You may be using LUKS to encrypt your root partition, home partition, etc.

Managing keys and passphrases is an important part of using LUKS.  Below are a few common operations related to key and passphrase management in LUKS.

Viewing information about current keys

To view information about current keys and slots used, execute:

Code Block
sudo cryptsetup luksDump /dev/sda2


Info

Replace /dev/sda2 with the device id of your LUKS partition.

See below example for output:

The above shows two keys in use.  The first is a passphrase and the second is a keyfile used to unlock secondary partitions (once the root partition is unlocked), which avoids having to enter a passphrase multiple times.

Add a new key

Code Block
sudo cryptsetup luksAddKey /dev/sda2 -S 0


Info

The above command adds a new key at slot 0 on /dev/sda2 (replace with actual device id of your LUKS partition).

Change key passphrase or number of iterations (which directly relates to the time delay when decrypting with passphrase)

Code Block
sudo cryptsetup luksChangeKey /dev/sda2 -S 0 --pbkdf-force-iterations 300000


Info

The above command will allow you to change the passphrase for key slot 0 on /dev/sda2 (replace with actual device id of your LUKS partition).

You can also enter the same passphrase if, for example, you just wanted to change the number of iterations.

The --pbkdf-force-iterations 300000 option directly relates to the delay observed when decrypting: the larger the number, the more time is required when decrypting the partition with the passphrase.  If decrypting the partition at boot takes too long, lower this value, bearing in mind that fewer iterations also make each passphrase guess cheaper for an attacker.

See the article Enabling cryptomount in GRUB2 for more information about this delay and why it can take longer with GRUB (i.e. when booting).

Remove key

Code Block
sudo cryptsetup luksKillSlot /dev/sda2 2


Info

The above command will remove a key from key slot 2 on /dev/sda2.  Replace these with the actual device id of your LUKS partition and the actual keyslot you want to remove.
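
Before running luksKillSlot, it is worth confirming from the luksDump output that the slot is actually in use and that another enabled slot will remain afterwards. The shell functions below are an added example, not part of the original article; they assume the LUKS1 luksDump layout (`Key Slot N: ENABLED`), and the function names and the sample dump are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes LUKS1-style luksDump text.

# Print "<slot> <iterations>" for each ENABLED key slot in a dump read on stdin.
luks_active_slots() {
  awk '
    /^Key Slot [0-9]+: / {
      slot = ($4 == "ENABLED") ? $3 : ""   # $3 looks like "0:"
      sub(/:$/, "", slot)
      next
    }
    slot != "" && $1 == "Iterations:" { print slot, $2; slot = "" }
  '
}

# Print enabled slots whose iteration count is below the minimum given as $1.
luks_slots_below() {
  luks_active_slots | awk -v min="$1" '$2 + 0 < min + 0 { print $1 }'
}

# Succeed only if slot $1 is enabled and another enabled slot would remain.
# Reads the dump on stdin; an empty or unrecognised dump fails closed.
luks_safe_to_kill() {
  target=$1 count=0 found=no
  for s in $(luks_active_slots | awk '{ print $1 }'); do
    count=$((count + 1))
    if [ "$s" = "$target" ]; then found=yes; fi
  done
  [ "$found" = yes ] && [ "$count" -ge 2 ]
}

# Constructed sample (header fields, salts and digests omitted).
SAMPLE_DUMP='Key Slot 0: ENABLED
    Iterations:             300000
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: ENABLED
    Iterations:             1250000
    Key material offset:    512
    AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

printf '%s\n' "$SAMPLE_DUMP" | luks_active_slots   # prints "0 300000" and "1 1250000"

# Real use (device and slot are the page's examples):
#   sudo cryptsetup luksDump /dev/sda2 | luks_safe_to_kill 2 &&
#     sudo cryptsetup luksKillSlot /dev/sda2 2
```

A LUKS2 header prints its key slots in a different layout, so on such a device these functions find no slots and the guard refuses rather than guessing.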
