From ArchWiki
Revision as of 00:21, 15 March 2014 by Indigo (talk | contribs) (Removing LUKS keys)

Cryptsetup actions specific for LUKS

Key management

It is possible to define up to 8 different keys per LUKS partition. This enables the user to create access keys for safe backup storage. A different key slot can also be used to grant a user access to a partition by issuing a second key and later revoking it again. The passphrase or key-file belonging to a key may be changed.

Once an encrypted partition has been created, the initial keyslot 0 is created (if no other was specified manually). Additional keyslots are numbered from 1 to 7. Which keyslots are used can be seen by issuing

# cryptsetup luksDump /dev/<device> |grep BLED
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Adding LUKS keys

Adding new keyslots is accomplished using cryptsetup with the luksAddKey action. For safety it will always ask for a valid existing key ("any passphrase") before a new one may be entered, even for devices that are already unlocked:

# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>) 
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Where <device> is the volume containing the LUKS header to which the new keyslot is added. This works on header backup files as well.

If /path/to/<additionalkeyfile> is given, cryptsetup will add a new keyslot for <additionalkeyfile>. Otherwise a new passphrase will be prompted for twice.

To obtain the master key from an existing keyfile keyslot, pass the --key-file or -d option followed by the "old" <keyfile>; cryptsetup will try it against all available keyfile keyslots:

# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>) -d /path/to/<keyfile>

If it is intended to use multiple keys and change or revoke them, the --key-slot or -S option may be used to specify the slot:

# cryptsetup luksAddKey /dev/<device> -S 6 
Enter any passphrase: 
Enter new passphrase for key slot: 
Verify passphrase:
# cryptsetup luksDump /dev/<device> |grep 'Slot 6'
Key Slot 6: ENABLED

Now we decide to change the key right away:

# cryptsetup luksChangeKey /dev/<device> -S 6 
Enter LUKS passphrase to be changed: 
Enter new LUKS passphrase: 

before continuing to remove it.

Removing LUKS keys

There are two different actions to remove keys from the header:

  • luksRemoveKey is used to remove a key by specifying its passphrase/key-file and
  • luksKillSlot may be used to remove a key from a specific key slot (using another key). Obviously, this is extremely useful if you have forgotten a passphrase, lost a key-file, or have no access to it.
Warning: Both above actions can be used to irrevocably delete the last active passphrase or key to an encrypted device!

Given the above warning, it is good to verify that the key we want to keep is valid. An easy check is to unlock the device with the -v option, which reports which slot the key occupies:

# cryptsetup -v open /dev/<device> testcrypt
Enter passphrase for /dev/<device>: 
Key slot 1 unlocked.
Command successful.

Now we can remove the key added above like this:

# cryptsetup luksRemoveKey /dev/<device>
Enter LUKS passphrase to be deleted: 

If we had used the same passphrase for two keyslots, the first slot would be wiped now. Only executing it again would remove the second one.

Alternatively, we can specify the key slot:

# cryptsetup luksKillSlot /dev/<device> 6
Enter any remaining LUKS passphrase:

Note that in both cases, no confirmation was required.

# cryptsetup luksDump /dev/<device> |grep 'Slot 6'
Key Slot 6: DISABLED

To stick with the warning above: If the same passphrase had been used for key slots 1 and 6, both would be gone now.
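As an added illustration of the check described above (this is not part of the wiki page or of cryptsetup itself), the following POSIX shell functions parse the luksDump and "cryptsetup -v open" output shown in this section and refuse a luksKillSlot on the slot that was just verified or on the last enabled slot. The luksDump and open output embedded below is constructed to match the examples above.

```sh
# Added example, not from the wiki page: guard logic for luksKillSlot built on the
# command output shown above. Sample output below is constructed, not captured.

# Enabled slot numbers from "cryptsetup luksDump" output, space separated.
enabled_slots() {
    printf '%s\n' "$1" | sed -n 's/^Key Slot \([0-9]*\): ENABLED$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Slot number reported by "cryptsetup -v open ..." (the key we want to keep).
unlocked_slot() {
    printf '%s\n' "$1" | sed -n 's/^Key slot \([0-9]*\) unlocked\.$/\1/p'
}

# Returns 0 when killing slot $2 is safe: the slot is enabled, it is not the slot
# just verified ($3), and at least one other enabled slot remains afterwards.
kill_slot_is_safe() {
    dump=$1; target=$2; keep=$3
    slots=$(enabled_slots "$dump")
    case " $slots " in
        *" $target "*) ;;
        *) echo "slot $target is not enabled"; return 1 ;;
    esac
    if [ "$target" = "$keep" ]; then
        echo "refusing: slot $target is the verified key you want to keep"; return 1
    fi
    set -- $slots                     # word-split the enabled slots to count them
    if [ "$#" -le 1 ]; then
        echo "refusing: slot $target is the last enabled slot"; return 1
    fi
    return 0
}

# Constructed luksDump excerpt: slots 0, 1, 2 and the newly added slot 6 enabled.
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: ENABLED
Key Slot 7: DISABLED'

# Constructed "cryptsetup -v open" output, as in the verification step above.
SAMPLE_OPEN='Key slot 1 unlocked.
Command successful.'

KEEP=$(unlocked_slot "$SAMPLE_OPEN")
kill_slot_is_safe "$SAMPLE_DUMP" 6 "$KEEP" && echo "safe: cryptsetup luksKillSlot /dev/<device> 6"
```

On a real system, feed the functions the live output of `cryptsetup luksDump` and `cryptsetup -v open` instead of the constructed samples; the guard only decides, it never runs luksKillSlot itself.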