Hello,
I am using Clonezilla for Linux deployment on multiple machines with one reference image with LUKS encryption (works very well). The idea is to change the LUKS default passphrase after the first boot (so each machine has a unique passphrase).
BUT, Clonezilla recovers the LUKS header with the same “master key”, which is a safety issue for me. (Knowing the “master key” you can decrypt all machines, even if the passphrase is changed.)
As a quick & dirty solution I am using the patch in attachment (I have to input the passphrase twice).
It could be useful to have an official option “Regenerate LUKS master key” or “Create LUKS header from scratch (new passphrase)” for image restoration.
Thanks.
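
A fleet check for the issue described in this post, as an added example that is not part of the original post or of Clonezilla: it parses `cryptsetup luksDump` text and groups hosts whose master-key digest and salt are identical, which is what a restored header leaves behind even after the passphrase is changed. The host names and dump contents are constructed, and the field layout assumed is that of LUKS1 headers.

```python
from collections import defaultdict

WANTED = ("MK digest", "MK salt", "MK iterations")

def mk_fingerprint(dump):
    """Master-key digest, salt and iteration count from LUKS1 luksDump text."""
    fields, current = {}, None
    for line in dump.splitlines():
        if line[:1].isspace():            # indented: continuation or keyslot detail
            if current:
                fields[current] += line.split()
            continue
        key, _, value = line.partition(":")
        current = key.strip() if key.strip() in WANTED else None
        if current:
            fields[current] = value.split()
    missing = [k for k in WANTED if k not in fields]
    if missing:
        raise ValueError(f"no master-key fields found: {missing}")
    return tuple("".join(fields[k]) for k in WANTED)

def shared_key_groups(dumps):
    """Hosts whose headers carry the same master-key digest and salt.
    Equal values mean the same key; unequal values alone prove nothing."""
    groups = defaultdict(list)
    for host, dump in dumps.items():
        groups[mk_fingerprint(dump)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)

# Constructed sample dumps (assumed LUKS1 layout, made-up hex values).
TEMPLATE = (
    "LUKS header information for /dev/sda2\n\n"
    "MK bits:       \t512\n"
    "MK digest:     \t{digest}\n"
    "MK salt:       \t{salt} \n"
    "               \t{salt}\n"
    "MK iterations: \t100000\n\n"
    "Key Slot 0: ENABLED\n"
    "\tSalt:               \t{slot_salt}\n"
)
SAMPLE = {
    # pc-01 and pc-02: same restored header; pc-02 changed its passphrase,
    # which rewrites the keyslot salt but not the master-key fields.
    "pc-01": TEMPLATE.format(digest="aa bb cc dd", salt="01 02 03 04", slot_salt="10 11"),
    "pc-02": TEMPLATE.format(digest="aa bb cc dd", salt="01 02 03 04", slot_salt="20 21"),
    # pc-03: header created from scratch, so digest and salt are new.
    "pc-03": TEMPLATE.format(digest="ee ff 00 11", salt="05 06 07 08", slot_salt="30 31"),
}
```

`shared_key_groups(SAMPLE)` reports pc-01 and pc-02 as one group, while pc-03 is not listed.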