Unix Server Tech Knowledge Base

User Tools

Site Tools

Trace:
other:encryption:lukspass
no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


other:encryption:lukspass [2020/02/28 00:57] (current) – created rodolico
Line 1: Line 1:
 +====== Change/Add LUKS Passphrase ======
  
 +LUKS is used for Full Disk Encryption, among other things. Sometimes, after you have set this up, you find you need a second passphrase, or you need to replace an existing passphrase. One recent example for me was when I retasked a laptop with an encrypted file system for another employee. They really needed most of the stuff on there, and it was a recent install, so I did not want to rebuild from scratch. However, I did not want to give her my passphrase either.
 +
 +Another scenario is when you want a user to have a passphrase, but you also want a separate passphrase that IT can use to get in if necessary.
 +
 +Following assumes you have a disk set up with LUKS, and you want to add or change the passphrase for it. This is based on a Devuan system install, though it should work for any Linux based system.
 +
 +===== Change LUKS Passphrase =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<code bash>blkid -t TYPE=crypto_LUKS -o device</code>
 +  - Determine which key slots are populated<code bash>cryptsetup luksDump /dev/sda5 | grep Key.Slot</code>
 +  - Change the key (assumes above showed key 2 was the one to change)<code bash>cryptsetup luksChangeKey /dev/sda5 -S 2</code>
 +
 +===== Add a new LUKS Passphrase =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<code bash>blkid -t TYPE=crypto_LUKS -o device</code>
 +  - Make sure you have an empty key slot<code bash>cryptsetup luksDump /dev/sda5 | grep Key.Slot</code>
 +  - Add the key<code bash>cryptsetup luksAddKey /dev/sda5</code>
 +
 +===== Delete a LUKS key =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<code bash>blkid -t TYPE=crypto_LUKS -o device</code>
 +  - Make sure you have an empty key slot<code bash>cryptsetup luksDump /dev/sda5 | grep Key.Slot</code>
 +  - Delete key 2<code bash>cryptsetup luksKillSlot /dev/sda5 2</code>
 +
 +
 +
 +===== Links =====
 +  * [[https://www.linuxexperten.com/content/change-my-luks-encryption-password-etc]]
 +  * [[https://manpages.debian.org/stretch/cryptsetup-bin/cryptsetup.8.en.html]]
other/encryption/lukspass.txt · Last modified: 2020/02/28 00:57 by rodolico