We use encryption to protect mobile devices. For instance, I always use LUKS disk encryption to protect all files stored on my SSD. Dm-crypt (Cryptsetup and LUKS) open-source disk encryption is transparent disk encryption and a great way to keep your data secure. However, changing passphrase is a bit of a challenge for new Linux users and developers. This step-by-step guide explains how to find LUKS slots assigned to you and change your passphrase on a Debian/Ubuntu, CentOS/RHEL, OpenSUSE/SUSE other Linux distros.
How to change LUKS disk encryption passphrase in Linux
First, we need to locate information about encrypted filesystems.
Step 1 – Query /etc/crypttab file on Linux
The file /etc/crypttab contains descriptive information about LUKS encrypted filesystems and view with the cat command:
sudo cat /etc/crypttab
Here is what I saw:
sda3_crypt UUID=42e50ed0-5055-45f5-b1fc-0f54669e6d1f none luks,discard>
So I have sda3_crypt. On your system, you may see a different name such as md1_crypt for RAID-1 protected LUKS disk encryption. Now we obtained device information, and it is time to find the partition schema for sda3:
sudo fdisk -l /dev/sda
Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors Disk model: CT1000MX500SSD1 Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 4096 bytes I/O size (minimum/optimal): 4096 bytes / 4096 bytes Disklabel type: gpt Disk identifier: 1BB1DDD0-47F9-48FB-AA29-69D6A74F4D91 Device Start End Sectors Size Type /dev/sda1 2048 1050623 1048576 512M EFI System /dev/sda2 1050624 1550335 499712 244M Linux filesystem /dev/sda3 1550336 1953523711 1951973376 930.8G Linux filesystem
Make sure you substitute /dev/sda3 with your actual device name on Linux.
Step 2 – Dump the header information of a LUKS device
Execute the following command to get information about our encrypted /dev/sda3:
sudo cryptsetup luksDump /dev/sda3
My LUKS disk/parition header info:
LUKS header information Version: 2 Epoch: 4 Metadata area: 16384 [bytes] Keyslots area: 16744448 [bytes] UUID: 42e50ed0-5055-45f5-b1fc-0f54669e6d1f Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 16777216 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 512 [bytes] Keyslots: 0: luks2 Key: 512 bits Priority: normal Cipher: aes-xts-plain64 Cipher key: 512 bits PBKDF: argon2i Time cost: 7 Memory: 1048576 Threads: 4 Salt: fc 9d b7 e0 ec 06 d0 b1 47 09 61 6f c1 73 f9 51 b7 ff 9b 6b 44 a0 2b c5 dd 5a c4 7e 46 28 c3 62 AF stripes: 4000 AF hash: sha256 Area offset:32768 [bytes] Area length:258048 [bytes] Digest ID: 0 Tokens: Digests: 0: pbkdf2 Hash: sha256 Iterations: 136107 Salt: 40 82 65 fc cf e1 24 d3 0d b8 85 07 13 c7 dd a1 03 52 6a b9 04 b8 6d 23 4a d1 90 89 cb 96 a7 ca Digest: 5b d0 10 56 e4 9a ff e1 eb 14 2a fb 4d 85 ba c3 a7 75 fa fa 6c 24 cc 01 b0 9c 34 dd 48 98 1a d9
It seems I only have slot 0, but on many systems, you may see up to 8 slots numbered from 0 to 7. Therefore in step # 3, we will see how to determine your LUKS slot.
Step 3 – Finding out LUKS slot assigned to you by Linux sysadmin or installer
To determine which luks slot a passphrase is in on Linux, run:
sudo cryptsetup --verbose open --test-passphrase /path/to/dev/
sudo cryptsetup --verbose open --test-passphrase /dev/sda3
The command will tell you the correct LUKS slot without any guesswork on your part:
Enter passphrase for /dev/sda3: Key slot 0 unlocked. Command successful.
Please note down slot number. In other words, we need to use slot number 0 for /dev/sda3.
Step 4 – Changing LUKS disk encryption passphrase in Linux using the command-line
So far, so good we obtained all information required for updating or changing or existing passphrase. Please note that a passphrase is similar to a password in usage but is commonly longer for security reasons. The syntax is:
sudo cryptsetup luksChangeKey /dev/sda3 -S 0
First, enter the existing passphrase and press the [Enter] key. If the passphrase is correct, you are allowed to change it by entering it twice as follows:
Enter passphrase to be changed: Enter new passphrase: Verify passphrase:
Step 5 – Verify new passphrase
Either reboot the Linux system or simulate a new passphrase on the CLI as follows:
sudo cryptsetup --verbose open --test-passphrase /dev/sda3
Using ‘Disks & storage’ GUI tool to change the passphrase
New Linux developers and users might find the whole command line complicated. Fortunately, Linux desktop users can skip all complicated steps and directly use Disk & storage utility.
Say hello to gnome-disks – the GNOME Disks application
The gnome-disks is the command to launch the GNOME Disks application. Disks provides a way to inspect, format, partition and configure disks and block devices. Open the Terminal application and then type:
We can also open Disks app from the Activities overview GUI. Once opened, choose the disk from the list in the left pane and make sure you select LUKS. Click on the additional partition option and click on the Change passphrase:
We explained both GUI and CLI methods for updating or replacing the existing LUKS disk encryption passphrase on your Linux system. Please note that we only changed the passphrase assigned to your slot. LUKS has the master key, too, and cannot alter without re-encryption. The master key is used to decrypt the LUKS container’s data without a passphrase and even without the LUKS header. In other words, if the master key is compromised, the whole device has to be erased to prevent further access. I would strongly suggest that you read LUKS documentation online or man page by typing the following man command:
$ man cryptsetup
$ man crypttab
- Linux Hard Disk Encryption With LUKS
- Backup and restore LUKS header on Linux
- Change LUKS disk encryption passphrase on Linux
- Unlock LUKS using Dropbear SSH keys remotely in Linux
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
|Category||List of Unix and Linux commands|
|Firewall||Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|