
You may be using LUKS to encrypt your root partition, your home partition or other volumes.

Managing keys and passphrases is an important part of running LUKS. Below are a few common operations related to key and passphrase management, each of which needs root and operates on the LUKS header of the given device.

Viewing information about current keys

To view information about current keys and slots used, execute:

sudo cryptsetup luksDump /dev/sda2

Replace /dev/sda2 with the device node of your LUKS partition.

The example output from this system is redacted and not reproduced here. It shows two key slots in use: the first holds a passphrase, and the second holds a keyfile used to unlock secondary partitions once the root partition is open, so the passphrase does not have to be entered more than once.

luksDump reads only the header: it needs no passphrase and prints no key material, but for every enabled slot it shows the PBKDF in use and its cost (PBKDF2 iterations on LUKS1; Argon2 time/memory cost or PBKDF2 iterations on LUKS2). Those are the values the commands below change, and anyone who copies the header sees the same numbers, which is why the cost matters.

Add a new key

sudo cryptsetup luksAddKey /dev/sda2 -S 0

The above command adds a new key in slot 0 on /dev/sda2 (replace with the device node of your LUKS partition). cryptsetup first asks for an existing passphrase (or takes one via --key-file) to unlock the volume key, then prompts for the new passphrase. The target slot must be empty; if slot 0 is already in use, pick another slot number or omit -S so cryptsetup uses the first free slot. To add a keyfile rather than a passphrase, give the path of the new keyfile as a second argument after the device.

Change a key's passphrase or its PBKDF cost (the iteration count that sets the delay when unlocking with that passphrase)

sudo cryptsetup luksChangeKey /dev/sda2 -S 0 --pbkdf-force-iterations 300000

The above command changes the passphrase in key slot 0 on /dev/sda2 (replace with the device node of your LUKS partition). cryptsetup asks for the slot's current passphrase and then for the new one; the slot keeps its number.

You can also enter the same passphrase if, for example, you just wanted to change the number of iterations.

--pbkdf-force-iterations 300000 sets the PBKDF cost directly instead of letting cryptsetup benchmark it on the running system. The larger the number, the longer every unlock with that slot takes; if unlocking at boot takes too long, lower it. Two caveats. First, the number is a PBKDF2 iteration count: on LUKS2 the default PBKDF is Argon2id, where the same flag sets the Argon2 time cost (normally a single-digit value), so 300000 only makes sense for a slot that uses PBKDF2 (add --pbkdf pbkdf2 to switch the slot, which is also what GRUB builds that only implement PBKDF2 require). Second, this cost is all that stands between someone holding a copy of the header and an offline guessing attack on the passphrase, so pay for every reduction with a longer passphrase.

See the article Enabling cryptomount in GRUB2 for more information about this delay and why it can take longer with GRUB (i.e. when booting).

Remove key

sudo cryptsetup luksKillSlot /dev/sda2 2

The above command wipes the key in slot 2 on /dev/sda2. Replace both with the device node of your LUKS partition and the slot you want to remove; confirm the slot number with luksDump first, since slots are numbered from 0. Unless run in batch mode, cryptsetup asks for a passphrase from one of the remaining slots before wiping. Removing the last enabled slot is permitted after an interactive confirmation and makes the data permanently inaccessible, so make sure another slot still opens the volume. Taking a header backup with luksHeaderBackup before touching slots is prudent, but remember that the backup still contains the slot you are about to kill: if you are removing a compromised passphrase, the old backup still unlocks the volume with it, so protect or destroy it and take a fresh backup afterwards.
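Both checks recommended above (read luksDump before acting, and never kill the only remaining slot) can be done mechanically. The script below is an added example written for this article; it is not part of the original page or of cryptsetup. It parses the text that cryptsetup luksDump prints for LUKS1 and LUKS2 headers, lists the enabled slots with their PBKDF type and cost, and flags a lone remaining slot, a PBKDF2 slot below an iteration threshold chosen here for illustration, and optionally Argon2 slots that PBKDF2-only GRUB builds cannot open. The two dumps embedded in it are constructed samples with salts and UUIDs replaced by placeholders and tabs normalised to spaces.

```python
"""Parse `cryptsetup luksDump` text and audit the keyslots it lists.
Added example (not from the article or from cryptsetup). Handles the LUKS1
and LUKS2 dump layouts; the sample dumps below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Threshold chosen for this example (not a cryptsetup default): PBKDF2 slots
# below it are flagged as cheap to guess against for anyone holding the header.
MIN_PBKDF2_ITERATIONS = 100_000


@dataclass
class Slot:
    number: int
    kdf: str                      # "pbkdf2", "argon2id" or "argon2i"
    cost: Optional[int]           # PBKDF2 iterations, or Argon2 time cost
    hash_name: Optional[str] = None


def parse_luks_dump(text: str) -> List[Slot]:
    """Return the enabled keyslots described by luksDump output."""
    m = re.search(r"^Version:\s*(\d+)", text, re.M)
    if not m:
        raise ValueError("not luksDump output: no Version line")
    return _parse_v1(text) if m.group(1) == "1" else _parse_v2(text)


def _parse_v1(text: str) -> List[Slot]:
    # LUKS1 slots all use PBKDF2 with the header-wide "Hash spec".
    hm = re.search(r"^Hash spec:\s*(\S+)", text, re.M)
    return [Slot(int(n), "pbkdf2", int(it), hm.group(1) if hm else None)
            for n, it in re.findall(
                r"^Key Slot (\d+): ENABLED\s+Iterations:\s*(\d+)", text, re.M)]


def _parse_v2(text: str) -> List[Slot]:
    # The "Keyslots:" section runs until the next unindented heading (Tokens:).
    sec = re.search(r"^Keyslots:\n(.*?)(?=^\S|\Z)", text, re.M | re.S)
    slots: List[Slot] = []
    for block in re.split(r"^(?=[ \t]{1,2}\d+: )", sec.group(1) if sec else "", flags=re.M):
        head = re.match(r"\s*(\d+): \S+", block)
        if not head:
            continue
        # Indented "Name: value" lines; the "N: luks2" header has no letter key.
        attrs = dict(re.findall(r"^\s+([A-Za-z ]+?):\s*(.+?)\s*$", block, re.M))
        cost = attrs.get("Iterations") or attrs.get("Time cost")
        slots.append(Slot(int(head.group(1)), attrs.get("PBKDF", "unknown"),
                          int(cost) if cost else None, attrs.get("Hash")))
    return slots


def audit(slots: List[Slot], grub_unlocks: bool = False) -> List[str]:
    """Findings to read before running luksKillSlot or lowering iterations."""
    out = []
    if len(slots) == 1:
        out.append(f"slot {slots[0].number} is the only enabled slot; killing it "
                   "makes the data permanently inaccessible")
    for s in slots:
        if s.kdf == "pbkdf2" and s.cost is not None and s.cost < MIN_PBKDF2_ITERATIONS:
            out.append(f"slot {s.number}: pbkdf2 with {s.cost} iterations is below "
                       f"{MIN_PBKDF2_ITERATIONS}")
        if grub_unlocks and s.kdf.startswith("argon2"):
            out.append(f"slot {s.number}: {s.kdf} cannot be unlocked by GRUB builds "
                       "that only implement PBKDF2")
    return out


# Constructed sample: LUKS2 header, passphrase slot (Argon2id) + keyfile slot (PBKDF2).
LUKS2_DUMP = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 300000
Tokens:
Digests:
  0: pbkdf2
        Iterations: 115480
"""

# Constructed sample: LUKS1 header with a single, weakly iterated slot.
LUKS1_DUMP = """\
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256

Key Slot 0: ENABLED
        Iterations:             1000
        Salt:                   REDACTED
        Key material offset:    8
Key Slot 1: DISABLED
"""

if __name__ == "__main__":
    for dump in (LUKS1_DUMP, LUKS2_DUMP):
        print([(s.number, s.kdf, s.cost) for s in parse_luks_dump(dump)],
              audit(parse_luks_dump(dump), grub_unlocks=True))
```

To check a real header, pass the output of luksDump (run as root) to parse_luks_dump() and audit(); set grub_unlocks=True when GRUB rather than the initramfs opens the volume. The MIN_PBKDF2_ITERATIONS threshold is a value picked for this example, and the right number for a given machine is whatever cost you are willing to wait for at every unlock while still making offline guessing expensive.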

References

  1. https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
  2. https://forum.manjaro.org/t/grub-luks-slow-boot/117673/22
  3. https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html