2

I checked the "encryption" checkbox in the Anaconda installer during CentOS 6 installation, which encrypts at the PV (Physical Volume) partition level.

Now, for some security reasons, I want to change the current encryption key. Is there any way to do this?

dawud
Ravi Bhat

1 Answer

3

The default encryption method uses LUKS, so issue:

# cryptsetup luksDump /dev/sda
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      ec 80 b6 a6 f4 b6 23 29 d6 22 53 2c af c6 a6 06 01 ca 7c 34
MK salt:        97 4c c5 fe 39 e5 ec f7 3c 7a a5 bd 98 34 56 b4
                0d c4 cc c2 ab 74 fa 5c bd d3 0f e3 ae 65 c3 d7
MK iterations:  59625
UUID:           d8bfb76f-fec3-4d6e-8801-5ab24517c081

Key Slot 0: ENABLED
        Iterations:             238801
        Salt:                   42 37 13 4d 6f d5 eb e6 10 dc 78 c8 04 f9 10 74
                                48 15 4d e0 68 d5 dc 7f 6a 14 66 a2 88 83 4f 17
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

to see how many slots you are currently using. Replace /dev/sda with the appropriate block device.

Add a new key to a free slot using cryptsetup luksAddKey; check the possible options in the cryptsetup(8) man page.

Afterwards, reboot and ensure you can access the machine using the new key. Then you can delete the old one (cryptsetup luksRemoveKey).

dawud
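An added example, not part of the answer above: a small pre-flight check that parses `cryptsetup luksDump` text in the LUKS1 layout shown in the answer and refuses the key-removal step unless a second key slot is already enabled. The function names, the `/dev/sdXN` placeholder and the sample dump (constructed, with slot 1 shown as filled) are assumptions.

```shell
#!/bin/sh
# Added example: checks on `cryptsetup luksDump` text before removing a key.
# Function names are hypothetical; the parsing assumes the LUKS1 layout above.

# Constructed sample: trimmed dump as it might look after luksAddKey has
# filled slot 1 (the second slot's state is an assumption, not page output).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Key Slot 0: ENABLED
        Iterations:             238801
Key Slot 1: ENABLED
        Iterations:             240000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# Print the slot numbers in state $1 (ENABLED or DISABLED); dump on stdin.
slots_in_state() {
    awk -v want="$1" '
        $1 == "Key" && $2 == "Slot" && $4 == want { n = $3; sub(/:$/, "", n); print n }'
}

enabled_count()   { slots_in_state ENABLED | wc -l | tr -d ' '; }
first_free_slot() { slots_in_state DISABLED | head -n 1; }

# Removing a key is only safe while a second key slot still unlocks the volume.
safe_to_remove()  { [ "$(enabled_count)" -ge 2 ]; }

# On a real system, feed the live header instead (placeholder device name):
#   cryptsetup luksDump /dev/sdXN | safe_to_remove && cryptsetup luksRemoveKey /dev/sdXN
if sample_dump | safe_to_remove; then
    echo "enabled slots: $(sample_dump | enabled_count); old key may be removed"
else
    echo "only one key slot in use: add and test the new key first" >&2
fi
```

The slot count only shows that a second key exists; it does not show that the new passphrase unlocks the volume, so the reboot test from the answer still comes before removal.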