Serious Security: Linux full-disk encryption bug fixed – patch now!
With FDE, everything gets encrypted, including unused parts of the disk, deleted sectors, filenames, swapfile data, the apps you're using, the operating system files you've installed, and even the disk space you've deliberately zeroed out to forcibly overwrite what was there before.
Did you use the right cryptographic algorithm? Did you generate the encryption keys reliably? Did you handle the issue of data integrity properly? Can you change passwords safely and quickly? How easy is it to lock yourself out by mistake? What if you want to adjust the encryption parameters as your corporate policies evolve?
As mentioned above, you sometimes need to change the master encryption settings on a device, especially if you need to adjust some of the parameters you used to keep up with changing encryption recommendations, such as switching to a larger key size.
Cryptsetup streamlines the re-encryption process by keeping part of the disk encrypted with the old key and the rest encrypted with the new key, while carefully tracking how far it has got in case the process breaks halfway through, or the computer needs to be shut down before the process has finished.
At the end, the old master key is wiped out and the new one is committed as the sole encryption key for the underlying data.
That's the risk here: that you could end up with a disk that seems to be encrypted; that still needs a valid password to mount; that behaves as if it's encrypted; that might satisfy your auditors that it is encrypted.
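One way to audit for that "looks encrypted but isn't fully" state, as an added defender-side check that is not code from the article or from the cryptsetup project: parse `cryptsetup luksDump` output and flag a LUKS2 device whose header still reports a re-encryption requirement or whose data segments are not all ciphertext. The sample dump and the exact field layout are constructed assumptions based on cryptsetup 2.x output.

```python
import re
import subprocess

# Constructed `cryptsetup luksDump` output for a LUKS2 device whose re-encryption
# stopped halfway; field layout is an assumption based on cryptsetup 2.x output.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Flags:          (no flags)
Requirements:   online-reencrypt

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: 1073741824 [bytes]
    cipher: aes-xts-plain64
  1: linear
    offset: 1090519040 [bytes]
    length: (whole device)
Keyslots:
  0: luks2
"""

SEGMENT_RE = re.compile(r"^\s+(\d+):\s+(\S+)\s*$", re.MULTILINE)

def parse_dump(dump: str) -> dict:
    """Return header requirement flags and the type of every data segment."""
    req = re.search(r"^Requirements:\s*(.+)$", dump, re.MULTILINE)
    requirements = req.group(1).split() if req else []
    # Only the "Data segments:" block; keyslot/digest entries also start "N:".
    body = dump.split("Data segments:", 1)[1].split("Keyslots:", 1)[0]
    segments = [(int(n), t) for n, t in SEGMENT_RE.findall(body)]
    return {"requirements": requirements, "segments": segments}

def audit(dump: str) -> list[str]:
    """List reasons the device may not be fully encrypted at rest."""
    info = parse_dump(dump)
    findings = []
    if any("reencrypt" in r for r in info["requirements"]):
        findings.append("re-encryption in progress: " + " ".join(info["requirements"]))
    for idx, seg_type in info["segments"]:
        if seg_type != "crypt":  # e.g. "linear" = plaintext mapping
            findings.append(f"segment {idx} is '{seg_type}', not ciphertext")
    return findings

def audit_device(dev: str) -> list[str]:
    """Audit a real device (needs root): runs `cryptsetup luksDump <dev>`."""
    out = subprocess.run(["cryptsetup", "luksDump", dev],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)
```

An empty result from `audit()` means every data segment is of type `crypt` and no re-encryption requirement is pending; anything else deserves a closer look before the device is signed off as encrypted.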