Cryptsetup actions specific for LUKS
It is possible to define up to 8 different keys per LUKS partition (this is the LUKS1 limit; a LUKS2 header holds up to 32 key slots by default). This enables the user to create access keys for safe backup storage. Also, a different key slot can be used to grant a user access to a partition by issuing a second key and later revoking it again. The passphrase or key file of a key slot can be changed.
Once an encrypted partition has been created, the initial key slot 0 is populated (unless another slot was specified manually). Additional key slots are numbered from 1 to 7. Which key slots are in use can be seen by issuing

# cryptsetup luksDump /dev/<device> | grep BLED
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Note that the grep only matches the ENABLED/DISABLED lines of a LUKS1 header. For a LUKS2 header, luksDump lists only the active slots under a Keyslots: section (one line per slot, e.g. "  0: luks2"), so unused slots simply do not appear.
Adding LUKS keys
Adding new key slots is accomplished using cryptsetup with the luksAddKey action. For safety it will always, i.e. also for already unlocked devices, ask for a valid existing key ("any passphrase") before a new one may be entered:

# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>)
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Where <device> is the volume containing the LUKS header to which the new key slot is added. This works on header backup files as well. If /path/to/<additionalkeyfile> is given, cryptsetup will add a new key slot for <additionalkeyfile>. Otherwise a new passphrase will be prompted for twice.
To unlock the master key with an existing key file instead of a passphrase, the -d option followed by the "old" <keyfile> makes cryptsetup try the key file's contents against all active key slots:

# cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>) -d /path/to/<keyfile>
If it is intended to use multiple keys and change or revoke them later, the -S option may be used to specify the slot:

# cryptsetup luksAddKey /dev/<device> -S 6
Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:
# cryptsetup luksDump /dev/<device> | grep 'Slot 6'
Key Slot 6: ENABLED
Now we decide to change the key right away

# cryptsetup luksChangeKey /dev/<device> -S 6
Enter LUKS passphrase to be changed:
Enter new LUKS passphrase:

before continuing to remove it.
Removing LUKS keys
There are two different actions to remove keys from the header:
luksRemoveKey is used to remove a key by specifying its passphrase/key file, and
luksKillSlot may be used to remove a key from a specific key slot (using another key). Obviously, this is extremely useful if you have forgotten a passphrase, lost a key file, or have no access to it.
Before removing anything, it is good to know that the key we want to keep is still valid. An easy check is to unlock the device with the -v option, which reports which slot the key occupies:

# cryptsetup -v open /dev/<device> testcrypt
Enter passphrase for /dev/<device>:
Key slot 1 unlocked.
Command successful.

If the device should not be activated for the check, add --test-passphrase: cryptsetup then only verifies the passphrase against the header and, with -v, still reports the slot it unlocked.
Now we can remove the key added above like:

# cryptsetup luksRemoveKey /dev/<device>
Enter LUKS passphrase to be deleted:
If we had used the same passphrase for two keyslots, the first slot would be wiped now. Only executing it again would remove the second one.
Alternatively, we can specify the key slot:

# cryptsetup luksKillSlot /dev/<device> 6
Enter any remaining LUKS passphrase:
Note that in both cases, no confirmation was required.
# cryptsetup luksDump /dev/<device> | grep 'Slot 6'
Key Slot 6: DISABLED
To stick with the warning above: If the same passphrase had been used for key slots 1 and 6, both would be gone now.
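The following script is an added example, not taken from the wiki page or from the cryptsetup project. It covers two things from above: listing the active key slots from luksDump output (working for both the LUKS1 "Key Slot N: ENABLED" layout and the LUKS2 "Keyslots:" section, where grep BLED finds nothing) and checking, before a slot is killed, that the key to be kept still unlocks a different slot. The function names, the luks_kill_slot_safely policy and the two sample dumps are the author's own constructions; the sample dumps are abbreviated and the calls to cryptsetup assume cryptsetup 2.x on PATH and root privileges.

```shell
#!/bin/sh
# Added example: LUKS key-slot housekeeping helpers (not from the wiki page).
# Assumes: cryptsetup 2.x on PATH for the functions that invoke it; the sample
# luksDump texts below are constructed for the demo, not captured from a device.

# Print the numbers of the active key slots, one per line, from luksDump output
# read on stdin. Handles LUKS1 ("Key Slot N: ENABLED") and LUKS2 (a "Keyslots:"
# section whose slot lines look like "  N: luks2"; unused slots are not listed).
luks_active_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1 line
        /^Keyslots:/                 { in_ks = 1; next }                    # LUKS2 section start
        /^[A-Za-z]/                  { in_ks = 0 }                           # next top-level section
        in_ks && /^[ \t]+[0-9]+: /   { sub(":", "", $1); print $1 }          # LUKS2 slot line
    '
}

# Count active slots from luksDump output on stdin.
luks_active_slot_count() {
    luks_active_slots | wc -l | tr -d ' '
}

# Extract the slot number from "cryptsetup -v ..." output ("Key slot N unlocked.").
# Prints nothing if no such line is present (e.g. wrong passphrase).
parse_unlocked_slot() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p'
}

# Report which slot a key unlocks without activating the device.
# Usage: luks_slot_for_key /dev/<device> [-d /path/to/keyfile]   (prompts otherwise)
luks_slot_for_key() {
    cryptsetup open --test-passphrase -v "$@" 2>&1 | parse_unlocked_slot
}

# Kill slot $2 on device $1 only if key file $3 (the key to KEEP) still unlocks a
# different slot. Refuses otherwise, so the last working key is never removed.
luks_kill_slot_safely() {
    dev=$1; slot=$2; keepfile=$3
    keep_slot=$(luks_slot_for_key "$dev" -d "$keepfile")
    if [ -z "$keep_slot" ]; then
        echo "refusing: $keepfile does not unlock any slot of $dev" >&2; return 1
    fi
    if [ "$keep_slot" = "$slot" ]; then
        echo "refusing: slot $slot is the slot $keepfile unlocks" >&2; return 1
    fi
    # luksKillSlot verifies the key file against another slot before wiping $slot
    cryptsetup luksKillSlot -d "$keepfile" "$dev" "$slot"
}

# Constructed, abbreviated LUKS1 dump (slots 0, 1 and 6 enabled).
sample_luks1_dump() {
cat <<'EOF'
LUKS header information for /dev/sdX

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64

Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: ENABLED
        Iterations:             1000000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: ENABLED
        Iterations:             1000000
Key Slot 7: DISABLED
EOF
}

# Constructed, abbreviated LUKS2 dump (slots 0 and 6 active; note the "0:" entries
# under Data segments and Digests that must not be mistaken for key slots).
sample_luks2_dump() {
cat <<'EOF'
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  6: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Stand-alone demonstration on the constructed dumps (no cryptsetup needed).
demo() {
    echo "LUKS1 active slots:"; sample_luks1_dump | luks_active_slots
    echo "LUKS2 active slots:"; sample_luks2_dump | luks_active_slots
    echo "slot parsed from -v output:"
    printf 'Key slot 1 unlocked.\nCommand successful.\n' | parse_unlocked_slot
}
demo
```

On a real device, cryptsetup luksDump /dev/<device> | luks_active_slots replaces the grep BLED one-liner for both header versions, and luks_kill_slot_safely /dev/<device> 6 /path/to/<keyfile> is the guarded form of the luksKillSlot step above: it aborts if the key file no longer unlocks anything or if it unlocks slot 6 itself, which is exactly the "same passphrase in two slots" situation the warning describes.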