How to change your dm-crypt passphrase
dm-crypt has multiple passphrase slots. The process will be to add a new passphrase to a new slot, check that it works, and then remove the old passphrase.
- Find out which partitions are decrypted by dm-crypt:
$ lsblk --fs NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT nvme0n1 ├─nvme0n1p1 vfat 65CB-0937 503,2M 2% /boot/efi ├─nvme0n1p2 ext4 4c74e2f2-ac89-460d-a735-6c4af43adb3c 288,2M 52% /boot └─nvme0n1p3 crypto_LUKS ecb4bf66-2236-4be1-8de3-6ff5714a1728 └─nvme0n1p3_crypt LVM2_member c7m5g9-rJp3-IvGP-ehge-mdO5-rgX3-Z7Djhb ├─vgubuntu-root ext4 d892accc-9cbc-4605-b60e-789ea994e1db 316,2G 27% / └─vgubuntu-swap_1 swap 0c701516-cc7b-4d6d-ace8-96131bb6cd3b [SWAP]
We're looking for the
NAME that has
crypto_LUKS in the
FSTYPE column, i.e. in this case
Add a new passphrase:
Be aware, that you will be prompted for your password on boot before being able to switch your keyboard layout, so choose your password so that it works on your default working layout as well as the US-Layout. ("z" and "y" swapped, special characters might be tricky)Copy
sudo cryptsetup luksAddKey /dev/nvme0n1p3
You will be asked for any existing passphrase before you can add a new passphrase. So type in your old passphrase when you are asked to enter any passphrase.
Or add a keyfile:Copy
sudo cryptsetup luksAddKey /dev/nvme0n1p3 /path/to/keyfile
Reboot and decrypt with your new passphrase.
If your new key works, you can remove the old one:Copy
sudo cryptsetup luksRemoveKey /dev/nvme0n1p3
You will be asked which passphrase should be deleted.