Hello
I am running QubesOS for the first time, with a detached header according to the instructions here on the forum:
I would like to change the LUKS/FDE password, but it is not possible. The note “No Luks device found” always appears, regardless of whether I mount the external USB drive with the header+boot partition or not. I also tried on the CLI following instructions, like LuksDump etc., but when I choose /dev/nvme01n (which has no p1, p2 etc.) a similar note appears.
Maybe somebody can help me find the mistake.
Best regards
Everything is in the header, and based on your setup, it is separate from the disk where the encrypted data resides. This means that you have to both point to the encrypted disk and specify the header location with --header.
Hi,
I am sorry to exhume this thread, but I am facing the exact same problem as easycrypt. I installed Qubes OS following the same tutorial made by apparatus, and now I want to change the encryption password.
I understand the issue but I do not know what I have to do to fix it.
What command should I use, and how do I find the header? I am only able to find the /root/header.img (I do not really understand what this header is, perhaps a copy made during boot?) but I do not know how to point to the header that is on the USB.
To be more specific, after running the command:
```
qvm-block attach dom0 sys-usb:sda1 && qvm-block attach dom0 sys-usb:sda2 && sudo mount /boot && sudo mount /boot/efi
```
I don’t know what the path to the attached USB partitions is.
Moreover, I guess I am supposed to use cryptsetup, but I don’t know what parameters I must use to specify the disk and the header.
If anyone could give me the specific commands I would be very grateful!
If you followed the guide, the header should be located in the /root directory under the name header.img. This means that you need to use it to change the password.
LUKS works with “keyslots”, so it’s best to create a new password, test it, and then remove the old one once everything is confirmed to be working properly.
I don’t use this setup, but it should be correct:
```
# dom0 terminal
# Mount /boot and /boot/efi with the provided qvm-block command

# Add new password in keyslot
# /dev/sda is an example
# it should be the path to the encrypted disk where Qubes resides
# Check with "lsblk" and see where the "/" mountpoint is
sudo cryptsetup luksAddKey --header /root/header.img /dev/sda
# Verify with current password
# Add new password and confirm it to add new keyslot

# Should show 2 keyslots
sudo cryptsetup luksDump --header /root/header.img /dev/sda

# Regenerate dracut to update header.img inside the initramfs image
sudo dracut -f --regenerate-all --verbose

# Reboot and test new password
# If new password is working, mount /boot and /boot/efi again

# Delete old password keyslot
sudo cryptsetup luksRemoveKey --header /root/header.img /dev/sda

# Regenerate dracut again
sudo dracut -f --regenerate-all --verbose

# Reboot and use new password
# Done
```
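
A check that can be run before the luksRemoveKey step of the procedure above, written as an added example that is not part of any post in this thread: it counts the active keyslots in the luksDump output and then tests a passphrase against the detached header without unlocking anything. HEADER and DISK are assumptions (/dev/sda is the same placeholder the post uses), the function names are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. HEADER and DISK are assumptions;
# /dev/sda is the same placeholder the post above uses.
HEADER="${HEADER:-/root/header.img}"
DISK="${DISK:-/dev/sda}"

# Count active keyslots in `cryptsetup luksDump` text read from stdin.
# LUKS2 lists "  N: luks2" under "Keyslots:"; LUKS1 prints "Key Slot N: ENABLED".
count_keyslots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/     { n++ }              # LUKS1 active slot
    /^Keyslots:/                    { in_ks = 1; next }  # LUKS2 section start
    /^[A-Za-z]/                     { in_ks = 0 }        # any other top-level line
    in_ks && /^[ \t]+[0-9]+: luks2/ { n++ }              # LUKS2 active slot
    END { print n + 0 }'
}

# Constructed, abbreviated LUKS2 dump (not real output) for an offline check.
sample_luks2_dump() {
  cat <<'EOF'
LUKS header information
Version:        2
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

# Gate before luksRemoveKey: require two active slots, then verify a
# passphrase against the detached header without unlocking anything.
safe_to_remove_old_key() {
  slots=$(sudo cryptsetup luksDump --header "$HEADER" "$DISK" | count_keyslots)
  if [ "$slots" -lt 2 ]; then
    echo "only $slots active keyslot(s); add the new passphrase first" >&2
    return 1
  fi
  echo "Type the NEW passphrase (test only, nothing is unlocked or changed):"
  sudo cryptsetup open --test-passphrase --header "$HEADER" "$DISK"
}
```

The passphrase test succeeds for any valid keyslot, so type the new passphrase at the prompt; adding `--key-slot N` restricts the test to one slot.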