
I'm in a (bad) situation where I have multiple correct passwords and used LUKS slots, but I can't tell which password belongs to which slot.

Decryption (during startup, thanks to crypttab) works well, but I can't tell which slot has been used. In order to rationalize this situation, is there a way to determine which LUKS slot has been used?

From this question I've read:

If you've forgotten one of the passphrases then you can only find which slot it's in by elimination, and if you've forgotten two of the passphrases then there's no way to tell which is which (otherwise the passphrase hash would be broken).

... so I'm a bit afraid of testing each slot for each password, even if I haven't found any reference to broken passphrase hashes in the man page.

Note: luckily the first LUKS slot is known, so I could get back on my feet by resetting the others.

ratnoz

1 Answer

The open LUKS container does not tell which keyslot it was opened with. So no, you can't determine later which slot "has been used".

However, if you know a valid key or passphrase, you can determine which slot it is located in, for example by re-running cryptsetup open with the --test-passphrase, --key-slot or --verbose options.

Normal operation (not very informative):

# cryptsetup open --test-passphrase luks.img 
Enter passphrase for foobar.img: first
# cryptsetup open --test-passphrase luks.img 
Enter passphrase for foobar.img: second
# cryptsetup open --test-passphrase luks.img 
Enter passphrase for foobar.img: third

Verbose operation (tells you which keyslot was used):

# cryptsetup --verbose open --test-passphrase luks.img 
Enter passphrase for foobar.img: first
Key slot 0 unlocked.
Command successful.
# cryptsetup --verbose open --test-passphrase luks.img 
Enter passphrase for foobar.img: second
Key slot 1 unlocked.
Command successful.
# cryptsetup --verbose open --test-passphrase luks.img 
Enter passphrase for foobar.img: third
Key slot 2 unlocked.
Command successful.

Specific keyslot operation (only accepts key stored in this slot):

# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: first
No key available with this passphrase.
# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: second
No key available with this passphrase.
# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: third

Normally the verbose mode is informative enough, however specifying the key slot directly can be useful when looking for duplicate passphrases (same key stored in two separate slots). It's also faster to test only one slot vs. going through all of them (optimizing LUKS open speed is a different topic, though).

frostschutz
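The --key-slot probing in the answer, automated across every slot so that a passphrase stored in two slots shows up as two matches. This is an added example, not the answer's own commands: it assumes cryptsetup with --test-passphrase and --key-file support, root privileges, the passphrase stored in a file, and a hypothetical CRYPTSETUP variable that only exists so a stand-in binary can be substituted.

```shell
#!/bin/sh
# Added example: probe each LUKS keyslot with one passphrase and report
# which slot(s) accept it. Assumes: run as root, cryptsetup supports
# --test-passphrase and --key-file, passphrase stored in a file (no
# trailing newline unless it is part of the passphrase).
# CRYPTSETUP is an assumed hook so a test can substitute a stand-in.

# Number of keyslots for a header format: LUKS1 has 8, LUKS2 has 32.
slot_count() {
    case "$1" in
        LUKS1) echo 8 ;;
        LUKS2) echo 32 ;;
        *) return 1 ;;
    esac
}

# Probe one slot; succeeds only if the passphrase opens that exact slot.
# --test-passphrase never activates the device, so no mapping name is needed.
probe_slot() {
    dev=$1 slot=$2 keyfile=$3
    "${CRYPTSETUP:-cryptsetup}" open --test-passphrase --tries 1 \
        --key-slot "$slot" --key-file "$keyfile" "$dev" >/dev/null 2>&1
}

# Print the space-separated slot numbers whose key matches the passphrase.
# More than one number means the same passphrase is stored twice.
matching_slots() {
    dev=$1 keyfile=$2 fmt=${3:-LUKS2}
    n=$(slot_count "$fmt") || return 1
    found=""
    i=0
    while [ "$i" -lt "$n" ]; do
        if probe_slot "$dev" "$i" "$keyfile"; then
            found="${found:+$found }$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$found"
}
```

Run it as `matching_slots /dev/sdX2 /root/passphrase.txt LUKS2` after sourcing the script; an empty line means no slot accepted the passphrase.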