Posted over 11 years ago. Visible to the public.

How to change your dm-crypt passphrase

dm-crypt has multiple passphrase slots. The process will be to add a new passphrase to a new slot, check that it works, and then remove the old passphrase.

  1. Find out which partitions are encrypted with dm-crypt:
    $ lsblk --fs
    NAME                  FSTYPE      LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINT
    nvme0n1
    ├─nvme0n1p1           vfat              65CB-0937                               503,2M     2% /boot/efi
    ├─nvme0n1p2           ext4              4c74e2f2-ac89-460d-a735-6c4af43adb3c    288,2M    52% /boot
    └─nvme0n1p3           crypto_LUKS       ecb4bf66-2236-4be1-8de3-6ff5714a1728
      └─nvme0n1p3_crypt   LVM2_member       c7m5g9-rJp3-IvGP-ehge-mdO5-rgX3-Z7Djhb
        ├─vgubuntu-root   ext4              d892accc-9cbc-4605-b60e-789ea994e1db    316,2G    27% /
        └─vgubuntu-swap_1 swap              0c701516-cc7b-4d6d-ace8-96131bb6cd3b                  [SWAP]

We're looking for the NAME that has crypto_LUKS in the FSTYPE column, i.e. in this case nvme0n1p3.

  1. Add a new passphrase:

    Be aware that you will be prompted for your passphrase at boot, before you are able to switch your keyboard layout. Choose a passphrase that works on your default working layout as well as on the US layout ("z" and "y" are swapped, and special characters might be tricky).

    sudo cryptsetup luksAddKey /dev/nvme0n1p3

    You will be asked for any existing passphrase before you can add a new one, so type in your old passphrase at that prompt.

    Or add a keyfile:

    sudo cryptsetup luksAddKey /dev/nvme0n1p3 /path/to/keyfile
  2. Reboot and decrypt with your new passphrase.

  3. If your new key works, you can remove the old one:

    sudo cryptsetup luksRemoveKey /dev/nvme0n1p3

    You will be asked which passphrase should be deleted.
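
A pre-removal check for step 3, as an added example that is not part of the original card: it confirms that the new passphrase unlocks a keyslot and that at least two keyslots are in use before the old one is removed. The function names and the abridged sample dump are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original card; function names are hypothetical.

# Print the number of each keyslot in use, reading `cryptsetup luksDump` output
# on stdin. LUKS1 prints "Key Slot 0: ENABLED"; LUKS2 lists numbered entries
# under "Keyslots:" (the later "Digests:" section is numbered the same way and
# must not be counted).
active_keyslots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { sub(/:/, "", $3); print $3; next }
    /^[A-Za-z]/                 { in_slots = ($1 == "Keyslots:") }
    in_slots && /^ +[0-9]+: /   { sub(/:/, "", $1); print $1 }
  '
}

# Run after luksAddKey and before luksRemoveKey. Assumes root and the
# crypto_LUKS device from step 1 as the only argument.
check_before_remove() {
  local dev=$1 slots
  # --test-passphrase checks a passphrase against the header without mapping
  # the device. It uses the running session's keyboard layout, so the reboot
  # test from the card is still needed.
  cryptsetup open --test-passphrase "$dev" || return 1
  slots=$(cryptsetup luksDump "$dev" | active_keyslots | wc -l)
  if [ "$slots" -lt 2 ]; then
    echo "$dev: only $slots keyslot in use, keep the old passphrase" >&2
    return 1
  fi
  echo "$dev: passphrase accepted, $slots keyslots in use"
}

# Constructed, abridged luksDump output (LUKS2) for trying the parser offline:
#   printf '%s\n' "$SAMPLE_LUKS2" | active_keyslots
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Usage as root: source this file, then run: check_before_remove /dev/nvme0n1p3
```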

Owner of this card:

Arne Hartherz
Last edit:
11 months ago
by Florian Heinle
Keywords:
linux, pre-boot, dmcrypt, password, add, key
Posted by Arne Hartherz to makandra orga