Changing a (known) LUKS passphrase

This is one for me, as I have to look this up Every Single Time I want to change a LUKS passphrase.

Note to self: it might be safer to add a new passphrase, and verify that works, and then - and only then - delete the old passphrase. If you overwrite the existing passphrase with a passphrase you cannot remember (or you mistype twice), you’re stuck.

Identify the encrypted device

sudo cat /etc/crypttab

If this gives you a UUID, use

sudo fdisk -l /dev/[devicename]

to work out the partition structure.

Check which key slot(s) are in use

When you know the device name and partition (e.g. /dev/mmcblk0p2), check which key slot(s) are in use:

sudo cryptsetup luksDump /dev/mmcblk0p2

If you’ve only set up one passphrase, it’s likely to be key slot 0.

Whatever your answer, attempt to unlock the device:

sudo cryptsetup --verbose open --test-passphrase /dev/mmcblk0p2

The output should say:

Key slot 0 unlocked.

Make a note of the key slot, as you’ll need it to change the passphrase for that key slot.

Change the passphrase

Using the device name and the slot (-S) that you’ve identified, issue the command to change the passphrase:

sudo cryptsetup luksChangeKey /dev/mmcblk0p2 -S 0

(If it is slot 1, change it to -S 1.)

Test it

Issue

sudo cryptsetup --verbose open --test-passphrase /dev/mmcblk0p2

and use your new passphrase.
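
The safer order from the note at the top (add a new passphrase, verify it, and only then delete the old one), as an added example that is not part of the original post. The function names and the CRYPTSETUP override variable are hypothetical, and the parser assumes the key slot layout that luksDump prints for LUKS1 ("Key Slot N: ENABLED") and LUKS2 (a "Keyslots:" section).

```shell
#!/bin/sh
# Added example: add-verify-remove passphrase rotation for a LUKS device.
# Usage (script name is up to you): sh rotate.sh /dev/mmcblk0p2 0
CRYPTSETUP=${CRYPTSETUP:-sudo cryptsetup}   # hypothetical override variable

# Print the in-use key slot numbers from `cryptsetup luksDump` output on stdin.
used_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1
        /^Keyslots:/ { in_ks = 1; next }                                  # LUKS2
        /^[A-Za-z]/  { in_ks = 0 }   # Tokens:, Digests:, ... end the section
        in_ks && /^  [0-9]+: / { sub(":", "", $1); print $1 }
    '
}

# rotate_passphrase DEVICE OLD_SLOT
rotate_passphrase() {
    dev=$1; old=$2; new=
    before=$($CRYPTSETUP luksDump "$dev" | used_slots) || return 1
    case " $(echo $before) " in
        *" $old "*) ;;
        *) echo "slot $old is not in use on $dev" >&2; return 1 ;;
    esac
    # Prompts for an existing passphrase, then for the new one twice.
    $CRYPTSETUP luksAddKey "$dev" || return 1
    after=$($CRYPTSETUP luksDump "$dev" | used_slots) || return 1
    for s in $after; do   # the new slot is the one that was not there before
        case " $(echo $before) " in *" $s "*) ;; *) new=$s ;; esac
    done
    [ -n "$new" ] || { echo "no new key slot found" >&2; return 1; }
    # Type the NEW passphrase here. --key-slot restricts the test to the new
    # slot, so the old passphrase cannot make this check pass by accident.
    $CRYPTSETUP --verbose open --test-passphrase --key-slot "$new" "$dev" || {
        echo "new passphrase not verified; slot $old left in place" >&2
        return 1
    }
    # Prompts for a remaining passphrase (the new one), then wipes the old slot.
    $CRYPTSETUP luksKillSlot "$dev" "$old"
}

if [ "$#" -eq 2 ]; then rotate_passphrase "$1" "$2"; fi
```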