Tips and Tricks
Changing your LUKS Passphrase Key
First, check which slot the current key is in. As noted in dm-crypt/Device Encryption, there can be multiple keys if you are utilizing your TPM or FIDO2 to unlock your partition.
# sudo cryptsetup open --type=luks --test-passphrase -vv /dev/nvme0n1p2
No usable token is available.
Enter passphrase for /dev/nvme0n1p2:
Key slot 0 unlocked.
Command successful.
In this case, the old passphrase is in slot 0.
Next, add a new key.
# cryptsetup luksAddKey /dev/nvme0n1p2
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:
Then, wipe out the key matching the original passphrase. You will be required to enter your new passphrase to finish this operation.
# cryptsetup luksKillSlot /dev/nvme0n1p2 0
Enter any remaining passphrase:
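The same procedure as a guarded script, added here as an example and not part of the original page: it records which slot the old passphrase opens, adds the new key, and refuses to run luksKillSlot unless the new passphrase is confirmed to open a different slot. The function names are hypothetical, and the device path is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Read `cryptsetup open --test-passphrase -v` output on stdin and print the
# slot number from the "Key slot N unlocked." line; fail if there is none.
unlocked_slot() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p' | head -n 1 | grep .
}

# Prompt for a passphrase on the terminal and print the slot it opens on $1.
probe_slot() {
    cryptsetup open --type=luks --test-passphrase -v "$1" 2>&1 | unlocked_slot
}

# Killing the old slot is safe only when both slots are known and differ.
safe_to_kill() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Usage (as root): rotate_passphrase /dev/nvme0n1p2
rotate_passphrase() {
    dev=$1
    echo "Step 1: enter the OLD passphrase" >&2
    old=$(probe_slot "$dev") || { echo "old passphrase opened no slot" >&2; return 1; }
    echo "Step 2: add the new key (existing passphrase, then the new one twice)" >&2
    cryptsetup luksAddKey "$dev" || return 1
    echo "Step 3: enter the NEW passphrase to confirm it works" >&2
    new=$(probe_slot "$dev") || { echo "new passphrase opened no slot" >&2; return 1; }
    if ! safe_to_kill "$old" "$new"; then
        echo "slot $new is the old slot; not wiping anything" >&2
        return 1
    fi
    echo "Step 4: wiping slot $old (enter the NEW passphrase)" >&2
    cryptsetup luksKillSlot "$dev" "$old"
}
```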