Need help adding a LUKS key to 3 partitions [Solved]

[Amandaville]

I want to add a LUKS key, however when I run

Code: Select all

sudo cryptsetup luksDump /dev/nvme0n1p4 | grep Slot

, it returns nothing. That makes me nervous to then run

Code: Select all

sudo cryptsetup luksAddKey /dev/nvme0n1p4

. Also, the original key was created when I ran the MX initial installation and is applied to 3 partitions so I would have to repeat the process with all 3 partitions.

Is there a reason that the 8 key slots are not displayed when I run the first command? Is it still safe to run the luksAddKey command to the 3 partitions?

[Stuart_M]

The reason you do not see an output is because "Slot" does not appear in the output of LUKS2 which is, I presume, what you are using. There is no reason to grep the output, in my opinion.

A number of years ago LUKS1 was used and "Slot" appeared in the output to identify every keyslot as being either enabled or disabled but LUKS2 only outputs keyslots that are used ("Slot", "ENABLED", or "DISABLED" do not appear in the output of LUKS2).

The solution to your proplem is to remove the pipe and everything to the right of it in the command you used.

Running the command in the below code window, as derived from your command, will (should) output the keyslots that are in use, beginning with "0":

Code: Select all

sudo cryptsetup luksDump /dev/nvme0n1p4

The first encrypted partition creates the initial keyslot as "key slot 0", presuming there were not any others that were created manually, so if you have three passphrases then you should see keyslots 0-2 in use. This is not true - see the third paragraph in my Post #5 below.



FYI-1, You can force a keyslot to be used by a passphrase by using "-S <0-31>" at the end of the command to add a LUKS key (without quotes and without "<" and ">" - just a single number). If you do not specify a keyslot number (at the end of the command), then the next available, or next lowest number, will be used.

FYI-2, LUKS2 has a maximum of 32 passphrases (keyslots 0-31) that can be set up for each device, based on the keyslot area size and the key size. (The old LUKS1 has a maximum of 8 [keyslots 0-7].)

FYI-3, if you want to display a keyslot number by its passphrase, enter the below command which will:

• search all the keyslots until it identifies the keyslot that matches the passphrase you enter
• identify the key slot number for that passphrase, and
• if the identified keyslot was successfully opened.

The first line in the below code window is the command and the three lines below that is the output of a test passphrase I used with "sda3" on my system - change for your device:

Code: Select all

sudo cryptsetup -v open --test-passphrase /dev/sda3
Enter passphrase for /dev/sda3: (passphrase for key slot 7 was used)
Key slot 7 unlocked.
Command successful.

Another way to do the above test but force the passphrase to a specific keyslot is to identify the keyslot to use as shown in the below command (choose a keyslot 0-31 and without the greater-than or less-then symbols so there is just a number following "-S"):

Code: Select all

sudo cryptsetup -v open --test-passphrase /dev/sda3 -S <0-31>

For example, if you wanted to use keyslot 5, the command would be:
sudo cryptsetup -v open --test-passphrase /dev/sda3 -S 5

Edit 2: strikeout sentence above.

[Amandaville]

Thank you Stuart, that is very helpful. I was obviously looking at a tutorial for luks1, not realizing there was a significant difference from the current version.

I quoted one line below where you mentioned 3 passphrases, but I have only one passphrase that works on all 3 encrypted partitions. It was created upon initial installation of MX and applied to root, home and swap partitions. Once I manually add the new passphrase to each partition, then I still only need to enter it once at boot for all three to unlock simultaneously, right?

The first encrypted partition creates the initial keyslot as "key slot 0", presuming there were not any others that were created manually, so if you have three passphrases then you should see keyslots 0-2 in use.

[Amandaville]

I just ran the following commands to add the new passphrase to all 3 encrypted partitions and then rebooted.

Code: Select all

sudo cryptsetup -v luksAddKey /dev/nvme0n1p3
sudo cryptsetup -v luksAddKey /dev/nvme0n1p4
sudo cryptsetup -v luksAddKey /dev/nvme0n1p5

The new passphrase worked at boot to unlock all 3 partitions.

