Changing a (known) LUKS passphrase

This is one for me, as I have to look this up Every Single Time I want to change a LUKS passphrase.

Note to self: it is safer to add a new passphrase (luksAddKey), verify that it works, and then - and only then - delete the old one. luksChangeKey replaces the passphrase in place, so if you set one you cannot remember, or mistype the new passphrase the same way both times it is requested, that slot is gone; if it was your only slot, so is access to the data.

Identify the encrypted device

sudo cat /etc/crypttab

If the device column is a UUID=... entry rather than a device path, the symlink /dev/disk/by-uuid/<uuid> points at the partition in question (cryptsetup will take that path as-is). To see where that partition sits on the disk, use

sudo fdisk -l /dev/[devicename]

to work out the partition structure.

Check which key slot(s) are in use

When you know the device name and partition (e.g. /dev/mmcblk0p2), check which key slots are in use:

sudo cryptsetup luksDump /dev/mmcblk0p2

A LUKS1 header lists all eight slots as ENABLED or DISABLED; a LUKS2 header lists only the slots that exist, under Keyslots:. If you've only ever set up one passphrase, it's likely to be key slot 0.

Whatever the dump says, confirm which slot your current passphrase actually opens with a test unlock (this only checks the passphrase; it does not map the device):

sudo cryptsetup --verbose open --test-passphrase /dev/mmcblk0p2

The output should say:

Key slot 0 unlocked.

Make a note of the key slot, as you'll need it to change the passphrase for that key slot.

Change the passphrase

Using the device name and the slot (-S) that you've identified, issue the command to change the passphrase:

sudo cryptsetup luksChangeKey /dev/mmcblk0p2 -S 0

(If it is slot 1, change it to -S 1.) You are asked for the current passphrase of that slot, then for the new passphrase twice. With -S the slot is overwritten in place; without -S, luksChangeKey picks the slot from the passphrase you type and, if a free slot exists, writes the new passphrase there before purging the old slot.

Test it

Issue

sudo cryptsetup --verbose open --test-passphrase /dev/mmcblk0p2

and enter the new passphrase; it should report the same key slot unlocked.
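The same procedure done the safer way the note at the top suggests (add the new passphrase into a free slot, prove it unlocks, and only then wipe the old slot), as an added example that is not the author's script or anything from the cryptsetup project. It assumes cryptsetup 2.x on Linux; the script name, the function names and the crypttab and luksDump texts embedded in it are all constructed for this example, not captured from a real device.

```sh
#!/bin/sh
# rotate-luks-passphrase.sh: add a new passphrase, prove it unlocks, then wipe the old slot.
# Added example for this post, not the author's script. Assumes cryptsetup 2.x on Linux;
# the crypttab and luksDump samples below are constructed, not captured from a real device.
set -e

# Resolve the device column of /etc/crypttab (read on stdin) for mapping name $1.
# "UUID=..." becomes the /dev/disk/by-uuid/ symlink, which cryptsetup opens directly.
crypttab_device() {
    awk -v name="$1" '!/^#/ && $1 == name {
        if ($2 ~ /^UUID=/) { sub(/^UUID=/, "", $2); print "/dev/disk/by-uuid/" $2 }
        else print $2
        exit
    }'
}

# Print the key slot numbers in use, one per line, from `cryptsetup luksDump` output on stdin.
# LUKS1 prints "Key Slot N: ENABLED|DISABLED"; LUKS2 lists "  N: luks2" lines under "Keyslots:".
luks_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/        { print $3 + 0; next }   # LUKS1: "0:" + 0 -> 0
        /^Keyslots:/                       { in_keyslots = 1; next }
        /^[A-Za-z]/                        { in_keyslots = 0 }      # next top-level section
        in_keyslots && /^ +[0-9]+: luks2/  { sub(/:$/, "", $1); print $1 }
    '
}

# Print the slot numbers present in list $2 but not in list $1 (both newline-separated).
new_slots() {
    _have=" $(printf '%s' "$1" | tr '\n' ' ') "
    for _s in $2; do
        case "$_have" in
            *" $_s "*) ;;
            *) printf '%s\n' "$_s" ;;
        esac
    done
}

# $1 = device, $2 = slot that the current passphrase unlocks (as reported by --test-passphrase).
rotate_passphrase() {
    dev=$1; old=$2
    before=$(sudo cryptsetup luksDump "$dev" | luks_enabled_slots)
    case " $(printf '%s' "$before" | tr '\n' ' ') " in
        *" $old "*) ;;
        *) echo "slot $old is not in use on $dev" >&2; return 1 ;;
    esac
    # 1. Put the new passphrase in a free slot (prompts for an existing passphrase, then the new one twice).
    sudo cryptsetup luksAddKey "$dev"
    after=$(sudo cryptsetup luksDump "$dev" | luks_enabled_slots)
    new=$(new_slots "$before" "$after")
    [ -n "$new" ] || { echo "no new slot appeared after luksAddKey" >&2; return 1; }
    # 2. Prove the new passphrase opens that slot. A typo here aborts the script (set -e)
    #    with the old slot still intact, which is the whole point of this ordering.
    sudo cryptsetup --verbose open --test-passphrase --key-slot "$new" "$dev"
    # 3. Only now wipe the old slot. Outside batch mode this prompts for a remaining passphrase.
    sudo cryptsetup luksKillSlot "$dev" "$old"
    echo "slot $old wiped; the new passphrase is in slot $new"
}

# Constructed sample inputs so the parsers can be checked without a device.
SAMPLE_CRYPTTAB='# <name>   <device>                                   <keyfile> <options>
cryptroot  UUID=11111111-2222-3333-4444-555555555555  none      luks,discard
cryptdata  /dev/mmcblk0p3                             none      luks'

SAMPLE_LUKS1_DUMP=$(cat <<'EOF'
LUKS header information for /dev/mmcblk0p2
Version:        1
UUID:           11111111-2222-3333-4444-555555555555
Key Slot 0: ENABLED
        Key material offset:    8
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Key material offset:    512
Key Slot 3: DISABLED
EOF
)

SAMPLE_LUKS2_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
)

# Only touch a real device when called with explicit arguments, e.g.
#   sh rotate-luks-passphrase.sh /dev/mmcblk0p2 0
if [ "$#" -eq 2 ]; then
    rotate_passphrase "$1" "$2"
fi
```

Run it with the device and the slot number that --test-passphrase reported for the current passphrase. Because the old slot is killed only after the new one has been opened with --key-slot, a mistyped new passphrase ends the script with the old passphrase still working; the luksDump parser handles both the LUKS1 ENABLED/DISABLED listing and the LUKS2 Keyslots: section, so the same script works on either header version.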


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.

You can find me (and follow me) on Mastodon and Twitter.