Change LUKS Disk Password

Hi,

Trying to change LUKS passphrase in Qubes 4.1 I can’t figure out which I need to use. (as with most of the replies above).
Running lsblk -fs | head -n 40 I get:

(you can’t copy / paste from dom0) so this is rough:

loop0

loop1

. . .

loop 20

sda1 500 M 25%/boot
-sda

qubes_dom0-root–pool-tmeta

. . .

M2 001
- nvme0n1p1 crypto-LUKS 2

. . .

qubes_dom0-root–pool-tdata

M2 001
- nvme0n1p1 crypto-LUKS 2

Nothing I try comes up as a valid device using;

sudo cryptsetup luksDump // | grep Key.Slot

Where is anything remotely likely like /sda/nvme0n1p1 or
/qubes_dom0-root/M2001/nvme0n1p1

Or any combination I can think of. So any helpful ideas of what constitutes the ‘’ would be gratefully appreciated.

Not sure what @Scumbag means by the ‘base command’. And I’m wary of messing with cryptsetup so if I’m unsure I’m going with ‘do nothing’.

The only thing recognisable is the sda1 or sda and crypto-LUKS 2 is not under that.

luksDump requires a and that’s the problem I’m trying to get luksDump to solve. Catch 22.
And all the documentation I can find assumes you know the .

Any ideas, pls?


You can do so.
You can copy in dom0 and then use qui-clipboard to copy the dom0 clipboard
contents, so they can be passed to a qube using normal Ctrl+Shift+V
operation.
Or you can redirect output to a file, and then use qvm-copy-to-vm
to copy the file to a qube.

It might have helped if you had given details of what you had tried. (I
know that nothing you tried worked, but I don’t know what you did try.)
Or if you had given details of your disks.

If I understand your output correctly, you have /boot on /dev/sda2 and
the encrypted Qubes install on nvme drive.
I would try /dev/nvme0n1p1

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Of course! qvm-copy/move-to-vm. Thanks.

I just wrote a long answer with the output of the above . . . but outputting:

sudo cryptsetup luksDump /dev/nvme0n1p1 (like you said) to stdout or into a text file does give a suitable output. That’s what @Scumbag meant by the base command.

I can go with that. Thanks for your help.

Okay, so I’ve successfully added a new key with:

sudo cryptsetup luksAddKey /dev/nvme0n1p1

which is the entire SSD or as much of it as was covered in the initial install disk encryption.

sudo cryptsetup luksDump /dev/nvme0n1p1

now shows both key slots. I can check the new passphrase on Key Slot 1 works with

sudo cryptsetup --test-passphrase -v /dev/nvme0n1p1

and entering the new passphrase. It works giving

Key slot 1 unlocked
command successful.

but the command

sudo cryptsetup luksDump /dev/sda2 | grep Key.Slot

or any variant of that does not work so I can’t know for sure that key slot is enabled and I daren’t risk getting totally shut out if it isn’t and I’ve removed the original passphrase which, of course, does work.

Is there another way to check the new passphrase will work? Just rebooting and trying it fails and I have to use the old one to get in.

@unman’s suggested docs at

https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Cryptsetup_actions_specific_for_LUKS

are great but don’t say anything about this.

Still on 4.1. thanks.

Edit to add:

These instructions work. Just make sure you’re encrypting the right disk if you have more than one!
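
Added example, not part of any post in this thread and not Qubes project code: two small filters for the steps discussed above, finding the LUKS device from lsblk output and listing the active key slots from a luksDump. A LUKS2 header (the lsblk output earlier in the thread shows crypto-LUKS 2) lists slots under a "Keyslots:" section instead of the LUKS1 "Key Slot N: ENABLED" lines, so a grep Key.Slot filter matches nothing on it. The function names and the sample text are assumptions constructed for illustration.

```shell
# Added example, not from the thread. All sample text below is constructed.

# Device paths whose FSTYPE is crypto_LUKS.
# stdin: output of `lsblk -prno NAME,FSTYPE`
luks_devices() {
    awk '$2 == "crypto_LUKS" { print $1 }'
}

# Numbers of the active keyslots, one per line.
# stdin: output of `cryptsetup luksDump <device>`
# LUKS1 prints "Key Slot 0: ENABLED"; LUKS2 prints a "Keyslots:" section
# with entries such as "  0: luks2", which `grep Key.Slot` never matches.
active_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        /^Keyslots:/ { in_ks = 1; next }
        /^[A-Za-z]/  { in_ks = 0 }
        in_ks && /^[ \t]+[0-9]+: luks2/ { sub(":", "", $1); print $1 }
    '
}

sample_lsblk() {   # constructed, shaped like `lsblk -prno NAME,FSTYPE`
    cat <<'EOF'
/dev/sda
/dev/sda1 ext4
/dev/nvme0n1
/dev/nvme0n1p1 crypto_LUKS
EOF
}

sample_luks2_dump() {   # constructed, abridged LUKS2 luksDump layout
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
Tokens:
Digests:
  0: pbkdf2
EOF
}

sample_lsblk | luks_devices
sample_luks2_dump | active_keyslots
# On a real system, in dom0:
#   lsblk -prno NAME,FSTYPE | luks_devices
#   sudo cryptsetup luksDump /dev/nvme0n1p1 | active_keyslots
```

Keep the old passphrase in place until the new slot shows up in this list and has unlocked the device at an actual boot prompt.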

Do you know the CLI input commands for checking what is currently in use?

I didn’t get any outputs

except for “qubes_dom0-root”

What does this mean?



[irrelevant comment retracted]

Yes, thank you

In a different Forum thread I got the full path and you are correct it is that,