How to interactively manage LUKS passphrases

Learn how to interactively manage LUKS passphrases on a specific device.

Display LUKS header

Display LUKS header information.

Notice that there are 8 key-slots available numbered from 0 to 7.

$ sudo cryptsetup luksDump /dev/sdb1

LUKS header information for /dev/sdb1
Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	256
MK digest:     	eb 33 45 89 95 2b 67 dd 65 6d 17 d3 ed 7d 05 c4 84 58 5f fc
MK salt:       	b7 0b c3 96 0e ab 70 1b f0 28 9f 39 63 a4 37 95
               	16 e0 61 e6 98 ab fc c1 18 db 1a 36 bc 00 bd 13
MK iterations: 	151879
UUID:          	ac32a865-2716-43e3-8db9-798d4279a3a3
Key Slot 0: ENABLED
	Iterations:         	2430070
	Salt:               	10 a5 7d 29 c8 7f 21 d8 15 ca 42 08 01 a5 79 0c
	                      	d4 d7 5b 87 c3 14 cc 33 75 ec ec ba 71 26 8c 67
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Add an additional passphrase

Add an additional passphrase to the next free key-slot.

$ sudo cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase:     **********
Enter new passphrase for key slot: **********
Verify passphrase:                 **********

You will receive an error in case that every key-slot is used.

$ sudo cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase:     **********
Enter new passphrase for key slot: **********
Verify passphrase:                 **********
All key slots full.

Add an additional passphrase to the specified key-slot.

$ sudo cryptsetup luksAddKey --key-slot 7 /dev/sdb1
Enter any existing passphrase:     **********
Enter new passphrase for key slot: **********
Verify passphrase:                 **********

You will receive an error in case that specified key-slot is already used.

$ sudo cryptsetup luksAddKey --key-slot 7 /dev/sdb1
Enter any existing passphrase:     **********
Enter new passphrase for key slot: **********
Verify passphrase:                 **********
Key slot 7 is full, please select another one.

Change passphrase

Change already defined passphrase.

$ sudo cryptsetup luksChangeKey /dev/sdb1
Enter passphrase to be changed: **********
Enter new passphrase:           **********
Verify passphrase:              **********

Change passphrase in the specified key-slot.

$ sudo cryptsetup luksChangeKey --key-slot 7 /dev/sdb1
Enter passphrase to be changed: **********
Enter new passphrase:           **********
Verify passphrase:              **********

Remove passphrase

Remove additional passphrase in the specified key slot.

$ sudo cryptsetup luksKillSlot /dev/sdc1 7
Enter any remaining passphrase: **********

Remove already defined passphrase.

$ sudo cryptsetup luksRemoveKey /dev/sdc1
Enter passphrase to be deleted: **********

Additional notes

Create passphrase using characters from 7-bit ASCII to avoid encoding issues.

Always add a backup password or key to access data in case of emergency.
You probably do not take this into account, but the password can be forgotten.
From my own experience, I am confident that this will eventually happen.

Display LUKS header#

Add an additional passphrase#

Change passphrase#

Remove passphrase#

Additional notes#

Display LUKS header

Add an additional passphrase

Change passphrase

Remove passphrase

Additional notes