other:encryption:lukspass [2020/02/28 00:57] (current)
rodolico created
Line 1: Line 1:
 +====== Change/Add LUKS Passphrase ======
  
 +LUKS is used for Full Disk Encryption, among other things. Sometimes, after you have set this up, you find you need a second passphrase, or you need to replace an existing passphrase. One recent example for me was when I retasked a laptop with an encrypted file system for another employee. They really needed most of the stuff on there, and it was a recent install, so I did not want to rebuild from scratch. However, I did not want to give her my passphrase either.
 +
 +Another scenario is when you want a user to have a passphrase, but you also want a separate passphrase that IT can use to get in if necessary.
 +
 +Following assumes you have a disk set up with LUKS, and you want to add or change the passphrase for it. This is based on a Devuan system install, though it should work for any Linux based system.
 +
 +===== Change LUKS Passphrase =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<​code bash>​blkid -t TYPE=crypto_LUKS -o device</​code>​
 +  - Determine which key slots are populated<​code bash>​cryptsetup luksDump /dev/sda5 | grep Key.Slot</​code>​
 +  - Change the key (assumes above showed key 2 was the one to change)<​code bash>​cryptsetup luksChangeKey /dev/sda5 -S 2</​code>​
 +
 +===== Add a new LUKS Passphrase =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<​code bash>​blkid -t TYPE=crypto_LUKS -o device</​code>​
 +  - Make sure you have an empty key slot<​code bash>​cryptsetup luksDump /dev/sda5 | grep Key.Slot</​code>​
 +  - Add the key<code bash>​cryptsetup luksAddKey /​dev/​sda5</​code>​
 +
 +===== Delete a LUKS key =====
 +
 +The following assumes /dev/sda5 is the partition that is encrypted (discover in step 1)
 +
 +  - Find the partition you need to change<​code bash>​blkid -t TYPE=crypto_LUKS -o device</​code>​
 +  - Make sure you have an empty key slot<​code bash>​cryptsetup luksDump /dev/sda5 | grep Key.Slot</​code>​
 +  - Delete key 2<code bash>​cryptsetup luksKillSlot /dev/sda5 2</​code>​
 +
 +
 +
 +===== Links =====
 +  * [[https://​www.linuxexperten.com/​content/​change-my-luks-encryption-password-etc]]
 +  * [[https://​manpages.debian.org/​stretch/​cryptsetup-bin/​cryptsetup.8.en.html]]
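Review bot: In the "Delete a LUKS key" section, step 2 still reads "Make sure you have an empty key slot", which is carried over from the Add section and is not the check that matters before luksKillSlot. What needs confirming there is which slot holds the passphrase being retired and that at least one other populated slot has a passphrase you know, because killing the last usable slot leaves the volume unopenable. Suggest rewording that step along the lines of "Confirm which slot to remove and that another populated slot remains". Separately, the "grep Key.Slot" filter used in all three procedures matches the LUKS1 luksDump layout ("Key Slot N: ENABLED"); LUKS2 headers list slots under "Keyslots:", so the filter prints nothing on those volumes, and the page should say to read the full luksDump output in that case.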
other/encryption/lukspass.txt · Last modified: 2020/02/28 00:57 by rodolico