Manage LUKS Passphrase

This is just a simple reference for changing passwords on a LUKS-encrypted volume. There are plenty of places you could go to find this information, but I have it here for my own reference more than anything.

For the sake of this guide, I’m going to be using /dev/nvme0n1p3 for the LUKS encrypted volume.

If you don’t know how to identify the disk you’re trying to change the passphrase to, you can do one of the following:

Check the crypttab file to see which encrypted disks are mounted:

cat /etc/crypttab

If you’ve got a UUID in the crypttab, you can just reverse look it up by UUID:

ls -l /dev/disk/by-uuid/

Which should give you back the symlink to the actual disk we’re trying to edit.

If you know which physical disk it is you can check fdisk to see which disk it is using:

fdisk -l

Locate the disk by device, size, or other info to determine which one you’re trying to change.

Now that we know which partition we’re trying to change, we can get info about the LUKS volume:

cryptsetup luksDump /dev/nvme0n1p3

Under the Keyslots section you’ll see some info about the keys that are currently able to unlock the disk. You can have up to 8 (0-7) keys on a disk.

We can determine which keyslot that we’re trying to change with:

cryptsetup open --verbose --test-passphrase /dev/nvme0n1p3

Enter passphrase for /dev/nvme0n1p3:
Key slot 0 unlocked.
Command successful.

After we have determined the keyslot, we can change the passphrase for the keyslot that was unlocked (in my case it’s keyslot 0):

cryptsetup luksChangeKey /dev/nvme0n1p3 -S 0

Enter passphrase to be changed:
Enter new passphrase:
Verify passphrase:

Test the new key after you’ve added it to be sure it was changed correctly:

cryptsetup --verbose open --test-passphrase /dev/nvme0n1p3

As an alternative, you can just reboot your system.

Once we have determined the keyslot, we can remove the key from the disk (in my case it will be keyslot 0):

cryptsetup luksRemoveKey -S 0