Thank you for your help.

[Stuart_M]

Good to hear it worked!

Since the issue is solved, the below are my thoughts on how different encrypted partitions are linked together to the same LUKS key so multiple partitions will use the same passphrase.

First, in response to your Post #3 quoting me about having three passphrases (keyslots) on your system, what I stated is not correct to how your system is configured. I would not have posted that had I remembered what you wrote in your Post #1 that showed only one passphrase was used to open all three encrypted partitions at bootup.


Regarding adding a new keyslot to each of the three partitions, all of which use the same passphrase (during bootup). I have a hunch that that was not necessary and that only one partition would have been necessary to run the "luksAddKey" command on since all three encrypted partitions use the same LUKS key or keyfile. I also wonder if creating an additional keyslot on the two additional partitions created two additional keyslots, each with the same passphrase. If so, instead of having a total of 2 keyslots for the three partitions, there would be a total four (1 for the original keyslot plus 3 more for the second keyslot [1 keyslot for each for the 3 partitions] = 4 total). I have not tested this so I am not 100% sure. See below.

BUT the encrypted partitions appear to have LUKS linked in slightly different ways so maybe only the first LUKS created encrypted partition must be used. I have not tested this so I am not 100% sure.

For example, in my MX-19 that uses full disk encryption, there are two encrypted partitions (root and swap) which are both unlocked using one passphrase during bootup.


While not 100% certain, I think /etc/crypttab is the file that is responsible for linking the two encrypted partitions (root and swap) so they use the same passphrase, allowing both to be unlocked during bootup.

The contents of crypttab on my MX-19 is:

Code: Select all

root.fsm /dev/disk/by-uuid/...UUID_NUMBER... none luks
swap /dev/disk/by-uuid/...UUID_NUMBER... /root/keyfile luks

In the above, "luks" appears for both the root and swap partitions (although swap has /root/keyfile included but root does not.

If correct, then changing one keyslot will change the contents of (/root/keyfile). Since both partitions use the same keyfile, both will be unlocked using the same passphrase during bootup.

I am not certain on the above so any corrections or additions to this post would be welcome.

Regarding Amandaville's additional keyslot that was made. I would be curious to see if the output of cryptsetup is now identical on all three partitions. For example, is the output identical for the three commands in the below code window:

Code: Select all

sudo cryptsetup luksDump /dev/nvme0n1p3
sudo cryptsetup luksDump /dev/nvme0n1p4
sudo cryptsetup luksDump /dev/nvme0n1p5

I am thinking one of two scenarios when adding a LUKS Key:

• all 3 encrypted partitions will show only 2 keyslots in use (0 and 1), OR:
• the first encrypted partition that used the "luksAddKey" command will now have 2 keyslots;
  the 2nd encrypted partition that used the "luksAddKey" command will now have 3 keyslots;
  the 3rd encrypted partition that used the "luksAddKey" command will now have 4 keyslots

The reason for the second scenario is because each time the "luksAddKey" command was run on a partition, it added an additional keyslot to the same keyfile (the original keyslot plus an additional keyslot for each time the "luksAddKey" command was run). If that is true then keyslots 3 and 4 would have the same passphrase since the same passphrase was used when creating it. If that is true, then having keyslots 3 and 4 is of no use and could be removed.

If keyslots 3 and 4 exist, to see if they use the same passphrase as keyslot 2, then test that passphrase on a specific keyslot number as shown in the below command (keyslot 3 is used in this example):

Code: Select all

sudo cryptsetup -v open --test-passphrase /dev/nvme0n1p3 -S 3

[Amandaville]

I am thinking one of two scenarios when adding a LUKS Key:

• all 3 encrypted partitions will show only 2 keyslots in use (0 and 1), OR:
• the first encrypted partition that used the "luksAddKey" command will now have 2 keyslots;
  the 2nd encrypted partition that used the "luksAddKey" command will now have 3 keyslots;
  the 3rd encrypted partition that used the "luksAddKey" command will now have 4 keyslots

I agree that those are the 2 most likely scenarios, however I ended up with something else that makes no sense.

