  • The security of changing full disk encryption password.

I tried to research this, but I haven't found many resources to learn from. I'm turning to this community, because some of you guys know a lot about security by nature.
My Linux system is encrypted using LUKS except for the boot partition. I want to have a more secure password. I have hard disks and SSDs in my system. I was wondering if someone with physical access was theoretically able to unlock the filesystems with the old password after I changed it. (Maybe by cracking the old one first.)

Should I erase and overwrite the disks before creating a new filesystem to copy my data? I want to avoid that, because it's a really big hassle with many terabytes of data.

AdamE So by adding a new key, and removing the old one. There should not be any way to bruteforce the old key and gain access.
Should I use cryptsetup-reencrypt instead to be certain?

    [deleted]

    So by adding a new key, and removing the old one. There should not be any way to bruteforce the old key and gain access.

    Correct, so long as the key is removed from all copies of the header file (in case you made backups, it must be removed from those as well) there should be no way to gain access using that key.

    Should I use cryptsetup-reencrypt instead to be certain?

    I don't think it's necessary unless you believe that your keys may have been compromised. EDIT: It should be used if you feel like your current encryption options are not sufficient, say you want to move to AES-XTS from AES-CBC. I've never attempted that so can't comment on stability, but you may want to test it in a virtual machine. Also, it will need to be done while the LUKS container is at rest.

      • [deleted]

      • Edited

      AdamE Yessir. I'll even make a copy of my disk first, for my sanity.
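
An added example, not part of the thread and not cryptsetup's code: a simplified Python model of the keyslot design discussed above, showing why a header backup keeps the old passphrase usable until the volume key itself is replaced. The XOR key wrap, the SHAKE keystream standing in for dm-crypt, and all names and passphrases are assumptions made for illustration; real LUKS uses anti-forensic splitting and a block cipher.

```python
import copy, hashlib, hmac, os

def kdf(passphrase, salt, n):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000, n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(volume_key, data):
    # Toy stand-in for dm-crypt: XOR keystream, so the same call also decrypts.
    return xor(data, hashlib.shake_256(volume_key).digest(len(data)))

class Header:
    """Model header: a digest of the volume key plus passphrase-wrapped copies."""
    def __init__(self, volume_key):
        self.digest = hashlib.sha256(volume_key).digest()
        self.slots = {}  # slot number -> (salt, wrapped volume key)

    def add_key(self, slot, passphrase, volume_key):   # cf. luksAddKey
        salt = os.urandom(16)
        self.slots[slot] = (salt, xor(volume_key, kdf(passphrase, salt, 32)))

    def kill_slot(self, slot):                         # cf. luksKillSlot
        del self.slots[slot]

    def unlock(self, passphrase):
        for salt, wrapped in self.slots.values():
            vk = xor(wrapped, kdf(passphrase, salt, 32))
            if hmac.compare_digest(hashlib.sha256(vk).digest(), self.digest):
                return vk
        return None

def demo():
    vk, data = os.urandom(32), b"constructed sample data"
    disk = crypt(vk, data)
    header = Header(vk)
    header.add_key(0, "old-weak", vk)
    backup = copy.deepcopy(header)       # header backup made before the change
    header.add_key(1, "new-strong", vk)  # same volume key, new wrapping
    header.kill_slot(0)
    result = {
        "live_header_old_pass": header.unlock("old-weak") is not None,
        "live_header_new_pass": header.unlock("new-strong") == vk,
        "backup_header_old_pass": backup.unlock("old-weak") == vk,
    }
    # Re-encryption: fresh volume key, every sector rewritten under it.
    new_vk = os.urandom(32)
    disk = crypt(new_vk, crypt(vk, disk))
    stale = backup.unlock("old-weak")    # still yields the *old* volume key
    result["old_key_reads_reencrypted_disk"] = crypt(stale, disk) == data
    return result
```

In this model, changing the passphrase only rewraps the same volume key, which is why every header copy matters; only replacing the volume key makes a stale header copy useless.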