John3-16: 1. Added 'See also': Setting up encrypted volumes with LUKS, LVM on LUKS, Full disk encryption secure boot; 2. Added Categories: Security, Storage

2025-12-22T04:23:13Z

1. Added 'See also': Setting up encrypted volumes with LUKS, LVM on LUKS, Full disk encryption secure boot; 2. Added Categories: Security, Storage

← Older revision		Revision as of 04:23, 22 December 2025
Line 42:		Line 42:
	Then run <code>grub-install</code>. The command line will differ depending on your setup (EFI vs. MBR). On MBR run		Then run <code>grub-install</code>. The command line will differ depending on your setup (EFI vs. MBR). On MBR run
	<pre> grub-install /dev/sdX </pre>		<pre> grub-install /dev/sdX </pre>

			== See also ==

			* [[Setting_up_encrypted_volumes_with_LUKS\|Setting up encrypted volumes with LUKS]]
			* [[LVM_on_LUKS\|LVM on LUKS]]
			* [[Full_disk_encryption_secure_boot\|Full disk encryption secure boot]]

			[[Category:Security]]
			[[Category:Storage]]

Mmhiro: Created page with "{{Draft}} See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13004 OpenSSL 3.0 has desginated the whirlpool hash as [https://wiki.openssl.org/index.php/OpenSSL_3.0#Provider_implemented_digests legacy]. This means it may not be loaded by default by OpenSSL so you cannot decrypt partitions using whirlpool. This is an issue for Alpine users because since v3.17 OpenSSL 3.0 is default, and multiple articles on this wiki recommended the use of whirlpool. In some case..."

2022-12-02T08:10:40Z

Created page with "{{Draft}} See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13004 OpenSSL 3.0 has desginated the whirlpool hash as [https://wiki.openssl.org/index.php/OpenSSL_3.0#Provider_implemented_digests legacy]. This means it may not be loaded by default by OpenSSL so you cannot decrypt partitions using whirlpool. This is an issue for Alpine users because since v3.17 OpenSSL 3.0 is default, and multiple articles on this wiki recommended the use of whirlpool. In some case..."

New page

{{Draft}}

See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13004

OpenSSL 3.0 has desginated the whirlpool hash as [https://wiki.openssl.org/index.php/OpenSSL_3.0#Provider_implemented_digests legacy]. This means it may not be loaded by default by OpenSSL so you cannot decrypt partitions using whirlpool. This is an issue for Alpine users because since v3.17 OpenSSL 3.0 is default, and multiple articles on this wiki recommended the use of whirlpool. In some cases (i.e. with an encrypted boot partition) a user may not be able to boot their system at all.

== Migrate Away from Whirlpool ==

This has been tested on a LUKS1 partition. I am not responsible if you lose all your data.

'''If you suffer a power failure, kernel panic, or any interruption during the reencryption step, your data may be permanently lost.'''

First, get a LiveCD with cryptsetup (I used Fedora 37). Older versions of cryptsetup require <code>cryptsetup-reencrypt</code> to modify LUKS1 partitions, while newer versions (2.5.0 or 2.6.0 or later) use <code>cryptsetup reencrypt</code>.

Then backup your drive. At the minimum, dump the headers using
<pre>cryptsetup --header-backup-file=backup_file_location.bin luksHeaderBackup /dev/partition</pre>
You should store the header on a USB stick or some other form of persistent media.

If you have keys that cannot be typed in (i.e. keyfiles) then you will have to either
# find '''one''' key that you want to preserve (you must know the keyslot, in this document it will be called N)
# or remove all keyfiles using <code>luksRemoveKey</code>

I removed my keyfile slot using <code>luksRemoveKey</code> and then confirmed that my password still worked using <code>cryptsetup luksOpen --test-passphrase /dev/partition</code>. If you mess up, you can try recovering your keys using <code>luksHeaderRestore</code>.

Make sure that the device is not opened (if you had to get files off of it, run <code>cryptsetup luksClose device_name</code>). If you are preserving keyslot N, run
<pre>cryptsetup reencrypt --keep-key --key-slot N --key-file keyfile.bin --hash sha512 /dev/partition
</pre>
If you are not specifying a keyfile, run
<pre>cryptsetup reencrypt --keep-key --key-slot N --hash sha512 /dev/partition
</pre>
and enter all passwords into the prompts. You can specify another hash if you want to, but sha512 is probably your best choice right now.

Once the command is done (should take a few seconds), verify that you can successfully open and mount your partition.

'''If you use an encrypted boot''', then you must also reinstall grub. Open your partition with cryptsetup and mount it. Enter the directory and run
<pre>
mount -t proc /proc proc/
mount -t sysfs /sys sys/
mount --rbind /dev dev/
chroot . /bin/ash
</pre>
Then run <code>grub-install</code>. The command line will differ depending on your setup (EFI vs. MBR). On MBR run
<pre> grub-install /dev/sdX </pre>

Migrating from whirlpool hash for LUKS partitions - Revision history

John3-16: 1. Added 'See also': Setting up encrypted volumes with LUKS, LVM on LUKS, Full disk encryption secure boot; 2. Added Categories: Security, Storage