Change my LUKS encryption password, etc.
Assume you encrypted your drive with LUKS during the initial install, chose a weak passphrase, and now want to change it.
If you are logged in and the container is open, use the following commands.
Change my LUKS encryption password.
Note: I experimented with this on Debian 9 "Stretch".
First off, let's find the LUKS-encrypted device(s).
Type the following command:
blkid -t TYPE=crypto_LUKS -o device
Press Enter and you will get a result like the one below. Note that your device number may differ; if so, change the number after sdaX in the commands that follow.
/dev/sda5
Inspect the LUKS header to see how many key slots are populated.
Type the following command:
sudo cryptsetup luksDump /dev/sda5 | grep Key.Slot
Press Enter. The result is listed below:
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
If the system is still up and the device is currently open (unlocked), root can use the master key to add a new key.
This command shows only open device-mapper maps of the crypt target, i.e. unlocked LUKS devices:
sudo dmsetup ls --target crypt
Press Enter; the result is shown below.
sda5_crypt (254, 0)
Now that we have the information we need, we can continue.
To replace the current passphrase, run the following command. You will be prompted for your existing passphrase and then for the new one. Remember to replace sdX with the device found above (sda5 in this example).
Run the following command:
sudo cryptsetup luksChangeKey /dev/sdX
Press Enter.
Now, if you have free slots as I do, you can add more keys.
Run the following command:
sudo cryptsetup luksAddKey /dev/sdX
Press Enter, then enter a passphrase for the vacant slot and verify it.
MANAGING SEVERAL KEYS:
If you manage multiple keys on the same drive, you need to target specific ones with the -S flag: add the slot number after it to pick the key to alter.
Run the following command:
sudo cryptsetup luksChangeKey /dev/sdX -S 2
Press Enter.
When working with multiple keys, you will probably need to remove old ones from time to time. LUKS gives you a few ways to handle this. It is recommended to use the built-in luksRemoveKey command for this.
LUKS will prompt you for a passphrase and then automatically remove the key slot that matches the one you enter.
If you prefer to choose the slot yourself, use the luksKillSlot command to remove the key in a specific slot. Just include the slot number after the drive and that slot is wiped.
Run the following command:
sudo cryptsetup luksKillSlot /dev/sdX 2
Press Enter and the slot is removed.
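The steps above (inspect the key slots, pick one with -S, kill one with luksKillSlot) lend themselves to a small helper. The script below is an added example, not part of the original answer: it parses the `luksDump | grep Key.Slot` output shown above to find the first free slot, counts enabled slots, and refuses to kill a slot that is not enabled or that is the only enabled one (killing the last slot leaves the volume permanently unreadable). The sample dump is constructed to match the listing above; the `add_key_to_first_free` wrapper assumes root and a real LUKS device such as /dev/sda5.

```shell
#!/bin/sh
# Added example, not from the original answer. Works on the text that
# `cryptsetup luksDump <dev> | grep Key.Slot` prints for a LUKS1 header.

# Constructed sample dump: slots 0 and 2 in use, the rest free.
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of all slots in state $1 (ENABLED or DISABLED),
# one per line, reading luksDump text from stdin.
slots_in_state() {
    awk -v want="$1" '$1 == "Key" && $2 == "Slot" && $4 == want { sub(":", "", $3); print $3 }'
}

# Number of the first free slot, or nothing if all eight are in use.
first_free_slot() {
    slots_in_state DISABLED | head -n 1
}

# How many slots currently hold a key.
enabled_count() {
    slots_in_state ENABLED | wc -l | tr -d ' '
}

# Read a dump from stdin and decide whether slot $1 may be killed:
# it must be enabled, and it must not be the only enabled slot.
# Returns 0 when safe, 1 (with a reason on stderr) otherwise.
check_kill_slot() {
    slot=$1
    dump=$(cat)
    enabled=$(printf '%s\n' "$dump" | slots_in_state ENABLED)
    echo "$enabled" | grep -qx "$slot" || {
        echo "slot $slot is not enabled" >&2
        return 1
    }
    n=$(printf '%s\n' "$dump" | enabled_count)
    [ "$n" -gt 1 ] || {
        echo "refusing: slot $slot is the last enabled slot" >&2
        return 1
    }
    return 0
}

# Wrappers around the real commands (hypothetical usage; need root and a
# LUKS device, e.g. /dev/sda5). Not exercised by the test below.
add_key_to_first_free() {
    dev=$1
    slot=$(sudo cryptsetup luksDump "$dev" | first_free_slot)
    [ -n "$slot" ] || { echo "no free key slot on $dev" >&2; return 1; }
    sudo cryptsetup luksAddKey "$dev" -S "$slot"
}

safe_kill_slot() {
    dev=$1
    slot=$2
    sudo cryptsetup luksDump "$dev" | check_kill_slot "$slot" || return 1
    sudo cryptsetup luksKillSlot "$dev" "$slot"
}
```

Usage on a real system would be `safe_kill_slot /dev/sda5 2`; on the sample dump, `first_free_slot` prints 1 and `check_kill_slot 3` refuses because slot 3 holds no key.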
Workaround if you need to get the master key.
Open a terminal window and type:
sudo dmsetup table --showkeys
Press Enter.
This command prints all the mapping parameters, including the master key of each open crypt device, which lets you bypass the passphrase check on an open LUKS device if needed. Treat the output as a secret: anyone holding the master key can decrypt the volume regardless of which passphrases are set.
See the cryptsetup and dmsetup man pages for details.
Note: Some people recommend using this command to list all devices:
df -h
Press Enter, then look for where your hard drive is mounted on /.
Please note that this command lists all devices with the exception of the encrypted one that you need. I am adding this because I have seen it recommended on several sites.
To check whether a device is a LUKS device (substitute your own volume group name for the placeholder):
sudo cryptsetup isLuks -v /dev/mapper/<computername>--vg-root
Press Enter.
IMPORTANT: Only do this if you have a complete backup and are ready to reinstall if needed.
To format and set up a new LUKS password:
luksFormat initializes a LUKS partition and sets the initial passphrase (for key slot 0), either by prompting or via <key file>. Note that if the second argument is present, the passphrase is taken from the file given there, without the need to use the --key-file option. Also note that for both forms of reading the passphrase from a file you can give '-' as the file name, which results in the passphrase being read from stdin and the safety question being skipped.
NOTE: You can only call luksFormat on a LUKS device that is not mapped.
sudo cryptsetup --verify-passphrase luksFormat /dev/mapper/<computername>--vg-root
Press Enter; this confirmation appears.
WARNING!
========
This will overwrite data on /dev/mapper/Computername--vg-root irrevocably.
Are you sure? (Type uppercase yes):