You decided to protect your data with LUKS, and that’s great, but you chose a bad passphrase, and you need to change it. You’re in luck. Unlike a lot of encryption solutions, LUKS actually does allow you to change your passphrase fairly easily. Unfortunately, this isn’t a solution for a lost passphrase; you do need to know your previous one. It is, however, a great way to rotate passphrases or get rid of a poorly designed old one.
Changing the Passphrase
Simply changing your passphrase on a LUKS drive with only one passphrase is extremely easy. Open a terminal and run the following command, substituting the actual drive location for “sdX.” First, you’ll be prompted to enter your existing passphrase. Then, you can create a new one.
sudo cryptsetup luksChangeKey /dev/sdX
LUKS Drives With Multiple Passphrases
LUKS drives can actually have multiple passphrases or key files associated with them, up to eight. To start, take a look at your drive and see how many keys it has. Chances are, you’ll only see key slot 0 occupied. That’s the first one.
sudo cryptsetup luksDump /dev/sdX | grep -i key
If you have free slots open, you can always add another passphrase to your drive. Run the following command, and a new key will be appended in the first free slot.
sudo cryptsetup luksAddKey /dev/sdX
When you’re managing multiple keys on the same drive, you’re going to need the ability to target specific ones. Once again, you can do that pretty simply with the -S flag. Just add the slot number after it to pick the key to alter.
sudo cryptsetup luksChangeKey /dev/sdX -S 2
Removing a Passphrase
When working with multiple keys, you’re probably going to need to remove old ones from time to time. There are a few ways that LUKS lets you handle it. The simplest way is to use the built-in command to remove a key, and LUKS will prompt you for a passphrase. It’ll automatically remove the key associated with the one that you enter.
sudo cryptsetup luksRemoveKey /dev/sdX
In case you’d prefer to specify it yourself, you can use the luksKillSlot command to remove the key in a certain slot. Just include the slot number after the drive, and that’s the one that’ll be removed.
sudo cryptsetup luksKillSlot /dev/sdX 2
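A pre-check for the slot removal above, as an added example that is not from the original article: it reads luksDump output, lists the occupied slots, and refuses to approve removing an empty slot or the last remaining key. The function names and sample dumps are constructed for illustration, and the parsing assumes the usual LUKS1 ("Key Slot N: ENABLED") and LUKS2 ("Keyslots:" section) dump layouts.

```shell
#!/bin/sh
# Added example (not from the original article): guard for luksKillSlot.
# Both functions read `cryptsetup luksDump` text on stdin.

# Print the occupied key slot numbers, one per line.
# LUKS1 prints "Key Slot 0: ENABLED"; LUKS2 prints "  0: luks2" under "Keyslots:".
occupied_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/                { in_ks = 1; next }
        /^[A-Za-z]/                 { in_ks = 0 }
        in_ks && /^[ \t]+[0-9]+: /  { sub(":", "", $1); print $1 }
    '
}

# Exit 0 only if slot $1 is occupied and is not the last occupied slot.
safe_to_kill() (
    slots=$(occupied_slots)
    count=$(printf '%s\n' "$slots" | awk 'NF { n++ } END { print n + 0 }')
    if ! printf '%s\n' "$slots" | grep -qxF "$1"; then
        echo "slot $1 is not in use" >&2; exit 1
    fi
    if [ "$count" -le 1 ]; then
        echo "slot $1 holds the only key; removing it would lock the drive" >&2; exit 1
    fi
)

# Constructed luksDump excerpts (not captured from a real drive).
LUKS1_SAMPLE='Version:        1
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED'

LUKS2_SAMPLE='Version:        2
Data segments:
  0: crypt
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Real use, with /dev/sdX and slot 2 as in the article:
#   sudo cryptsetup luksDump /dev/sdX | safe_to_kill 2 &&
#       sudo cryptsetup luksKillSlot /dev/sdX 2
```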
Whichever way you choose to manage your LUKS passphrases, you’ll find that it’s one of the most flexible encryption options available. Because LUKS lets you change, manage, and remove keys, you can add new layers of security to your drive. It also allows you to control access for a team of people, rather than just yourself.