How to Change Your LUKS Encryption Passphrase

Change LUKs Passphrase

You decided to protect your data with LUKS, and that’s great, but you chose a bad passphrase, and you need to change it. You’re in luck. Unlike a lot of encryption solutions, LUKS actually does allow you to change your passphrase fairly easily. Unfortunately, this isn’t a solution for a lost passphrase, you do need to know your previous one, but it is a great way to rotate passphrases or get rid of a poorly designed old one.

Changing the Passphrase

Simply changing your passphrase on a LUKS drive with only one passphrase is extremely easy. Open a terminal and run the following command, substituting the actual drive location for “sdX.” First, you’ll be prompted to enter your existing passphrase. Then, you can create a new one.

sudo cryptsetup luksChangeKey /dev/sdX

Change Single LUKs Passphrase

LUKs Drives With Multiple Passphrases

LUKS Drives can actually have multiple passphrases or key files associated with them, up to eight. To start, take a look at your drive and see how many keys it has. Chances are, you’ll only see key slot 0 occupied. That’s the first one.

sudo cryptsetup luksDump /dev/sdX | grep -i key

List LUKs Keys

If you have free slots open, you can always add another passphrase to your drive. Run the following command, and a new key will be appended in the first free slot.

sudo cryptsetup luksAddKey /dev/sdX

Add a LUKs Key

When you’re managing multiple keys on the same drive, you’re going to need the ability to target specific ones. Once again, you can do that pretty simply with the -S flag. Just add the slot number after to pick a key to alter.

sudo cryptsetup luksChangeKey /dev/sdX -S 2

Removing a Passphrase

When working with multiple keys, you’re probably going to need to remove old ones from time to time. There are a few ways that LUKS lets you handle it. The simplest way is to use the built in command to remove a key, and LUKS will prompt you for a passphrase. It’ll automatically remove the key associated with the one that you enter.

sudo cryptsetup luksRemoveKey /dev/sdX

Remove a LUKs Key

In case you’d prefer to specify it yourself, you can use the KillSlot command to remove the key in a certain slot. Just include the slot number after the drive, and that’s the one that’ll be removed.

sudo cryptsetup luksKillSlot /dev/sdX 2

Whichever way you choose to manage your LUKS passphrases, you’ll find that it’s one of the most flexible encryption options available. Because LUKS lets you change, manage, and remove keys, you can add new layers of security to your drive. It also allows you to control access for a team of people, rather than just yourself.

Nick Congleton
Nick Congleton

Nick is a freelance tech. journalist, Linux enthusiast, and a long time PC gamer.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox