On Fri, Jun 12, 2020 at 12:49:04PM +0000, taran1s wrote: > - - set a higher encryption from qubes default to aes 512-bit full disk > encryption.
a) there is no "aes 512". b) the qubes default is aes-xts-512. (which is really aes-256 with two different keys since whoever implemented it for linux read the XTS paper wrong, but it doesnt matter for security) c) check "cryptsetup luksDump /dev/yourqubesluksdev" > Is this possible to do from within running qubes or will I need to > reinstall the QubesOS and do it all fresh? most likely for the "encryption" part no change is required. so just moving /boot + grub. > cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition > like for example sd3 in case of default qubes installation procedure. > Is that case from inside of qubes too? cryptsetup can be used from inside qubes dom0, yes. i recommend adding a new passphrase first, making sure it works, then removing the old one. luks default has 8 key slots. > Are there any pros/cons of this setup? make sure to have more than one boot device for redundancy. you will have to update them all for every kernel, xen or grub update. (or accept booting your system from an old grub/xen/kernel if you end up using an outdated boot stick) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200612130106.GC998%40priv-mua.
