add warning to order luksChangeKey and reencrypt

mbroz · Sep 29, 2024 · 3c00305 · 3c00305
1 parent 31bf986
commit 3c00305
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/man/cryptsetup-luksChangeKey.8.adoc b/man/cryptsetup-luksChangeKey.8.adoc
@@ -34,6 +34,10 @@ been wiped and make the LUKS container inaccessible. LUKS2 mitigates
 that by never overwriting existing keyslot area as long as there's
 a free space in keyslots area at least for one more LUKS2 keyslot.
 
+*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g.
+to recover from a leak) you need to use them in that order to not leak
+the new volume key.
+
 *NOTE:* some parameters are effective only if used with LUKS2 format
 that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
 algorithm is always the same for all keyslots.

diff --git a/man/cryptsetup-reencrypt.8.adoc b/man/cryptsetup-reencrypt.8.adoc
@@ -34,6 +34,9 @@ You can regenerate *volume key* (the real key used in on-disk encryption
 unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size*
 (LUKS2 only).
 
+*WARNING:* If you need to use both luksChangeKey and reencrypt (e.g. to recover
+from a leak) you need to use them in that order to not leak the new volume key.
+
 Reencryption process may be safely interrupted by a user via SIGINT
 signal (ctrl+c). Same applies to SIGTERM signal (i.e. issued by systemd
 during system shutdown).