Manage LUKS Passphrase
This is just a simple reference for changing passwords on a LUKS-encrypted volume. There are plenty of places you could go to find this information, but I have it here for my own reference more than anything.
For the sake of this guide, I’m going to be using /dev/nvme0n1p3 for the LUKS encrypted volume.
If you don’t know how to identify the disk whose passphrase you’re trying to change, you can do one of the following:
Check the crypttab file to see which encrypted disks are mounted:
cat /etc/crypttab
If you’ve got a UUID in the crypttab, you can just reverse look it up by UUID:
ls -l /dev/disk/by-uuid/
Which should give you back the symlink to the actual disk we’re trying to edit.
If you know which physical disk it is, you can check fdisk to see which disk it is using:
fdisk -l
Locate the disk by device, size, or other info to determine which one you’re trying to change.
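The crypttab lookup described above can be scripted. This is an added example, not part of the original guide; the function name crypttab_devices, the sample UUID and the entry names are made up for illustration.

```shell
#!/bin/sh
# crypttab_devices FILE [BYUUID_DIR]
# Prints "name<TAB>device" for every crypttab entry, so the device can be
# passed to cryptsetup luksDump or cryptsetup open --test-passphrase.
crypttab_devices() {
    file=$1
    byuuid=${2:-/dev/disk/by-uuid}
    # crypttab fields: name, source device, key file, options
    while read -r name source _rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac    # skip blank lines and comments
        case $source in
            UUID=*)
                link=$byuuid/${source#UUID=}
                if [ -e "$link" ]; then
                    dev=$(readlink -f "$link")      # same lookup as ls -l by-uuid
                else
                    dev=$link                       # UUID not present on this host
                fi ;;
            *)  dev=$source ;;                      # /dev/..., LABEL=, PARTUUID= left as-is
        esac
        printf '%s\t%s\n' "$name" "$dev"
    done < "$file"
}

# Constructed sample: a fake by-uuid directory and crypttab in a temp dir.
tmp=$(mktemp -d)
mkdir "$tmp/by-uuid"
: > "$tmp/nvme0n1p3"                                # stand-in for the device node
ln -s ../nvme0n1p3 "$tmp/by-uuid/11111111-2222-3333-4444-555555555555"
cat > "$tmp/crypttab" <<'EOF'
# <name>  <device>  <keyfile>  <options>
cryptroot  UUID=11111111-2222-3333-4444-555555555555  none  luks,discard
cryptdata  /dev/sdb1  none  luks
EOF
crypttab_devices "$tmp/crypttab" "$tmp/by-uuid"
```

On a real system, call it as crypttab_devices /etc/crypttab and leave the second argument off.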
Now that we know which partition we’re trying to change, we can get info about the LUKS volume:
cryptsetup luksDump /dev/nvme0n1p3
Under the Keyslots section you’ll see some info about the keys that are currently able to unlock the disk. You can have up to 8 (0-7) keys on a disk.
We can determine which keyslot we’re trying to change with:
cryptsetup open --verbose --test-passphrase /dev/nvme0n1p3
Enter passphrase for /dev/nvme0n1p3:
Key slot 0 unlocked.
Command successful.
--verbose is needed in order for it to log which keyslot opened the device.
After we have determined the keyslot, we can change the passphrase for the keyslot that was unlocked (in my case it’s keyslot 0):
cryptsetup luksChangeKey /dev/nvme0n1p3 -S 0
Enter passphrase to be changed:
Enter new passphrase:
Verify passphrase:
Test the new key after you’ve added it to be sure it was changed correctly:
cryptsetup --verbose open --test-passphrase /dev/nvme0n1p3
As an alternative, you can just reboot your system.
Once we have determined the keyslot, we can remove the key from the disk (in my case it will be keyslot 0):
# luksRemoveKey picks the key by passphrase; luksKillSlot removes a specific slot
cryptsetup luksKillSlot /dev/nvme0n1p3 0