I am using Clonezilla for Linux deployment on multiple machines with one reference image with LUKS encryption (works very well). The idea is to change the LUKS default passphrase after the first boot (so each machine has a unique passphrase).
BUT, Clonezilla recovers the LUKS header with the same “master key”, which is a safety issue for me. (Knowing the “master key” you can decrypt all machines, even if the passphrase is changed).
As a quick & dirty solution I am using the patch in the attachment (I have to input the passphrase twice).
It could be useful to have an official option “Regenerate LUKS master key” or “Create LUKS header from scratch (new passphrase)” for image restoration.
Thanks for providing the patch. Yes, we will try to implement this in a future release.
One question before we patch it: why do you assign the option "--device-size 1S"?
If you want to change the master key, the "cryptsetup" command should just be run like:
"cryptsetup reencrypt /dev/${lk_dev_}"
Shouldn't it?
Yes, but a normal reencrypt is very long (the entire partition is rewritten) and
useless because the partition data is not valid at this moment.
With the option "--device-size 1S" it forces the reencrypt (master key change) on
the LUKS header and the first partition sector, which is very fast.
This is a crappy workaround but I did not find a better way to do it.
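One check that goes with the workaround above: machines restored from the same image carry the same volume key, and a passphrase change alone does not fix that. This added script (not Clonezilla's code, not the attached patch) fingerprints a LUKS2 header by the volume-key digest that `cryptsetup luksDump` prints in its "Digests:" section, so two machines can be compared after deployment; it assumes LUKS2, the cryptsetup 2.x luksDump layout, and uses constructed sample dumps rather than real ones.

```shell
#!/bin/sh
# Added example, not Clonezilla's code. Fingerprints a LUKS2 header by the
# volume-key digest that `cryptsetup luksDump` prints in its "Digests:" section.
# Machines restored from one image share that digest; luksChangeKey only rewrites
# a keyslot (its own Salt changes, the digest does not), while a re-key such as
# `cryptsetup reencrypt --device-size 1S` replaces it. Assumes LUKS2 and the
# cryptsetup 2.x luksDump layout; the sample dumps below are constructed, not real.

# Read a luksDump on stdin; print "<digest-salt-hex>/<digest-hex>" (hex joined
# across the wrapped lines, whitespace removed). Keyslot salts are ignored.
luks_key_fingerprint() {
    awk '
        /^Digests:/                        { indig = 1; next }
        !indig                             { next }
        /^[A-Za-z]/                        { indig = 0; field = ""; next }
        /^[ \t]+Salt:/                     { field = "salt";   sub(/^[ \t]+Salt:[ \t]*/, "");   hex[field] = hex[field] $0; next }
        /^[ \t]+Digest:/                   { field = "digest"; sub(/^[ \t]+Digest:[ \t]*/, ""); hex[field] = hex[field] $0; next }
        /^[ \t]+[0-9a-f][0-9a-f]([ \t]|$)/ { if (field != "") hex[field] = hex[field] $0; next }
        { field = "" }
        END { s = hex["salt"]; d = hex["digest"]; gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", d); print s "/" d }'
}

# Exit 0 when two luksDump outputs ($1, $2) carry the same volume-key digest.
same_volume_key() {
    [ "$(printf '%s\n' "$1" | luks_key_fingerprint)" = "$(printf '%s\n' "$2" | luks_key_fingerprint)" ]
}

# Post-restore re-key from the workaround above: new volume key written to the
# header and first data sector only, then a per-machine passphrase. $1 = device.
reluks_after_restore() {
    cryptsetup reencrypt --device-size 1S "$1" && cryptsetup luksChangeKey "$1"
}

# Constructed dumps: A as restored, A after a passphrase change (keyslot salt
# differs, digest identical), and B after a re-key (digest differs).
SAMPLE_A='LUKS header information
Keyslots:
  0: luks2
        Salt:       aa bb cc dd
        Digest ID:  0
Digests:
  0: pbkdf2
        Hash:       sha256
        Salt:       01 02 03 04 05 06 07 08
                    09 0a 0b 0c 0d 0e 0f 10
        Digest:     de ad be ef 00 11 22 33
                    44 55 66 77 88 99 aa bb'
SAMPLE_A_NEWPASS=$(printf '%s\n' "$SAMPLE_A" | sed 's/aa bb cc dd/ee ff 00 11/')
SAMPLE_B=$(printf '%s\n' "$SAMPLE_A" | sed 's/de ad be ef/ca fe f0 0d/')
```

On a real machine, feed `cryptsetup luksDump /dev/sdXN | luks_key_fingerprint` from each host into the comparison; an identical fingerprint on two hosts means the restore left them with the same master key.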
Please give the testing Clonezilla live a try, i.e., >= 3.3.1-26 or 20260112-*: https://clonezilla.org/downloads.php
You can enter expert mode when restoring and choose the option "-reluks".
Please let us know the results if you try it. Thanks.
Last edit: Steven Shiau 2026-01-10
It works well. I have to input the password twice but it's not a big problem.
Maybe an improvement for a future release.
Thanks a lot for this quick integration.
On Tue, Jan 13, 2026, 14:06, Steven Shiau steven_shiau@users.sourceforge.net wrote: