36

I would like to change a LUKS password. I want to remove my old password, but I would like to try out my new password before removing the original. I obviously know the old password. I would like to use the terminal not GUI.

I have sensitive data on the drive and would rather not have to use my backup so I need the method to be safe.

Gilles 'SO- stop being evil'
user

1 Answer

44

In the LUKS scheme, you have 8 "slots" for passwords or key files. First, check which of them are used:

cryptsetup luksDump /dev/<device> |grep BLED

Then you can add, change or delete chosen keys:

cryptsetup luksAddKey /dev/<device> [/path/to/<additionalkeyfile>, optional] 

cryptsetup luksChangeKey /dev/<device> -S 6

As for deleting keys, you have 2 options:

a) delete any key that matches your entered password:

cryptsetup luksRemoveKey /dev/<device>

b) delete a key in specified slot:

cryptsetup luksKillSlot /dev/<device> 6
Tomasz Klim
  • 2
    After a little checking, that should probably be `cryptsetup luksAddKey /dev/ []` per the docs. The `[]` indicates that it's optional, which completely escaped me as written with `()`. I thought I was going to need to figure out how to first create the keyfile then use these instructions to add it. Turns out you don't need that at all. – fbicknel Jun 28 '19 at 14:14
  • 1
    **Just a note**, I've seen mention that it might be possible to mess up an Ubuntu (older than 19.04) installed disk by removing the last and only key/slot, rendering the disk unbootable, see: https://bugs.launchpad.net/ubuntu/+source/libblockdev/+bug/1837437 . Basically ensure there are always at least 2 slots used before removing 1, for older versions of Ubuntu. – jmunsch Dec 11 '19 at 12:32
  • 1
    What is `grep BLED` supposed to do? – robertspierre Oct 24 '22 at 22:16
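
The add, test, then remove sequence the question asks for, written out as an added example (it is not part of the answer or the comments above). The function names and the backup path are hypothetical; `luksHeaderBackup` and `open --test-passphrase` are cryptsetup features the answer does not mention, and the slot counter assumes the `luksDump` layouts noted in its comment.

```shell
#!/usr/bin/env bash
# Added example: rotate a LUKS passphrase without ever leaving the volume keyless.
# cryptsetup prompts for every passphrase itself; nothing secret is stored here.

# Count keyslots in use from `cryptsetup luksDump` output on stdin.
# Assumed layouts: LUKS1 prints "Key Slot N: ENABLED", LUKS2 prints "  N: luks2".
count_used_slots() {
    grep -Ec '^Key Slot [0-9]+: ENABLED|^[[:space:]]+[0-9]+: luks2' || true
}

rotate_luks_passphrase() {
    local dev="$1" backup="$2" before after
    before=$(cryptsetup luksDump "$dev" | count_used_slots)
    echo "Keyslots in use: $before"

    # 1. Header backup: it contains the keyslots, so protect it like the disk itself.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1

    # 2. Add the new passphrase (asks for an existing one first, then the new one).
    cryptsetup luksAddKey "$dev" || return 1

    # 3. Prove the NEW passphrase unlocks the volume; nothing is mapped or mounted.
    echo "Enter the NEW passphrase to test it:"
    cryptsetup -v open --test-passphrase "$dev" || {
        echo "New passphrase did not unlock $dev; old key left in place." >&2
        return 2
    }

    # 4. Remove the old key only if another slot would still remain afterwards.
    after=$(cryptsetup luksDump "$dev" | count_used_slots)
    if [ "$after" -lt 2 ]; then
        echo "Only $after keyslot in use; refusing to remove a key." >&2
        return 3
    fi
    echo "Enter the OLD passphrase to remove it:"
    cryptsetup luksRemoveKey "$dev" || return 1
    echo "Done. Keyslots in use: $(cryptsetup luksDump "$dev" | count_used_slots)"
}

# Runs only when both arguments are given, e.g.:
#   sudo ./rotate.sh /dev/<device> /root/luks-header.img
if [ "$#" -eq 2 ]; then
    rotate_luks_passphrase "$1" "$2"
fi
```

With `-v`, the test step also reports which key slot was unlocked, which confirms that the new slot (not the old one) accepted the passphrase you typed.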