v status backup

Output:

    /dev/mapper/backup is active.
      type:    LUKS1
      cipher:  aes-xts-plain64
      keysize: 256 bits
      device:  /dev/sdb
      offset:  4096 sectors
      size:    33550336 sectors
      mode:    read/write
    Command successful.

To verify the header information of the LUKS device, run the following command:

    cryptsetup luksDump /dev/diskname

Output:

    LUKS header information for /dev/diskname
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df
    Key Slot 0: ENABLED
        Iterations:          779298
        Salt:                0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset: 8
        AF stripes:          4000
    Key Slot 1: ENABLED
        Iterations:          780486
        Salt:                7d d0 ed f4 39 90 97 20 7d 89 d4 40 4b f3 8b 73 27 f9 5c b6 d9 96 83 3c 8d 56 ef c9 b3 a2 13 1f
        Key material offset: 264
        AF stripes:          4000
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

Now install the LUKS 8.5.0 build, and configure both ks_user_config and ks_config files with the same configuration used in LUKS 8.4.0 in the /etc directory. Keep the parameter 'enable'= no in the ks_user_config file.

To add a key with an existing passphrase, run the following command:

    cryptsetup luksAddKey /dev/diskname

Output:

    Enter any existing passphrase:<Enter the cryptsetup password>

In a new terminal, open the /etc/ks_user_config file, change the parameter 'enable'=no to 'yes', and provide a new passphrase.

    Enter new passphrase for key slot:<Passphrase of the CM>
    Verify passphrase:<Passphrase of the CM>

This completes the upgrade from LUKS 8.4.0 to LUKS 8.5.0.

If you want to remove a key slot, perform the following steps:

View Key slot ID.

    cryptsetup luksDump /dev/diskname

Output:

    LUKS header information for /dev/sdb
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df
    Key Slot 0: ENABLED
        Iterations:          779298
        Salt:                0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset: 8
        AF stripes:          4000
    Key Slot 1: ENABLED
        Iterations:          781677
        Salt:                c7 cd b7 df 85 6c 04 4f 66 b3 77 48 8f 17 b3 e7 01 5a 54 93 0a 1f 91 92 a1 0d 75 1d 8d 4e dc fd
        Key material offset: 264
        AF stripes:          4000
    Key Slot 2: ENABLED
        Iterations:          800438
        Salt:                4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b 9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset: 520
        AF stripes:          4000
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

To remove a key from the key slot, open the /etc/ks_user_config file, and change the parameter 'enable'=yes to 'no'. Run the following command and enter the passphrase.

    cryptsetup luksRemoveKey /dev/diskname

Output:

    Enter passphrase to be deleted:<Enter the cryptsetup password of the Keyslot to be removed>

View Key slot ID.

    cryptsetup luksDump /dev/diskname

Output:

    LUKS header information for /dev/sdb
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df
    Key Slot 0: ENABLED
        Iterations:          779298
        Salt:                0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset: 8
        AF stripes:          4000
    Key Slot 1: DISABLED
    Key Slot 2: ENABLED
        Iterations:          800438
        Salt:                4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b 9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset: 520
        AF stripes:          4000
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

Tip: In the above output, you can observe that Keyslot 1 is successfully removed after running the cryptsetup luksRemoveKey /dev/diskname command.
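
The luksDump checks in both procedures above can be scripted. The following is an added example, not part of the original page or vendor code: it lists the ENABLED key slots from LUKS1 luksDump text, confirms the MK digest is unchanged, and refuses a key removal that would leave no usable slot. The function names and the abbreviated sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Helper names and sample dumps are constructed.
# On a real host, feed the helpers with: cryptsetup luksDump /dev/diskname

# Print the numbers of ENABLED LUKS1 key slots, space-separated (e.g. "0 1").
enabled_slots() {
    awk '/^[ \t]*Key Slot [0-7]: ENABLED/ {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# Print the master-key digest; it must not change when key slots are edited.
mk_digest() {
    awk -F':[ \t]*' '/^[ \t]*MK digest:/ { print $2; exit }'
}

# Succeed only if at least two slots are ENABLED, i.e. removing one
# passphrase cannot leave the volume without any way to unlock it.
safe_to_remove_key() {
    set -- $(enabled_slots)
    [ "$#" -ge 2 ]
}

# Constructed, abbreviated dumps: before and after luksAddKey.
DUMP_BEFORE='MK digest: aa bb cc dd
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

DUMP_AFTER='MK digest: aa bb cc dd
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

echo "before: $(printf '%s\n' "$DUMP_BEFORE" | enabled_slots)"
echo "after:  $(printf '%s\n' "$DUMP_AFTER" | enabled_slots)"
if printf '%s\n' "$DUMP_BEFORE" | safe_to_remove_key; then
    echo "before: removal allowed"
else
    echo "before: removal refused, only one slot is enabled"
fi
```

Saving the luksDump output before each luksAddKey or luksRemoveKey and comparing it afterwards with these helpers shows exactly which slot changed while the MK digest stayed the same.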