You decided to protect your data with LUKS, and that’s great, but you chose a bad passphrase, and you need to change it. You’re in luck. Unlike a lot of encryption solutions, LUKS actually does allow you to change your passphrase fairly easily. Unfortunately, this isn’t a solution for a lost passphrase, you do need to know your previous one, but it is a great way to rotate passphrases or get rid of a poorly designed old one.

Changing the Passphrase

Simply changing your passphrase on a LUKS drive with only one passphrase is extremely easy. Open a terminal and run the following command, substituting the actual drive location for “sdX.” First, you’ll be prompted to enter your existing passphrase. Then, you can create a new one.

Change Single LUKs Passphrase

LUKs Drives With Multiple Passphrases

LUKS Drives can actually have multiple passphrases or key files associated with them, up to eight. To start, take a look at your drive and see how many keys it has. Chances are, you’ll only see key slot 0 occupied. That’s the first one.

List LUKs Keys

If you have free slots open, you can always add another passphrase to your drive. Run the following command, and a new key will be appended in the first free slot.

Add a LUKs Key

When you’re managing multiple keys on the same drive, you’re going to need the ability to target specific ones. Once again, you can do that pretty simply with the -S flag. Just add the slot number after to pick a key to alter.

Removing a Passphrase

When working with multiple keys, you’re probably going to need to remove old ones from time to time. There are a few ways that LUKS lets you handle it. The simplest way is to use the built in command to remove a key, and LUKS will prompt you for a passphrase. It’ll automatically remove the key associated with the one that you enter.

Remove a LUKs Key

In case you’d prefer to specify it yourself, you can use the KillSlot command to remove the key in a certain slot. Just include the slot number after the drive, and that’s the one that’ll be removed.