Change LUKS Disk Password

Of course, that’s what head does.

Other users have a far more extensive output than you, and so using
head is good in that case. head -nX will show you the first X lines.

In your case, /dev/sda is not the encrypted drive, but it does have
encrypted partitions.


Thank you, I have found my device.

But then, after sudo cryptsetup luksAddKey /dev/device,
it requires me to enter any existing passphrase;
I assume this is the previously existing passphrase.

I have entered it many times, but it keeps saying no key available with this passphrase.
I’m sure I have entered it correctly.

So is there any other way to add a key now?

No, you can't add a key without verifying with an existing key.
I assume that you can successfully log in to the system - are you using
any special characters or keyboard configuration?
If you just type out your passphrase in a terminal, does it look right?

Yes, I successfully log in to the system, using special characters.
Yes, I typed it into the terminal correctly, but I cannot see it while typing it at the existing passphrase prompt.

Interesting - without knowing what special characters you are using,
could it be something as simple as changing keyboard layout ? US/UK etc?

Okay, I thought the special characters you asked about were symbols such as ~`!@#$%^&*()_-=.
So no, I don’t use special characters, but I think that is a good idea.

After trying several times, I finally could change it, thank you.
I think since we couldn’t see the typed passphrase, maybe I made a typing mistake.

Here is a how-to:

Since this operation touches a very sensitive – core – part of your Qubes OS, it is highly recommended to:
A) make a backup before continuing with the procedure below, and
B) not rush through the steps; you can lock yourself out of your system.

This description is made for beginners. If you know what to do and you already know your LUKS partition, you can do the password change with two command lines.

1.0. Make a Qubes Backup
Click on the “Q” application icon > System tools > Backup Qubes

2.0. Looking for the LUKS partition
Launch the dom0 terminal
Click on the “Q” application icon > Terminal Emulator

Run the following command and check the output:
lsblk --fs | head

In the column FSTYPE it should be named crypto_LUKS; this points you to the corresponding NAME (first column). In my case it is sda2. In your case it can be different, so please be careful and do not blindly copy & paste the following commands.

2.1. LUKS disk encryption has 8 “key slots” for your secrets (passwords or key files). Here we will touch passwords only. With the next command you can do both
A) check, which of them are used and
B) verify that you have selected the right LUKS partition.

sudo cryptsetup luksDump /dev/sda2 | grep Key.Slot

The terminal should return this (if you have set just one LUKS password; should be your default setting):

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Key Slot 8: DISABLED

Note: If you have selected a wrong partition, you will get this message:
Device /dev/sdaX is not a valid LUKS device.

3.0. Modify LUKS password settings
You can add, change or delete LUKS keys. Not the quickest, but the safest way to change your password is the following.

3.1. Add a new password with:
sudo cryptsetup luksAddKey /dev/sda2

First, you will be asked to enter the old (current) password, and afterwards you will be asked to enter your new password. It will store your new password in the next free Key Slot.

Double check the LUKS Key Slots again (see 2.1) and verify that you now have 2 Key Slots ENABLED. In my case Key Slot 0 contains the old password and Key Slot 1 contains the new password.

3.2. Remove the old password
sudo cryptsetup luksRemoveKey /dev/sda2

Now you have to enter your old (previous) password; it will automatically delete the corresponding Key Slot. Thus, Key Slot 0 is DISABLED and Key Slot 1 is ENABLED now.

4.0 Reboot your system and verify that your new LUKS password has been updated properly.

Done. :partying_face:

Want more LUKS?


@deeplow, may I ask you to change the subject line to
Change LUKS disk password
to get better search results when searching for “LUKS”?
Thanks


I renamed the topic title.


Thank you @ludovic!

(note for others: trust level 3 members can change the titles :slight_smile: )

This is not working on Qubes 4.1. Maybe because something changed in LUKS2.
If I don’t grep and just use the base command, I also don’t see a list of keyslots. It seems keyslot 0 is currently in use, but no information about other keyslots:

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i


Hi,

Trying to change the LUKS passphrase in Qubes 4.1, I can’t figure out which I need to use (as with most of the replies above).
Running lsblk -fs | head -n 40 I get:

(you can’t copy / paste from dom0) so this is rough:

loop0

loop1

. . .

loop 20

sda1 500 M 25%/boot
-sda

qubes_dom0-root–pool-tmeta

. . .

M2 001
- nvme0n1p1 crypto-LUKS 2

. . .

qubes_dom0-root–pool-tdata

M2 001
- nvme0n1p1 crypto-LUKS 2

Nothing I try comes up as a valid device using;

sudo cryptsetup luksDump // | grep Key.Slot

Where is anything remotely likely like /sda/nvme0n1p1 or
/qubes_dom0-root/M2001/nvme0n1p1

Or any combination I can think of. So any helpful ideas of what constitutes the ‘’ would be gratefully appreciated.

Not sure what @Scumbag means by the ‘base command’. And I’m wary of messing with cryptsetup so if I’m unsure I’m going with ‘do nothing’.

The only thing recognisable is the sda1 or sda and crypto-LUKS 2 is not under that.

luksDump requires a and that’s the problem I’m trying to get luksDump to solve. Catch 22.
And all the documentation I can find assumes you know the .

Any ideas, pls?


You can do so.
You can copy in dom0 and then use qui-clipboard to copy the dom0 clipboard
contents, so they can be passed to a qube using the normal Ctrl+Shift+V
operation.
Or you can redirect output to a file, and then use qvm-copy-to-vm
to copy the file to a qube.

It might have helped if you had given details of what you had tried. (I
know that nothing you tried worked, but I don’t know what you did try.)
Or if you had given details of your disks.

If I understand your output correctly, you have /boot on /dev/sda2 and
the encrypted Qubes install on nvme drive.
I would try /dev/nvme0n1p1

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Of course! qvm-copy/move-to-vm. Thanks.

I just wrote a long answer with the output of the above . . . but outputting:

sudo cryptsetup luksDump /dev/nvme0n1p1 (like you said) to stdout or into a text file does give a suitable output. That’s what @Scumbag meant by the base command.

I can go with that. Thanks for your help.

Okay, so I’ve successfully added a new key with:

sudo cryptsetup luksAddKey /dev/nvme0n1p1

which is the entire SSD or as much of it as was covered in the initial install disk encryption.

sudo cryptsetup luksDump /dev/nvme0n1p1

now shows both key slots. I can check the new passphrase on Key Slot 1 works with

sudo cryptsetup --test-passphrase -v /dev/nvme0n1p1

and entering the new passphrase. It works giving

Key slot 1 unlocked
command successful.

but the command

sudo cryptsetup luksDump /dev/sda2 | grep Key.Slot

or any variant of that does not work, so I can’t know for sure that the key slot is enabled, and I daren’t risk getting totally shut out if it isn’t and I’ve removed the original passphrase, which, of course, does work.

Is there another way to check the new passphrase will work? Just rebooting and trying it fails and I have to use the old one to get in.

@unman's suggested docs at

https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Cryptsetup_actions_specific_for_LUKS

are great but don’t say anything about this.

Still on 4.1. thanks.

Edit to add:

These instructions work. Just make sure you’re encrypting the right disk if you have more than one!
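A helper that reconciles the how-to's `grep Key.Slot` check (steps 2.1 and 3.1 above) with the LUKS2 `luksDump` output quoted in the Qubes 4.1 replies, as an added example that is not part of this thread: it lists the crypto_LUKS partitions from lsblk and parses `cryptsetup luksDump` text for enabled key slots in both the LUKS1 (`Key Slot N: ENABLED`) and LUKS2 (`Keyslots:` section) formats. The sample dumps are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find LUKS partitions and list the
# enabled key slots from `cryptsetup luksDump`, for LUKS1 and LUKS2 headers.

# Print device paths whose FSTYPE is crypto_LUKS, e.g. /dev/sda2 or
# /dev/nvme0n1p1 (lsblk -p prints full paths, -l lists, -n drops the header).
luks_partitions() {
    lsblk -lnpo NAME,FSTYPE | awk '$2 == "crypto_LUKS" { print $1 }'
}

# Read luksDump text on stdin and print one enabled slot number per line.
enabled_keyslots() {
    awk '
        # LUKS1: "Key Slot 0: ENABLED" / "Key Slot 1: DISABLED"
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        # LUKS2: entries like "  0: luks2" under the "Keyslots:" heading;
        # the next unindented heading (Tokens:, Digests:, ...) ends it.
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^ +[0-9]+: luks2/ { sub(":", "", $1); print $1 }
    '
}

# Count enabled slots on a real device (needs root, as in the thread):
#   count_keyslots /dev/nvme0n1p1
count_keyslots() {
    sudo cryptsetup luksDump "$1" | enabled_keyslots | wc -l | tr -d ' '
}

# Constructed, shortened sample dumps (not captured from a real system).
sample_luks1() {
cat <<'EOF'
LUKS header information for /dev/sda2
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
EOF
}
sample_luks2() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}
```

In dom0 the pieces chain as `for d in $(luks_partitions); do echo "$d: $(count_keyslots "$d") enabled slot(s)"; done`, which answers the "is the new key slot really enabled" question before running luksRemoveKey.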

Do you know the CLI input commands for checking what is currently in use?

I didn’t get any outputs

except for “qubes_dom0-root”

What does this mean?



[irrelevant comment retracted]

Yes, thank you

In a different Forum thread I got the full path and you are correct it is that,