How to change your dm-crypt passphrase

Posted over 13 years ago.

dm-crypt has multiple passphrase slots. The process is to add a new passphrase to a new slot, check that it works, and then remove the old passphrase.

  1. Find out which partitions are encrypted with dm-crypt:

    $ lsblk --fs
    NAME                  FSTYPE      LABEL   UUID                                   FSAVAIL FSUSE% MOUNTPOINT
    nvme0n1
    ├─nvme0n1p1           vfat                65CB-0937                               503,2M     2% /boot/efi
    ├─nvme0n1p2           ext4                4c74e2f2-ac89-460d-a735-6c4af43adb3c    288,2M    52% /boot
    └─nvme0n1p3           crypto_LUKS         ecb4bf66-2236-4be1-8de3-6ff5714a1728
      └─nvme0n1p3_crypt   LVM2_member         c7m5g9-rJp3-IvGP-ehge-mdO5-rgX3-Z7Djhb
        ├─vgubuntu-root   ext4                d892accc-9cbc-4605-b60e-789ea994e1db    316,2G    27% /
        └─vgubuntu-swap_1 swap                0c701516-cc7b-4d6d-ace8-96131bb6cd3b                  [SWAP]

    We're looking for the NAME that has crypto in the FSTYPE column (crypto_LUKS), in this case nvme0n1p3. The commands below refer to it as /dev/nvme0n1p3.

  2. Add a new passphrase:

    Be aware that you will be prompted for your passphrase on boot before you can switch your keyboard layout, so choose a passphrase that works on your default working layout as well as on the US layout ("z" and "y" are swapped, and special characters might be tricky).

    sudo cryptsetup luksAddKey /dev/nvme0n1p3

    You will be asked for any existing passphrase before you can add a new one, so type in your old passphrase when you are asked to enter any passphrase.

    Or add a keyfile:

    sudo cryptsetup luksAddKey /dev/nvme0n1p3 /path/to/keyfile

  3. Reboot and decrypt with your new passphrase.

  4. If your new key works, you can remove the old one:

    sudo cryptsetup luksRemoveKey /dev/nvme0n1p3

    You will be asked which passphrase should be deleted. Enter the old one.
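The add-and-check part of the procedure above as a script. This is an added example, not part of the original card. It catches a mistyped new passphrase in the running session before you reboot, but it cannot test the boot-time keyboard layout, so the reboot step still applies. The names luks_devices, add_and_verify and the CRYPTSETUP override are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original card. Run as root.
# CRYPTSETUP is a hypothetical override so the logic can be dry-run with a stub.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# Read "NAME FSTYPE" pairs on stdin (the output of `lsblk -rno NAME,FSTYPE`)
# and print the /dev path of every LUKS container.
luks_devices() {
    awk '$2 == "crypto_LUKS" { print "/dev/" $1 }'
}

# Add a passphrase to a free slot, then confirm it unlocks the header.
# --test-passphrase only verifies the passphrase; it does not map the device.
# Returns 0 on success, 1 if adding failed, 2 if the new passphrase did not verify.
add_and_verify() {
    dev=$1
    echo "Adding a passphrase to $dev (existing passphrase first, then the new one)."
    "$CRYPTSETUP" luksAddKey "$dev" || return 1
    echo "Now type the NEW passphrase once more to check it."
    if ! "$CRYPTSETUP" open --type luks --test-passphrase "$dev"; then
        echo "New passphrase did not unlock $dev; keep using the old one." >&2
        return 2
    fi
    echo "Verified. Reboot and unlock with the new passphrase before running luksRemoveKey."
}

# Usage: ./rotate-check.sh /dev/nvme0n1p3   (without an argument: list candidates only)
case "${1:-}" in
    /dev/*) add_and_verify "$1" ;;
    *)      lsblk -rno NAME,FSTYPE 2>/dev/null | luks_devices ;;
esac
```

A return code of 2 means the old passphrase is still the only one known to work, so do not run luksRemoveKey.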

Last edit: over 1 year ago by Ruben Aleman
Keywords: linux, pre-boot, dmcrypt, password, add, key
Source code in this card is licensed under the MIT License.
Posted by Arne Hartherz to makandra orga (2010-09-07 08:21)