You decided to protect your data with LUKS, and that’s great, but you chose a bad passphrase, and you need to change it. You’re in luck. Unlike a lot of encryption solutions, LUKS actually does allow you to change your passphrase fairly easily. Unfortunately, this isn’t a solution for a lost passphrase; you do need to know your previous one. It is, however, a great way to rotate passphrases or get rid of a poorly chosen old one.
Changing the Passphrase
Simply changing your passphrase on a LUKS drive with only one passphrase is extremely easy. Open a terminal and run the following command, substituting the actual drive location for “sdX.” First, you’ll be prompted to enter your existing passphrase. Then, you can create a new one.
LUKS Drives With Multiple Passphrases
LUKS drives can actually have multiple passphrases or key files associated with them, up to eight. To start, take a look at your drive and see how many key slots it has in use. Chances are, you’ll only see key slot 0 occupied. That’s the first one.
If you have free slots open, you can always add another passphrase to your drive. Run the following command, and a new key will be appended in the first free slot.
When you’re managing multiple keys on the same drive, you’re going to need the ability to target specific ones. Once again, you can do that pretty simply with the -S flag. Just add the slot number after it to pick which key to alter.
Removing a Passphrase
When working with multiple keys, you’re probably going to need to remove old ones from time to time. There are a few ways that LUKS lets you handle it. The simplest way is to use the built-in command to remove a key, and LUKS will prompt you for a passphrase. It’ll automatically remove the key slot associated with the passphrase that you enter.
In case you’d prefer to specify it yourself, you can use the KillSlot command to remove the key in a certain slot. Just include the slot number after the drive, and that’s the one that’ll be removed.
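The three procedures above (changing a passphrase, inspecting and adding key slots, and removing a slot by passphrase or by number) all map onto cryptsetup subcommands: luksChangeKey, luksDump, luksAddKey, luksRemoveKey and luksKillSlot, with -S selecting a slot. The script below is an added example, not code from the original article or from the cryptsetup project. It assumes cryptsetup is installed and that you run it as root; the function names, the DRY_RUN switch and the two luksDump excerpts are constructed for illustration. It parses luksDump output to count occupied slots and find the first free one, validates slot numbers before passing them to -S or luksKillSlot, and refuses to kill the only remaining slot, since doing so would leave the data permanently unreadable.

```shell
#!/bin/sh
# Added example, not from the original article: a small helper around
# cryptsetup's luksDump, luksAddKey, luksChangeKey, luksRemoveKey and
# luksKillSlot subcommands. Assumes cryptsetup is installed and that you run
# this as root. Set DRY_RUN=1 to print the commands instead of executing them.

MAX_SLOTS=8   # the article's slot range: key slots 0 to 7

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the numbers of the occupied key slots, one per line, from luksDump
# output on stdin. Handles the LUKS1 layout ("Key Slot 3: ENABLED") and the
# LUKS2 layout, where used slots appear under "Keyslots:" as "  3: luks2".
occupied_slots() {
    awk '
        /^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }
        /^  [0-7]: luks2/          { sub(":", "", $1); print $1 }
    '
}

# How many slots are in use (stdin: luksDump output).
slot_count() { occupied_slots | wc -l | tr -d ' '; }

# Lowest free slot number; exit status 1 when all eight are taken.
first_free_slot() {
    used=" $(occupied_slots | tr '\n' ' ')"
    i=0
    while [ "$i" -lt "$MAX_SLOTS" ]; do
        case "$used" in
            *" $i "*) ;;
            *) echo "$i"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

# True when the given slot is the only one in use (stdin: luksDump output).
is_sole_slot() {
    [ "$(occupied_slots | tr '\n' ' ')" = "$1 " ]
}

# Slot numbers handed to -S or luksKillSlot must be a single digit 0-7.
valid_slot() {
    case "$1" in [0-7]) return 0 ;; *) return 1 ;; esac
}

# Change the passphrase held in one specific slot (cryptsetup prompts for
# the current passphrase of that slot, then for the new one).
change_key_in_slot() {
    valid_slot "$2" || { echo "slot must be 0-7" >&2; return 2; }
    run cryptsetup luksChangeKey -S "$2" "$1"
}

# Add a passphrase; cryptsetup places it in the first free slot by itself.
add_key() { run cryptsetup luksAddKey "$1"; }

# Remove whichever slot matches the passphrase you type in.
remove_key() { run cryptsetup luksRemoveKey "$1"; }

# Wipe a slot by number, refusing to delete the last usable key.
kill_slot() {
    dev=$1; slot=$2
    valid_slot "$slot" || { echo "slot must be 0-7" >&2; return 2; }
    if [ -z "$DRY_RUN" ] && cryptsetup luksDump "$dev" | is_sole_slot "$slot"; then
        echo "refusing: slot $slot holds the only key on $dev" >&2
        return 3
    fi
    run cryptsetup luksKillSlot "$dev" "$slot"
}

# Constructed LUKS1-style luksDump excerpt (not a real header): slots 0 and 5
# are in use.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdX
Version:        1
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: ENABLED
        Iterations:             1234567
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Constructed LUKS2-style excerpt: slots 0 and 1 in use.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
Digests:
  0: pbkdf2'

# Stand-alone usage: "sh luks-slots.sh /dev/sdX" reports the slot state.
if [ -n "$1" ]; then
    dump=$(cryptsetup luksDump "$1")
    printf '%s slot(s) in use; first free slot: %s\n' \
        "$(printf '%s\n' "$dump" | slot_count)" \
        "$(printf '%s\n' "$dump" | first_free_slot || echo none)"
fi
```

Run it with no arguments and DRY_RUN=1 to see the exact cryptsetup command each function would issue before touching a real device; the refusal in kill_slot is this script's own safeguard, checked against a fresh luksDump immediately before the slot is wiped.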