Please Note:

Upgrade

Perform the steps mentioned below to upgrade ProtectApp LUKS:

Run the following command to verify the status of the encrypted volume:

cryptsetup -v status backup

Output:

/dev/mapper/backup is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb
  offset:  4096 sectors
  size:    33550336 sectors
  mode:    read/write
Command successful.

Dump the existing header information of the ProtectApp LUKS device.

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/diskname
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        256
    MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
    MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                    a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
    MK iterations:  97750
    UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

    Key Slot 0: ENABLED
            Iterations:             779298
            Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                    ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
            Key material offset:    8
            AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

To add a backup key and provide the existing ProtectApp LUKS passphrase (ProtectApp LUKS key) to /dev/<diskname> ProtectApp LUKS encrypted partition, run the following command:
```
cryptsetup luksAddKey /dev/diskname
```
Output:
```
Enter any existing passphrase:<enter passphrase of 8.4.0>
```
In a new terminal, open /etc/ks_user_config file, and change the parameter 'enable'='yes' to 'no' and provide a new passphrase.
```
Enter new passphrase for key slot:<any passphrase>
Verify passphrase:<enter the same password>
```

To verify if the cryptsetup is working.

Close the encrypted disk.
```
cryptsetup luksClose backup
```

Check the status.

cryptsetup -v status backup

Output:

/dev/mapper/backup is inactive.

Open the encrypted disk.
```
cryptsetup luksOpen /dev/diskname backup
```
Output:
```
Enter passphrase for /dev/diskname:
```
Note
Enter the new passphrase which you have provided previously in step 4.

Check status.

cryptsetup -v status backup

Output:

/dev/mapper/backup is active.
    type:    LUKS1
    cipher:  aes-xts-plain64
    keysize: 256 bits
    device:  /dev/sdb
    offset:  4096 sectors
    size:    33550336 sectors
    mode:    read/write
Command successful.

To verify the header information of the ProtectApp LUKS device, run the following command:

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/diskname

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             780486
        Salt:                   7d d0 ed f4 39 90 97 20 7d 89 d4 40 4b f3 8b 73
                                27 f9 5c b6 d9 96 83 3c 8d 56 ef c9 b3 a2 13 1f
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Now, install the ProtectApp LUKS build, and configure both ks_user_config and ks_config files available in /etc directory with the same configuration that is used in existing ProtectApp LUKS. Keep the parameter 'enable'= no in ks_user_config file.

To add a key with an existing passphrase, run the following command:

cryptsetup luksAddKey /dev/diskname

Output

Enter any existing passphrase:<Enter the cryptsetup password>

In a new terminal, open /etc/ks_user_config file, and change the parameter 'enable'=no to 'yes' and provide a new passphrase.
```
Enter new passphrase for key slot:<Passphrase of the CM>
Verify passphrase:<Passphrase of the CM>
```

This completes the upgrade to ProtectApp LUKS.

If you want to remove a key slot, perform the folowing steps:

View Key slot ID.

cryptsetup luksDump /dev/diskname

Output:

LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             781677
        Salt:                   c7 cd b7 df 85 6c 04 4f 66 b3 77 48 8f 17 b3 e7
                                01 5a 54 93 0a 1f 91 92 a1 0d 75 1d 8d 4e dc fd
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             800438
        Salt:                   4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b
                                9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

To remove a key from the key slot, open /etc/ks_user_config file, and change the parameter 'enable'=yes to 'no'. Run the following command and enter the pasphrase.
```
cryptsetup luksRemoveKey /dev/diskname
```
Output
```
Enter passphrase to be deleted:<Enter the cryptsetup password of the Keyslot to be removed>
```

View Key slot ID.

cryptsetup luksDump /dev/diskname

Output

LUKS header information for /dev/sdb
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      d3 8f 2d 67 55 45 6e ae fe 23 2f 74 81 12 c7 3e ff 13 19 71
MK salt:        29 bf bb af 33 09 f6 48 b4 49 7f cc 2f e7 ab 0c
                a2 5d d9 23 11 a3 67 a9 4b 6a f2 72 99 b4 77 61
MK iterations:  97750
UUID:           4ab93e73-a3b0-451e-912f-80229a9904df

Key Slot 0: ENABLED
        Iterations:             779298
        Salt:                   0e 18 89 f3 8a 80 21 ce c8 72 3b f5 63 1e 43 ff
                                ad 00 72 24 63 ff 08 0a a3 fe 17 1a 73 5b 9d 0e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             800438
        Salt:                   4c d2 34 b2 a6 85 cc 1f af bb 8b 19 1d bd f2 7b
                                9a 47 aa e1 8a 49 5a 0e a5 ba 62 ea 46 34 03 23
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Tip

In the above output, you can observe that Keyslot 1 is successfuly removed after running the cryptsetup luksRemoveKey /dev/diskname command.

Suggest A Change

Upgrade

On this page