Table of Contents
Change/Add LUKS Passphrase
LUKS is used for Full Disk Encryption, among other things. Sometimes, after you have set this up, you find you need a second passphrase, or you need to replace an existing passphrase. One recent example for me was when I retasked a laptop with an encrypted file system for another employee. They really needed most of the stuff on there, and it was a recent install, so I did not want to rebuild from scratch. However, I did not want to give her my passphrase either.
Another scenario is when you want a user to have a passphrase, but you also want a separate passphrase that IT can use to get in if necessary.
Following assumes you have a disk set up with LUKS, and you want to add or change the passphrase for it. This is based on a Devuan system install, though it should work for any Linux based system.
Change LUKS Passphrase
The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
- Find the partition you need to change
blkid -t TYPE=crypto_LUKS -o device
- Determine which key slots are populated
cryptsetup luksDump /dev/sda5 | grep Key.Slot
- Change the key (assumes above showed key 2 was the one to change)
cryptsetup luksChangeKey /dev/sda5 -S 2
Add a new LUKS Passphrase
The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
- Find the partition you need to change
blkid -t TYPE=crypto_LUKS -o device
- Make sure you have an empty key slot
cryptsetup luksDump /dev/sda5 | grep Key.Slot
- Add the key
cryptsetup luksAddKey /dev/sda5
Delete a LUKS key
The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
- Find the partition you need to change
blkid -t TYPE=crypto_LUKS -o device
- Make sure you have an empty key slot
cryptsetup luksDump /dev/sda5 | grep Key.Slot
- Delete key 2
cryptsetup luksKillSlot /dev/sda5 2