Change LUKS Disk Password

How does one change the disk password?

It’s asked for on this screen:

That appears after heads & nitrokey and before the user login.

edit: I have the current password/passphrase

The disk is encrypted with LUKS, which allows you to have up to 8
passwords ("key slots" in LUKS parlance).

Although you can use sudo cryptsetup luksChangeKey /dev/XXXXX, I
recommend that you ADD a key and then remove the original.
You can do this with sudo cryptsetup luksAddKey /dev/XXXXX. This
gives you a chance to test out the new password.
Once you are content, remove the original with sudo cryptsetup luksRemoveKey /dev/XXXXX - LUKS will prompt you for a password and
remove the associated key.

As always, the Arch documentation is comprehensive, but readable:

4 Likes

Oh, that is quite interesting that you can have multiple passwords. For the /dev/<device> how does one figure out the <device> part?

When I run lsblk I get:

In addition, I’m going to guess that this is done in dom0…

This was purchased through NitroKey; if that helps.

Yes

Figured it out thanks to your link above. Thank you!

2 Likes

Hello, same problem here. I can't solve the problem with the disk password; I can't find out what <device> is. When I run lsblk it's identical to your screenshot. Please help me, I've tried all the shown devices but nothing worked. Thanks

hello, same here, I could not figure out which device

If I read this thread correctly (and Discourse by email doesn't make
that easy), you want to change the disk passphrase but don't know which
device to check.
lsblk --fs | head will show you the block device tree and the device with FSTYPE
crypto_LUKS.
Now you know the device, you can change the password with:
cryptsetup luksChangeKey or the safer cryptsetup luksAddKey

1 Like

'lsblk --fs' actually doesn't work for me.
'lsblk' shows my partitions properly:

In my case /dev/sda is the encrypted HDD, which probably has to be used for cryptsetup luksAddKey.

Correction:
lsblk --fs works, but 'head' cropped the output.

1 Like

Of course, that's what head does.

Other users have a far more extensive output than you, and so using
head is good in that case. head -nX will show you the first X lines.

In your case, /dev/sda is not the encrypted drive, but it does have
encrypted partitions.

1 Like

thank you, I have found my device.

But then, after sudo cryptsetup luksAddKey /dev/device,
it requires me to enter any existing passphrase.
I assume this is the previous existing passphrase.

I have entered it many times, but it keeps saying no key available with this passphrase.
I'm sure I have entered it correctly.

So is there any other way to add a key now?

No, you can't add a key without verifying with an existing key.
I assume that you can successfully log in to the system - are you using
any special characters or keyboard configuration?
If you just type out your passphrase in a terminal, does it look right?

Yes, I successfully log in to the system, using special characters.
Yes, I typed it into the terminal correctly, but I cannot see it while typing into the existing passphrase prompt.

Interesting - without knowing what special characters you are using,
could it be something as simple as changing keyboard layout? US/UK etc.?

Okay, I thought the "special characters" you asked about meant whether I use symbols such as ~`!@#$%^&*()_-=.
So no, I don't use special characters, but I think that is a good idea.

After trying several times, I finally could change it, thank you.
I think since we couldn't see the typed passphrase, maybe I made a typing mistake.

Here is a how-to:

Since this operation touches a very sensitive (core) part of your Qubes OS it is highly recommended to:
A) do a backup before continuing with the procedure below and
B) not rush through the steps; you can lock yourself out of your system.

This description is made for beginners. If you know what to do and you already know your LUKS partition, you can do the password change with two commands.

1.0. Make a Qubes Backup
Click on the "Q" application icon > System tools > Backup Qubes

2.0. Looking for the LUKS partition
Launch the dom0 terminal:
Click on the "Q" application icon > Terminal Emulator

Run the following command and check the output:
lsblk --fs | head

In the column FSTYPE it should be named crypto_LUKS; this points you to the corresponding NAME (first column). In my case it is sda2. In your case it can be different, so please be careful and do not blindly copy & paste the following commands.

2.1. LUKS disk encryption has 8 "key slots" for your secrets (passwords or key files). Here we will touch passwords only. With the next command you can do both:
A) check which of them are used and
B) verify that you have selected the right LUKS partition.

sudo cryptsetup luksDump /dev/sda2 | grep Key.Slot

The terminal should return this (if you have set just one LUKS password; should be your default setting):

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Key Slot 8: DISABLED

Note: If you have selected a wrong partition you will get this message:
Device dev/sdaX is not a valid LUKS device.

3.0. Modify LUKS password settings
You can add, change or delete LUKS keys. Not the quickest but the safest way to change your password is the following.

3.1. Add a new password with:
sudo cryptsetup luksAddKey /dev/sda2

First, you will be asked to enter the old (current) password and afterwards you will be asked to enter your new password. It will store your new password in the next free Key Slot.

Double-check the LUKS Key Slots again (see 2.1) and verify that you now have 2 Key Slots ENABLED. In my case Key Slot 0 contains the old password and Key Slot 1 contains the new password.

3.2. Remove the old password
sudo cryptsetup luksRemoveKey /dev/sda2

Now you have to enter your old (previous) password; it will automatically delete the corresponding Key Slot. Thus, Key Slot 0 is DISABLED and Key Slot 1 is ENABLED now.

4.0. Reboot your system and verify that your new LUKS password has been updated properly.

Done. :partying_face:

Want more LUKS?

2 Likes

@deeplow may I ask you to change the subject line to
"Change LUKS disk password"
to get better search results when searching for "LUKS"?
Thanks

1 Like

I renamed the topic title.

2 Likes

Thank you @ludovic!

(note for others: trust level 3 members can change the titles :slight_smile: )

This is not working on Qubes 4.1. Maybe because something changed in LUKS2.
If I don't grep and just use the base command, I also don't see a list of keyslots. It seems keyslot 0 is currently in use, but there is no information about other keyslots:

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i

1 Like
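The two places the thread keeps tripping over are finding the crypto_LUKS device in the lsblk output and reading the key slots out of luksDump, which prints a different layout for LUKS1 (every slot listed as ENABLED/DISABLED, as in the how-to above) and LUKS2 (only the slots in use, under a "Keyslots:" header, as in the Qubes 4.1 post). The script below is an added example, not code from this thread or from Qubes/cryptsetup: it parses both formats offline from constructed samples and includes the check a careful admin wants before luksRemoveKey, namely that at least two slots are enabled so the old passphrase can be removed without locking the container. It assumes `lsblk -P -o NAME,FSTYPE` (the key="value" pairs output, which keeps empty FSTYPE columns from shifting fields) and the luksDump line shapes shown in the thread; the device names and salts in the samples are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the two command outputs the
# thread relies on, `lsblk -P -o NAME,FSTYPE` and `cryptsetup luksDump`, so the
# LUKS container and its enabled key slots can be checked before and after
# luksAddKey / luksRemoveKey. The samples below are constructed, not captured.

# Print /dev/<NAME> for every lsblk line whose FSTYPE is crypto_LUKS.
# Input on stdin: `lsblk -P -o NAME,FSTYPE` output, one KEY="value" list per line.
find_luks_devices() {
    awk -F'"' '/FSTYPE="crypto_LUKS"/ { print "/dev/" $2 }'
}

# Print the numbers of the enabled key slots, one per line.
# Input on stdin: `cryptsetup luksDump` output. Handles both header formats:
#   LUKS1 lists every slot as "Key Slot N: ENABLED" / "Key Slot N: DISABLED";
#   LUKS2 lists only slots in use, as "  N: luks2" under a "Keyslots:" header.
luks_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Za-z]/                 { in_slots = 0 }
        in_slots && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { sub(":", "", $1); print $1 }
    '
}

# Count enabled slots (awk END avoids the leading spaces some wc builds print).
luks_enabled_slot_count() {
    luks_enabled_slots | awk 'END { print NR }'
}

# Succeed only when at least two slots are enabled: the point at which the new
# passphrase is stored and removing the old one cannot lock you out.
safe_to_remove_old_key() {
    [ "$(luks_enabled_slot_count)" -ge 2 ]
}

# ---- constructed samples (shapes follow lsblk/cryptsetup, values are made up) ----
SAMPLE_LSBLK='NAME="sda" FSTYPE=""
NAME="sda1" FSTYPE="vfat"
NAME="sda2" FSTYPE="crypto_LUKS"
NAME="luks-00000000-0000-0000-0000-000000000000" FSTYPE="LVM2_member"
NAME="qubes_dom0-root" FSTYPE="ext4"'

SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             200000
        Salt:                   00 00 00 00
Key Slot 1: ENABLED
        Iterations:             200000
        Salt:                   00 00 00 00
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Walk-through on the samples. On a real system pipe the live commands instead,
# e.g.  sudo cryptsetup luksDump /dev/sda2 | luks_enabled_slots
echo "LUKS containers: $(printf '%s\n' "$SAMPLE_LSBLK" | find_luks_devices)"
echo "LUKS1 enabled slots: $(printf '%s\n' "$SAMPLE_LUKS1_DUMP" | luks_enabled_slots | tr '\n' ' ')"
echo "LUKS2 enabled slots: $(printf '%s\n' "$SAMPLE_LUKS2_DUMP" | luks_enabled_slots | tr '\n' ' ')"
if printf '%s\n' "$SAMPLE_LUKS2_DUMP" | safe_to_remove_old_key; then
    echo "LUKS2 sample: safe to run luksRemoveKey"
else
    echo "LUKS2 sample: only one slot enabled, run luksAddKey first"
fi
```

In the how-to's workflow the gate is the `safe_to_remove_old_key` check: run it on the live luksDump after luksAddKey and only proceed to luksRemoveKey when it succeeds. On a LUKS2 header the absence of DISABLED lines is normal, as the last post observed; the slot count is what to look at, not the missing rows.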