We use encryption to protect mobile devices. For instance, I always use LUKS disk encryption to protect all files stored on my SSD. Dm-crypt (Cryptsetup and LUKS) open-source disk encryption is transparent disk encryption and a great way to keep your data secure. However, changing passphrase is a bit of a challenge for new Linux users and developers. This step-by-step guide explains how to find LUKS slots assigned to you and change your passphrase on a Debian/Ubuntu, CentOS/RHEL, OpenSUSE/SUSE other Linux distros.
First, we need to locate information about encrypted filesystems.
The file /etc/crypttab contains descriptive information about LUKS encrypted filesystems and view with the cat command:
# sudo cat /etc/crypttab
Here is what I saw:
sda3_crypt UUID=42e50ed0-5055-45f5-b1fc-0f54669e6d1f none luks,discard>
So I have sda3_crypt. On your system, you may see a different name such as md1_crypt for RAID-1 protected LUKS disk encryption. Now we obtained device information, and it is time to find the partition schema for sda3:
# sudo fdisk -l /dev/sda
Outputs:
Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors Disk model: CT1000MX500SSD1 Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 4096 bytes I/O size (minimum/optimal): 4096 bytes / 4096 bytes Disklabel type: gpt Disk identifier: 1BB1DDD0-47F9-48FB-AA29-69D6A74F4D91 Device Start End Sectors Size Type /dev/sda1 2048 1050623 1048576 512M EFI System /dev/sda2 1050624 1550335 499712 244M Linux filesystem /dev/sda3 1550336 1953523711 1951973376 930.8G Linux filesystem
Execute the following command to get information about our encrypted /dev/sda3:
# sudo cryptsetup luksDump /dev/sda3
My LUKS disk/parition header info:
LUKS header information Version: 2 Epoch: 4 Metadata area: 16384 [bytes] Keyslots area: 16744448 [bytes] UUID: 42e50ed0-5055-45f5-b1fc-0f54669e6d1f Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 16777216 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] Keyslots: 0: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2i Time cost: 7 Memory: 1048576 Threads: 4 Salt: fc 9d b7 e0 ec 06 d0 b1 47 09 61 6f c1 73 f9 51 b7 ff 9b 6b 44 a0 2b c5 dd 5a c4 7e 46 28 c3 62 AF stripes: 4000 AF hash: sha256 Area offset:32768 [bytes] Area length:258048 [bytes] Digest ID: 0 Tokens: Digests: 0: pbkdf2 Hash: sha256 Iterations: 136107 Salt: 40 82 65 fc cf e1 24 d3 0d b8 85 07 13 c7 dd a1 03 52 6a b9 04 b8 6d 23 4a d1 90 89 cb 96 a7 ca Digest: 5b d0 10 56 e4 9a ff e1 eb 14 2a fb 4d 85 ba c3 a7 75 fa fa 6c 24 cc 01 b0 9c 34 dd 48 98 1a d9
It seems I only have slot 0, but on many systems, you may see up to 8 slots numbered from 0 to 7. Therefore in step # 3, we will see how to determine your LUKS slot.
To determine which luks slot a passphrase is in on Linux, run:
# sudo cryptsetup --verbose open --test-passphrase /path/to/dev/ # sudo cryptsetup --verbose open --test-passphrase /dev/sda3
The command will tell you the correct LUKS slot without any guesswork on your part:
Enter passphrase for /dev/sda3: Key slot 0 unlocked. Command successful.
Please note down slot number. In other words, we need to use slot number 0 for /dev/sda3.
So far, so good we obtained all information required for updating or changing or existing passphrase. Please note that a passphrase is similar to a password in usage but is commonly longer for security reasons. The syntax is:
# sudo cryptsetup luksChangeKey /dev/sda3 -S 0
First, enter the existing passphrase and press the [Enter] key. If the passphrase is correct, you are allowed to change it by entering it twice as follows:
Enter passphrase to be changed: Enter new passphrase: Verify passphrase:
Either reboot the Linux system or simulate a new passphrase on the CLI as follows:
# sudo cryptsetup --verbose open --test-passphrase /dev/sda3