Each LUKS1 partition has a total of 8 key slots, numbered 0-7, so you can have a maximum of eight passphrases or passwords for each LUKS1 partition. (A LUKS2 header has up to 32 key slots, numbered 0-31; the commands below work the same way, only the valid slot range changes. This post assumes slots 0-7 throughout.) Normally when an encrypted partition is created, luksFormat puts the first passphrase in key slot 0 unless a different slot was requested with -S.
As an aside, a LUKS passphrase can contain a maximum of 512 characters. That limit is enforced by cryptsetup, not by the on-disk format.
Display the key slots used
The following command displays the header information for the specified device, sda3 in this example: cipher, hash, the status of every key slot and, for LUKS2, the PBKDF settings of each slot. It does not reveal any passphrase or the volume key (unless you add --dump-master-key, which you should not do casually), but it does show which key slots are ENABLED, so it is the command to use to confirm that a key slot has been added or removed.
Remember to change sda3 to your encrypted partition if necessary:
sudo cryptsetup luksDump /dev/sda3
The "--test-passphrase" option of the open action will match a passphrase to a key slot without actually activating the device:
sudo cryptsetup -v open --test-passphrase /dev/sda3
Enter passphrase for /dev/sda3: (I entered the passphrase for key slot 7)
Key slot 7 unlocked.
Command successful.
To check a passphrase against one particular key slot only, add -S (--key-slot) with the slot number; the command fails if the passphrase does not belong to that slot:
sudo cryptsetup -v open --test-passphrase /dev/sda3 -S <0-7>
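As an added example, not from the original post: the following shell script parses luksDump output to list the enabled key slots and work out which slot luksAddKey will pick next when -S is not given. It handles the LUKS1 layout (one "Key Slot N: ENABLED/DISABLED" line per slot) as well as the LUKS2 layout (slots listed under a "Keyslots:" section), so it goes beyond the 0-7 case in this post. The two sample dumps embedded in it are constructed and abbreviated, not taken from a real device, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: read `cryptsetup luksDump` output
# and report which key slots are in use and which slot luksAddKey would pick
# next. Works for both LUKS1 dumps ("Key Slot N: ENABLED") and LUKS2 dumps
# (slots listed under a "Keyslots:" section as "  N: luks2").
# Real use:  report_slots "$(sudo cryptsetup luksDump /dev/sda3)"

# Print the header version (1 or 2) from dump text given as $1.
luks_version() {
    printf '%s\n' "$1" | awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print one enabled slot number per line from dump text given as $1.
list_enabled_slots() {
    printf '%s\n' "$1" | awk '
        # LUKS1: one summary line per slot, e.g. "Key Slot 3: ENABLED"
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        # LUKS2: the "Keyslots:" section lists "  N: luks2" until the next
        # top-level heading (Tokens:, Digests:, ...)
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^  [0-9]+: / { sub(":", "", $1); print $1 }
    '
}

# Print the lowest free slot number, the one luksAddKey uses when -S is not
# given (0-7 for LUKS1, 0-31 for LUKS2). Returns 1 if every slot is in use.
next_free_slot() {
    enabled=$(list_enabled_slots "$1")
    if [ "$(luks_version "$1")" = "2" ]; then max=31; else max=7; fi
    i=0
    while [ "$i" -le "$max" ]; do
        if ! printf '%s\n' "$enabled" | grep -qx "$i"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Human-readable summary of the above.
report_slots() {
    echo "LUKS version: $(luks_version "$1")"
    echo "Enabled key slots: $(list_enabled_slots "$1" | tr '\n' ' ')"
    echo "Next free slot: $(next_free_slot "$1" || echo none)"
}

# Constructed sample dumps (abbreviated, not from a real device) so the
# functions can be exercised without root or an encrypted volume.
SAMPLE_LUKS1='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             1000000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             1000000
        Key material offset:    264
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
        Iterations:             1000000
        Key material offset:    904
        AF stripes:             4000'

SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  7: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

report_slots "$SAMPLE_LUKS1"
report_slots "$SAMPLE_LUKS2"
```

On a live system replace the sample text with the real dump, e.g. report_slots "$(sudo cryptsetup luksDump /dev/sda3)"; the parser only needs the dump text, never the passphrase.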
Add a LUKS key (passphrase)
A maximum of eight passphrases using key slots 0-7 can be set up for each LUKS1 device (sda3 in this example).
To add a LUKS key in the next available key slot, use the following command. It first asks for an existing passphrase (from any slot), then for the new passphrase twice:
sudo cryptsetup -v luksAddKey /dev/sda3
Enter any existing passphrase: (I entered the passphrase for key slot 0)
Key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Key slot 2 created. (because key slot 2 was the next available key slot closest to 0)
Command successful.
To put the new passphrase in a specific key slot instead, add -S with the slot number; the command fails if that slot is already in use:
sudo cryptsetup -v luksAddKey /dev/sda3 -S <0-7>
cryptsetup will find the key slot associated with a passphrase a little faster with lower-numbered key slots. This is because it begins searching for a match at key slot 0 and has to run each slot's key derivation (PBKDF) in turn until one unlocks. As a test I entered a passphrase for key slot 0 and it took 1.5 seconds until the boot up scrolling text began. Using key slot 7 took 5.4 seconds.
Change a LUKS key (passphrase)
To change a LUKS key (passphrase), use the following command and select the key slot number (0-7) that corresponds to the passphrase to be changed. This forces the passphrase for that key slot to be used. If the key slot number is not known, find it first with the --test-passphrase option shown above. This is the command:
sudo cryptsetup -v luksChangeKey /dev/sda3 -S <0-7>
Enter passphrase to be changed: (I entered the passphrase for key slot 7 because "... -S 7" was used in the command)
Key slot 7 unlocked.
Enter new passphrase:
Verify passphrase:
Key slot 7 created.
Command successful.
- This command is similar to using gnome-disks, also known as "Disks", to change the passphrase. "Disks" has the same input parameters (Current Passphrase, New Passphrase, and Confirm Passphrase) except that it has an option to show the passphrase text and has a passphrase strength progress bar. Note that gnome-disks can only change an existing passphrase for a key slot, it cannot add or delete key slots, at least as far as I'm aware.
I have seen some reports years ago that recommended avoiding the gnome utility if a long passphrase is used because it may cut off the input but I do not know if there is any validity to that.
Remove a LUKS key (passphrase)
There are three different actions to remove keys (passphrases) from the LUKS header:
- luksRemoveKey - remove a key by specifying its passphrase.
- luksKillSlot - remove a specified key slot by using any passphrase except the passphrase for the key slot to be removed (in batch mode, -q, no passphrase is asked for at all).
- luksErase - erase all key slots (this will make the LUKS container permanently inaccessible unless there is a backup LUKS header).
luksRemoveKey will remove a key slot by asking for the passphrase that identifies the key slot to remove. If the same passphrase is used for two key slots then only the lowest-numbered key slot that matches will be deleted; the command has to be executed again to delete the second. This is the command:
sudo cryptsetup -v luksRemoveKey /dev/sda3
Enter passphrase to be deleted: (I entered the passphrase for key slot 7)
Key slot 7 unlocked.
Keyslot 7 is selected for deletion.
Key slot 7 removed.
Command successful.
luksKillSlot will remove a specified key slot (0-7) after you enter any existing passphrase except the one for the key slot being removed. In batch mode (-q) it asks for no passphrase at all, so anyone with root can then delete slots without knowing any passphrase; avoid -q here unless a script genuinely needs it.
This is the command:
sudo cryptsetup -v luksKillSlot /dev/sda3 <0-7>
Keyslot 7 is selected for deletion. (because I used ".../dev/sda3 7" in the command)
Enter any remaining passphrase: (I entered the passphrase for key slot 0)
Key slot 0 unlocked.
Key slot 7 removed.
Command successful.
luksErase will quickly remove all access to the specified device (sda3 in this example) by erasing all key slots, making the LUKS container permanently inaccessible unless there is a backup LUKS header. It does not prompt for a passphrase, only for confirmation. It does not wipe the rest of the LUKS header (cipher, UUID and so on stay readable) and it does not wipe the encrypted data; it wipes all key slots at once, and because the volume key exists only inside those slots, the data cannot be decrypted again without a valid backup of the header. The same holds in reverse: any header backup made before luksErase (or before luksKillSlot) still holds the old key slots, so restoring it with luksHeaderRestore brings the old passphrases back. Destroy or protect header backups accordingly.
The -q (--batch-mode) option will suppress all confirmation questions. This is the command:
sudo cryptsetup luksErase -q /dev/sda3
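Putting the add, test and remove steps together, here is an added example (my own script, not part of the original post) that rotates a passphrase in a safe order: header backup, luksAddKey into a chosen slot, open --test-passphrase against that slot, and only then luksKillSlot on the old slot. It assumes cryptsetup is installed and that it is run as root; the device, the slot numbers and the DRY_RUN and MAX_SLOT variables are hypothetical names I chose. With DRY_RUN=1 it only prints the commands, which lets you read the sequence through without touching a device.

```shell
#!/bin/sh
# Added example, not from the original post: rotate a LUKS passphrase in the
# order a cautious admin would type it, using the cryptsetup actions and flags
# shown in this post plus luksHeaderBackup:
#   1. back up the header (the only way back if a later step goes wrong)
#   2. luksAddKey into the chosen free slot
#   3. prove the new slot unlocks with "open --test-passphrase -S"
#   4. only then luksKillSlot the old slot
# Assumptions: cryptsetup is installed, the caller is root, and the device and
# slot numbers are hypothetical values supplied on the command line.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A key slot is an integer in 0..MAX_SLOT (7 for LUKS1, 31 for LUKS2).
MAX_SLOT=${MAX_SLOT:-7}
valid_slot() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$MAX_SLOT" ]
}

# usage: rotate_passphrase DEVICE OLD_SLOT NEW_SLOT
rotate_passphrase() {
    dev=$1; old=$2; new=$3
    if ! valid_slot "$old" || ! valid_slot "$new"; then
        echo "slot numbers must be 0-$MAX_SLOT" >&2
        return 2
    fi
    if [ "$old" = "$new" ]; then
        # luksAddKey refuses an occupied slot, and killing the slot we just
        # filled would lock us out; make that mistake impossible.
        echo "old and new slot must differ" >&2
        return 2
    fi

    # 1. Header backup. Caveat: the backup still contains the OLD slot, so
    #    the retired passphrase keeps working against the backup until the
    #    backup itself is destroyed or stored as securely as the passphrase.
    backup="luks-header-$(date +%Y%m%d%H%M%S).img"
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1

    # 2. Add the new passphrase to the chosen slot (cryptsetup prompts for an
    #    existing passphrase, then the new one twice).
    run cryptsetup luksAddKey "$dev" -S "$new" || return 1

    # 3. Verify the new slot really unlocks before touching the old one.
    run cryptsetup open --test-passphrase "$dev" -S "$new" || return 1

    # 4. Retire the old slot. cryptsetup asks for a passphrase from any
    #    remaining slot and rejects the one belonging to the slot being killed.
    run cryptsetup luksKillSlot "$dev" "$old" || return 1

    # 5. Show the resulting slot table for the log.
    run cryptsetup luksDump "$dev"
}

# Stand-alone use:  DRY_RUN=1 sh rotate.sh /dev/sda3 0 2
if [ $# -eq 3 ]; then
    rotate_passphrase "$1" "$2" "$3"
fi
```

Set MAX_SLOT=31 before calling it on a LUKS2 device. Because every command is run through the same wrapper, a failing step returns before the old slot is killed, which is the property that matters: the device is never left with the old passphrase gone and the new one unverified.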