From ArchWiki

Tips and Tricks

Changing your LUKS Passphrase Key

First, check which key slot the current passphrase occupies. As noted in dm-crypt/Device Encryption, there can be multiple keys if you are using your TPM or FIDO2 to unlock your partition.

# cryptsetup open --type=luks --test-passphrase -vv /dev/nvme0n1p2
No usable token is available.
Enter passphrase for /dev/nvme0n1p2:
Key slot 0 unlocked.
Command successful.

In this case, the old passphrase is in slot 0.

Next, add a new key.

# cryptsetup luksAddKey /dev/nvme0n1p2
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Then wipe the key slot holding the original passphrase. You will be required to enter your new passphrase to finish this operation.

# cryptsetup luksKillSlot /dev/nvme0n1p2 0
Enter any remaining passphrase:
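
The same rotation as a guarded script, added here as an example and not part of the wiki page: it kills the old slot only after a second test-passphrase run shows the new passphrase unlocking a different slot. The function names are hypothetical, and it assumes the verbose output format shown above and that no token unlocks the device automatically.

```shell
#!/bin/sh
# Added example (not from the wiki page): rotate a LUKS passphrase, refusing
# to kill the old key slot until the new passphrase is proven to work.

# Read `cryptsetup open --test-passphrase -v` output on stdin and print N from
# the "Key slot N unlocked." line (format as shown in the transcript above).
unlocked_slot() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p' | head -n 1
}

# Succeed only if both slot numbers are numeric and different, i.e. the
# verification run really used the new key and not the old one again.
safe_to_kill() {
    old=$1 new=$2
    case "$old" in ''|*[!0-9]*) return 1 ;; esac
    case "$new" in ''|*[!0-9]*) return 1 ;; esac
    [ "$old" -ne "$new" ]
}

# Let cryptsetup prompt for a passphrase and print the slot it unlocked.
# Assumption: the prompt goes to the terminal, the verbose lines to the pipe.
probe_slot() {
    cryptsetup open --test-passphrase -v "$1" 2>&1 | unlocked_slot
}

rotate_passphrase() {
    dev=$1
    echo "Step 1: enter the OLD passphrase" >&2
    old_slot=$(probe_slot "$dev")
    if [ -z "$old_slot" ]; then
        echo "old passphrase did not unlock any slot" >&2
        return 1
    fi
    echo "Step 2: add the new passphrase" >&2
    cryptsetup luksAddKey "$dev" || return 1
    echo "Step 3: enter the NEW passphrase to verify it" >&2
    new_slot=$(probe_slot "$dev")
    if ! safe_to_kill "$old_slot" "$new_slot"; then
        echo "not killing slot $old_slot (verified slot: ${new_slot:-none})" >&2
        return 1
    fi
    echo "Step 4: remove old slot $old_slot" >&2
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Run as root with the LUKS device as the only argument.
if [ "$#" -eq 1 ]; then rotate_passphrase "$1"; fi
```

If the old passphrase is typed again at step 3, both probes report the same slot and the script stops before `luksKillSlot`, leaving both keys in place.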