How to change, add, or remove a LUKS passphrase (Full Disk Encryption, etc.)
Posted: Sun Mar 13, 2022 6:09 pm
I will show how to change, add, or remove a passphrase (password) on a LUKS encrypted partition which also includes Full Disk Encryption installations. In this post I use sda3 as the encrypted partition because that is what will be normally used with Full Disk Encryption, but change if your encrypted partition is different.
Each LUKS partition can have a total of 8 passphrases which occupy key slots 0-7. That means you can have a maximum of eight passphrases or passwords for each LUKS partition. Normally when an encrypted partition is created it will use key slot 0 first presuming there were not any others that were created manually.
As an aside, a LUKS passphrase can contain a maximum of 512 characters.
Display the key slots used
The following command will display header information which is a summary of the encryption information for the specified device, sda3 in this example. This command is useful to confirm that a key slot has been added or removed.
Remember to change sda3 to your encrypted partition if necessary:
sudo cryptsetup luksDump /dev/sda3
The "--test-passphrase" option of the open command will match a passphrase to a key slot without actually mapping the device:
sudo cryptsetup -v open --test-passphrase /dev/sda3
Enter passphrase for /dev/sda3: (I entered the passphrase for key slot 7)
Key slot 7 unlocked.
Command successful.
sudo cryptsetup -v open --test-passphrase /dev/sda3 -S <0-7>
Add a LUKS key (passphrase)
A maximum of eight passphrases using key slots 0-7 can be set up for each device (sda3 in this example).
To create a LUKS key in the next available key slot use the following command:
sudo cryptsetup -v luksAddKey /dev/sda3
Enter any existing passphrase: (I entered the passphrase for key slot 0)
Key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Key slot 2 created. (because key slot 2 was the next available key slot closest to 0)
Command successful.
sudo cryptsetup -v luksAddKey /dev/sda3 -S <0-7>
LUKS will find the key slot associated with a passphrase a little faster with lower numbered key slots. This is because LUKS begins searching for a match at key slot 0 and tries each slot in turn. As a test I entered a passphrase for key slot 0 and it took 1.5 seconds until the boot up scrolling text began. Using key slot 7 took 5.4 seconds.
Change a LUKS key (passphrase)
To change a LUKS key (passphrase), use the following command and select the key slot number (0-7) that corresponds to the passphrase to be changed. This forces the passphrase for that key slot to be used. If the key slot number is not known then use the --test-passphrase option above (second code window in this post). This is the command:
sudo cryptsetup -v luksChangeKey /dev/sda3 -S <0-7>
Enter passphrase to be changed: (I entered the passphrase for key slot 7 because "... -S 7" was used in the command)
Key slot 7 unlocked.
Enter new passphrase:
Verify passphrase:
Key slot 7 created.
Command successful.
- This command is similar to using gnome-disks, also known as "Disks", to change the passphrase. "Disks" has the same input parameters (Current Passphrase, New Passphrase, and Confirm Passphrase) except that it has an option to show the passphrase text and has a passphrase strength progress bar. Note that gnome-disks can only change an existing passphrase for a key slot, it cannot add or delete key slots, at least as far as I'm aware.
I have seen some reports years ago that recommended avoiding the gnome utility if a long passphrase is used because it may cut off the input but I do not know if there is any validity to that.
Remove a LUKS key (passphrase)
There are three different actions to remove keys (passphrases) from the LUKS header:
- luksRemoveKey - remove a key by specifying its passphrase.
- luksKillSlot - remove a specified key slot by using any passphrase except the passphrase for the key slot to be removed.
- luksErase - erase all key slots (this will make the LUKS container permanently inaccessible unless there is a backup LUKS header).
luksRemoveKey will remove a key slot by using a passphrase that will identify the key slot to remove. If the same passphrase is used for two key slots then only the first key slot that was created with the same passphrase will be deleted. The command will have to be executed again to delete the second. This is the command:
sudo cryptsetup -v luksRemoveKey /dev/sda3
Enter passphrase to be deleted: (I entered the passphrase for key slot 7)
Key slot 7 unlocked.
Keyslot 7 is selected for deletion.
Key slot 7 removed.
Command successful.
luksKillSlot will remove a specified key slot (0-7) by using any existing passphrase except for the passphrase that is used for the key slot to be removed.
This is the command:
sudo cryptsetup -v luksKillSlot /dev/sda3 <0-7>
Keyslot 7 is selected for deletion. (because I used ".../dev/sda3 7" in the command)
Enter any remaining passphrase: (I entered the passphrase for key slot 0)
Key slot 0 unlocked.
Key slot 7 removed.
Command successful.
luksErase will quickly nuke access to the specified device (sda3 in this example) by erasing all key slots making the LUKS container permanently inaccessible (unless there is a backup LUKS header). It will not prompt for a valid passphrase. It will not wipe the LUKS header but it will wipe all key slots at once and therefore you will not be able to regain access unless there is a valid backup of the LUKS header.
The -q (--batch-mode) option will suppress all confirmation questions. This is the command:
sudo cryptsetup luksErase -q /dev/sda3
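As an added example (this is not code from the original post), the following POSIX shell script reads the output of the luksDump command shown at the start of this post and works out which of key slots 0-7 are in use, which slot luksAddKey without -S would fill next (the lowest free one, as in the "Key slot 2 created" output above), and whether removing a given slot with luksKillSlot or luksRemoveKey would leave the container with no passphrase at all. The function names used_slots, next_free_slot and can_remove_slot are my own, and the two header dumps embedded in the script are constructed samples with placeholder UUID and salt values, not output from a real device, so the script runs without root or an encrypted partition.

```shell
#!/bin/sh
# Added example, not from the original post: parse `cryptsetup luksDump`
# output to find the key slots in use, the next free slot, and whether a
# slot can be removed safely.  Function names are my own; the dumps below
# are CONSTRUCTED samples (placeholder UUID/salt), not real device output.

# Sample LUKS2 header dump with slots 0, 2 and 7 in use (constructed).
LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  2: luks2
        Key:        512 bits
        Priority:   normal
  7: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Sample LUKS1 header dump with only slot 0 in use (constructed).
LUKS1_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             1000000
        Salt:                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# used_slots: read a luksDump on stdin and print the numbers of the key slots
# in use, one per line, ascending.  LUKS1 lists every slot as
# "Key Slot N: ENABLED/DISABLED"; LUKS2 lists only populated slots as
# "  N: luks2" under the "Keyslots:" heading, so both shapes are handled.
used_slots() {
    awk '
        /^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/               { in_ks = 1; next }
        /^[A-Za-z]/                { in_ks = 0 }
        in_ks && /^  [0-7]: luks2/ { sub(":", "", $1); print $1 }
    ' | sort -n
}

# next_free_slot: print the lowest unused slot number, i.e. the slot that
# luksAddKey without -S will create ("next available key slot closest to 0").
# Fails when all eight slots are taken.
next_free_slot() {
    used=" $(used_slots | tr '\n' ' ')"
    for n in 0 1 2 3 4 5 6 7; do
        case "$used" in
            *" $n "*) ;;                # already in use, keep looking
            *) echo "$n"; return 0 ;;
        esac
    done
    echo "all eight key slots are in use" >&2
    return 1
}

# can_remove_slot N: succeed only if slot N is in use AND at least one other
# slot would remain, so a scripted luksKillSlot/luksRemoveKey cannot leave the
# container with no passphrase (the outcome luksErase produces on purpose).
can_remove_slot() {
    slot=$1
    used=$(used_slots | tr '\n' ' ')
    case " $used" in
        *" $slot "*) ;;
        *) echo "key slot $slot is not in use" >&2; return 1 ;;
    esac
    set -- $used                        # one positional parameter per slot
    if [ "$#" -le 1 ]; then
        echo "refusing: key slot $slot holds the only remaining passphrase" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed dumps.
printf 'LUKS2 slots in use: %s\n' "$(printf '%s\n' "$LUKS2_DUMP" | used_slots | tr '\n' ' ')"
printf 'next free slot: %s\n' "$(printf '%s\n' "$LUKS2_DUMP" | next_free_slot)"
if printf '%s\n' "$LUKS1_DUMP" | can_remove_slot 0; then
    echo "slot 0 may be removed"
else
    echo "slot 0 must stay"
fi
```

Against a real partition the functions are fed by the command from the start of the post, for example sudo cryptsetup luksDump /dev/sda3 | used_slots, and can_remove_slot is the check to run before the luksKillSlot or luksRemoveKey commands above. The "backup LUKS header" that the luksErase paragraph relies on can be written with cryptsetup luksHeaderBackup (its --header-backup-file option names the output file); that backup contains the key slots, so it deserves the same protection as the passphrases themselves.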