Change/Add LUKS Passphrase

LUKS is used for Full Disk Encryption, among other things. Sometimes, after you have set this up, you find you need a second passphrase, or you need to replace an existing passphrase. One recent example for me was when I retasked a laptop with an encrypted file system for another employee. They really needed most of the stuff on there, and it was a recent install, so I did not want to rebuild from scratch. However, I did not want to give her my passphrase either.

Another scenario is when you want a user to have a passphrase, but you also want a separate passphrase that IT can use to get in if necessary.

The following assumes you have a disk set up with LUKS and want to add or change a passphrase for it. This is based on a Devuan system install, though it should work for any Linux-based system.

Change LUKS Passphrase

The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)

  1. Find the partition you need to change
    blkid -t TYPE=crypto_LUKS -o device
  2. Determine which key slots are populated
    cryptsetup luksDump /dev/sda5 | grep Key.Slot
  3. Change the key (assumes above showed key 2 was the one to change)
    cryptsetup luksChangeKey /dev/sda5 -S 2

Add a new LUKS Passphrase

The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)

  1. Find the partition you need to change
    blkid -t TYPE=crypto_LUKS -o device
  2. Make sure you have an empty key slot
    cryptsetup luksDump /dev/sda5 | grep Key.Slot
  3. Add the key
    cryptsetup luksAddKey /dev/sda5

Delete a LUKS key

The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)

  1. Find the partition you need to change
    blkid -t TYPE=crypto_LUKS -o device
  2. Determine which key slots are populated, so you know which one to delete
    cryptsetup luksDump /dev/sda5 | grep Key.Slot
  3. Delete key 2
    cryptsetup luksKillSlot /dev/sda5 2
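
The slot check in step 2 matters most before a delete, because removing the last populated slot leaves the volume unopenable by passphrase. The script below is an added example, not part of the original page: it parses luksDump text in both the LUKS1 layout that `grep Key.Slot` matches and the LUKS2 layout (a `Keyslots:` section, which that grep does not match), and refuses a delete that would leave no populated slot. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): a guard to run before luksKillSlot.
# The sample dumps below are constructed and abridged, not from a real device.

LUKS1_SAMPLE='Version:        1
Key Slot 0: ENABLED
        Iterations:     1000000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:     1000000
Key Slot 3: DISABLED'

LUKS2_SAMPLE='Version:        2
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
Keyslots:
  1: luks2
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2'

# populated_slots: luksDump text on stdin -> populated slot numbers, one per line.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
populated_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^  [0-9]+: /      { sub(":", "", $1); print $1 }
    '
}

# safe_to_kill SLOT: luksDump text on stdin; succeeds only if SLOT is populated
# and at least one other populated slot would remain after deleting it.
safe_to_kill() {
    slots=$(populated_slots)
    echo "$slots" | grep -qx "$1" || { echo "slot $1 is not populated" >&2; return 1; }
    [ "$(echo "$slots" | grep -c .)" -gt 1 ] ||
        { echo "slot $1 is the only populated slot" >&2; return 1; }
}

# Demo on the constructed samples. On a real system (as root) the pattern is:
#   cryptsetup luksDump /dev/sda5 | safe_to_kill 2 && cryptsetup luksKillSlot /dev/sda5 2
printf '%s\n' "$LUKS1_SAMPLE" | safe_to_kill 2 && echo "LUKS1 sample: slot 2 may be deleted"
printf '%s\n' "$LUKS2_SAMPLE" | safe_to_kill 1 || echo "LUKS2 sample: refusing to delete slot 1"
```

Before deleting, also confirm that you actually know the passphrase for a slot that will remain, for example with `cryptsetup open --test-passphrase --key-slot 0 /dev/sda5`.
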
other/encryption/lukspass.txt · Last modified: 2020/02/28 00:57 by rodolico