Change My Luks Encryption Password etc...


This guide assumes you encrypted your drive with LUKS during your first install, chose a weak password, and now want to change it.

The commands below assume you are logged in and the container is open.

Note: I experimented with this on Debian 9 "Stretch".

First off, let's find the LUKS-encrypted device(s).

Type the following command:

blkid -t TYPE=crypto_LUKS -o device

Press Enter and you will get the result. Note that your device number could be different; if so, use your own number in place of the X in sdaX.

/dev/sda5

Inspect the LUKS header to see how many key-slots are populated.

Type the following command:

sudo cryptsetup luksDump /dev/sda5 | grep Key.Slot

Press Enter. The result is listed below:

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

If the system is still up and the device is currently opened (unlocked), root can use the master key to add a new key.

This command will only show open maps to LUKS-encrypted devices:

sudo dmsetup ls --target crypt

Press Enter; the result is shown below.

sda5_crypt    (254, 0)

Now that we have the information we need, we can continue answering the question.

To replace the current password, you'll be prompted to enter your existing passphrase. Then you can create a new one. Remember to replace the X with the correct device number.

Run the following command:

sudo cryptsetup luksChangeKey /dev/sdX

Press Enter.

If you have free slots like me, you can add more keys.

Run the following command:

sudo cryptsetup luksAddKey /dev/sdX

Press Enter.

Enter a passphrase for the vacant slot, then enter it again to verify it.

MANAGING SEVERAL KEYS:

If you're managing multiple keys on the same drive, you need to be able to target a specific one using the -S flag. Add the slot number after the flag to pick the key to alter.

Run the following command:

sudo cryptsetup luksChangeKey /dev/sdX -S 2

Press Enter.

When working with multiple keys, you're probably going to need to remove old ones from time to time. There are a few ways that LUKS lets you handle this. It is recommended to use the built-in command to remove a key.

LUKS will prompt you for a passphrase and then automatically remove the key associated with the one that you enter.

If you prefer to specify it yourself, you can use the luksKillSlot command to remove the key in a certain slot. Just include the slot number after the drive, and it will be removed.

Run the following command:

sudo cryptsetup luksKillSlot /dev/sdX 2

Press Enter and the key is removed.
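The luksDump slot listing and the luksKillSlot step above can be combined into a guard. This is an added example, not part of the original article: it parses the LUKS1-style "Key Slot N:" lines shown on this page and refuses to remove the last enabled key, because a volume with no key slots left cannot be opened again once it is closed. The function names and the sample dump are constructed for illustration; LUKS2 headers print a different layout and are not handled.

```shell
#!/bin/sh
# Added example: read LUKS1-style `cryptsetup luksDump` text on stdin.
# Intended use (device name is a placeholder):
#   sudo cryptsetup luksDump /dev/sdX | safe_to_kill 2 &&
#       sudo cryptsetup luksKillSlot /dev/sdX 2

# Constructed sample: the dump from this page with slot 2 also populated.
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the slot numbers in state $1 (ENABLED or DISABLED), space-separated.
slots_in_state() {
    awk -v want="$1" '
        $1 == "Key" && $2 == "Slot" && $4 == want {
            sub(":", "", $3); out = out sep $3; sep = " "
        }
        END { print out }'
}

# Print the lowest-numbered free slot; fail if every slot is taken.
first_free_slot() {
    free=$(slots_in_state DISABLED)
    [ -n "$free" ] || return 1
    echo "${free%% *}"
}

# Return 0 only if slot $1 is enabled and is not the last enabled slot.
# Return 2 if the slot is not in use, 1 if it is the only key left.
safe_to_kill() {
    enabled=$(slots_in_state ENABLED)
    case " $enabled " in
        *" $1 "*) ;;
        *) return 2 ;;
    esac
    set -- $enabled          # count enabled slots via positional parameters
    [ "$#" -ge 2 ]
}
```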


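Workaround if you need to get the master key!

Open a terminal window and type:

sudo dmsetup table --showkeys

Press Enter.

This command gives you all the parameters and the master key, which allows you to circumvent LUKS if needed. The master key does not change when you change or add passphrases, so this output must be handled as carefully as the volume itself.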

Read the manpages here.

Note: Some people recommend using this command to list all devices:

df -h

Press Enter, then look for where your hard drive is mounted on /.

Please note that this command lists all devices except the encrypted one that you need. I am adding this because I have seen it recommended on several sites.

To find out if the device is a Luks device:

sudo cryptsetup isLuks -v /dev/mapper/Computername--vg-root

Press Enter.

IMPORTANT: Now, only do this if you have a complete backup ready to go if you need to re-install.

To format and set up a new LUKS password:

luksFormat initializes a LUKS partition and sets the initial passphrase (for key-slot 0), either via prompting or via <key file>. Note that if the second argument is present, then the passphrase is taken from the file given there, without the need to use the --key-file option. Also note that for both forms of reading the passphrase from file you can give '-' as file name, which results in the passphrase being read from stdin and the safety-question being skipped.

NOTE: You can only call luksFormat on a LUKS device that is not mapped.

sudo cryptsetup --verify-passphrase luksFormat /dev/mapper/Computername--vg-root

Press Enter and this confirmation prompt comes up.

WARNING!
========
This will overwrite data on /dev/mapper/Computername--vg-root irrevocably.

Are you sure? (Type uppercase yes):
