Hi,

Thanks a lot! My tests around your commands look really promising: this is exactly what I've looked for.

Best Regards,

On Wed, 30 June 2021 at 11:10, Ondrej Kozina wrote:
> Hi,
>
> On 6/18/21 10:22 AM, Yoann CONGAL wrote:
> >
> > From what I understood of the internals of cryptsetup, it knows how to build the LUKS header but relies on the dm-crypt module of the kernel to do the actual data encryption. (Please correct me if I'm wrong)
>
> Yes, dm-crypt is usually only necessary to access data when a LUKS device is activated (unlocked). That said, there are some exceptions. For example when the crypto backend used in libcryptsetup (or kernel crypto API) does not support the used cipher/mode for some reason. In that case we fall back to using dm-crypt to perform encryption/decryption of LUKS keyslots. It also requires root privs in this corner case.
>
> >
> > So, I have two questions:
> > * Do you know of a tool that does the full LUKS image (header and data) fully in userland? (I did search for it and found nothing)
> > * If the above answer is "It does not exist yet", would you be open to its inclusion in cryptsetup? My guess is that a tightly managed intern may handle this.
>
> With the default cipher (aes) you can use the new LUKS2 reencryption code for that. A LUKS2 header (cryptsetup format) can already be created fully without the need to use dm-crypt, but if you need to encrypt existing data you can use the following command:
>
> This should work without root privs. It will create a separate detached LUKS2 header in :
>
>     cryptsetup reencrypt --encrypt --header --disable-locks
>
> For a header put in the beginning of the data file you can use:
>
>     cryptsetup reencrypt --encrypt --reduce-device-size 32M --disable-locks
>
> just bear in mind that my_data_file must have 32MiB spare space at the end (iow there should be no useful data at the end of the file).
>
> With root privs, you can drop the --disable-locks parameter and also use block devices in place of .
>
> Look for more information related to online encryption under the "reencrypt" action of cryptsetup.
>
> Kind regards
> Ondrej K.
>

--
Yoann Congal
Smile ECS - Technical expert
yoann.congal@smile.fr
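The one precondition Ondrej calls out for the in-place variant (the last 32MiB of the data file must hold no useful data, because `--reduce-device-size 32M` lets the LUKS2 header take that space) is easy to get wrong and silently destructive. The script below is an added example, not code from the thread or from the cryptsetup project: it checks that the tail of the file is all zero bytes before emitting the `cryptsetup reencrypt --encrypt` command from the thread, and only executes cryptsetup when it is installed and explicitly enabled. File names, the `RUN_CRYPTSETUP` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): guard the in-place
# "cryptsetup reencrypt --encrypt --reduce-device-size 32M" workflow by
# verifying that the last 32 MiB of the data file carry no real data.
set -eu

SPARE_BYTES=$((32 * 1024 * 1024))   # matches --reduce-device-size 32M

# tail_is_spare FILE: return 0 when the last $SPARE_BYTES bytes of FILE are
# all NUL (the region the LUKS2 header will overwrite), 1 otherwise.
tail_is_spare() {
    f=$1
    size=$(wc -c < "$f")
    [ "$size" -ge "$SPARE_BYTES" ] || return 1
    # delete every NUL byte from the tail; any byte left over is real data
    nonzero=$(tail -c "$SPARE_BYTES" "$f" | tr -d '\000' | wc -c)
    [ "$nonzero" -eq 0 ]
}

# inplace_encrypt_cmd FILE: the header-at-front command from the thread.
inplace_encrypt_cmd() {
    printf 'cryptsetup reencrypt --encrypt --reduce-device-size 32M --disable-locks %s\n' "$1"
}

# detached_encrypt_cmd FILE HEADER: the detached-header command from the thread.
detached_encrypt_cmd() {
    printf 'cryptsetup reencrypt --encrypt --header %s --disable-locks %s\n' "$2" "$1"
}

# encrypt_in_place FILE: refuse unless the tail is spare, then print the
# command; run it only if cryptsetup exists and RUN_CRYPTSETUP=1 is set
# (the real command prompts for a passphrase and rewrites FILE in place).
encrypt_in_place() {
    f=$1
    if ! tail_is_spare "$f"; then
        echo "refusing: last 32MiB of $f are not zero; extend the file first" >&2
        return 1
    fi
    cmd=$(inplace_encrypt_cmd "$f")
    echo "$cmd"
    if [ "${RUN_CRYPTSETUP:-0}" = 1 ] && command -v cryptsetup >/dev/null 2>&1; then
        $cmd
    fi
    return 0
}

# Demo on constructed data: 8 MiB of random payload, then 32 MiB of zeros
# appended with truncate so the spare-tail requirement is satisfied.
if [ "${1:-}" = demo ]; then
    img=$(mktemp)
    head -c $((8 * 1024 * 1024)) /dev/urandom > "$img"
    truncate -s $((8 * 1024 * 1024 + SPARE_BYTES)) "$img"
    encrypt_in_place "$img"        # prints the command; does not run it by default
    rm -f "$img"
fi
```

Run it as `sh encrypt_guard.sh demo` to see the check pass on a file that was extended with zeros; point `encrypt_in_place` at a file whose last 32MiB hold data and it refuses instead of handing cryptsetup a file whose tail would be overwritten.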