Code: Select all

sudo cryptsetup luksDump /dev/nvme0n1p3 <--shows 3 keys
sudo cryptsetup luksDump /dev/nvme0n1p4 <--shows 2 keys
sudo cryptsetup luksDump /dev/nvme0n1p5 <--shows 3 keys

I'm not entirely sure how that happened. I checked bash history and I did add the new keys in the order listed, nvme0n1p3, then nvme0n1p4, then nvme0n1p5. Unless there's a reason why there should not be duplicate identical keys in multiple slots, I'm not going to worry about it. The new key works and that's the important thing.

[Stuart_M]

Without knowing anything more that what was given in this thread (there was no mention what each partition is for, e.g. root, home, swap, data, etc.), I would guess partition 4 (nvme0n1p4) was created first because I have a hunch it is root (/).

If correct, then the other two partitions, 3 and 5 (nvme0n1p3 and nvme0n1p5), would be created afterwards and are thus linked to the keyfile for the partition that was created first since all three partitions use the same keyfile (passphrase) to unlock. The reason I believe that is because that is the only partition with only 2 keyslots.

For example, see the first code window in my Post #5 that shows the content of /etc/crypttab. Both of the partitions shown in that file are the two encrypted partitions I have on my system (root and swap) and both were created during installation. I believe the root partition was created first because after the UUID number, only "luks" appears while the swap partition has the absolute path for the keyfile /root/keyfile before "luks". This way both partitions use the same keyfile, meaning they both use the same passphrase. When one partition is changed, both partitions will change because both use the same keyfile. Also, I have created a couple additional passphrases (keycodes) for my Full Disk Encryption installation and I only added a luks key to the first partition, which in my case, is root (/). I didn't touch the second encrypted partition. That always results in the other partition (swap) to be automatically unlocked because both use the same keyfile.

...
The new key works and that's the important thing.

I agree. However, for those that want to clean up partitions that have two keyslots with identical passphrases, it is easy to do. Since a keyslot was created with an identical passphrase to a prior keyslot, in your case it is a simple matter to just delete the keyslot that has a higher number since you should only have two keyslots for each encrypted partition, each with a different passphrase. But you have two partitions that have three keyslots, two of which have the identical passphrase. In this case, the keyslots were added automatically based on the commands shown in Post #4 above - that means that the keyslots were added sequentially. Because all of the added keyslots used the same passphrase, two partitions each have two keyslots that use the same passphrase, meaning one keyslot on each of the two encrypted partitions is superfluous.

• To confirm keyslot 2 is associated with a specific passphrase, run the following command. Then repeat the command with keyslot 3 using the same passphrase. I believe you will have to use partition 5 (nvme0n1p5) to check keyslots 2 and 3 there:

  Code: Select all

  sudo cryptsetup -v open --test-passphrase /dev/nvme0n1p3 -S 2
  
  (the above command is checking the passphrase with keyslot 2. The below command is checking with keyslot 3
  
  sudo cryptsetup -v open --test-passphrase /dev/nvme0n1p3 -S 3

• After confirming that keyslot 3 has the same passphrase as keyslot 2 then you can be confident to remove keyslot 3 using the "luksKillSlot" command. That command will remove a specified keyslot using any passphrase except the passphrase for the keyslot to be removed.
  
  The below command will remove keyslot 3 on your partition 3. The below command does NOT have an error identifying the keyslot - unlike the "luksAddKey" and "--test-passphrase" commands, there is no "-S" that precedes the keyslot number in this command:

  Code: Select all

  sudo cryptsetup -v luksKillSlot /dev/nvme0n1p3 3

• Repeat for your partition 5 (nvme0n1p5) if necessary.

I agree with the "If it works, don't fix it" mantra even though the above seems to contradict it, but this is given only for those that want to "clean it up".