Nope, those are partitions. Use the sudo cryptsetup luksDump command to view your keyslots.
Those aren’t boot passphrases, but LUKS passphrases…the boot process is prior to the OS being loaded; at the beginning of the OS starting is when you enter the LUKS passphrase. So no, the boot passphrase you set (blue box in screenshot) is something totally different.
Wow, this seems really messed up — or maybe I am misunderstanding this …
So I checked Star Labs StarBook laptop default passphrase on:
• nvme0n1p0 (access is denied, I think is more likely)
• nvme0n1p1 — doesn’t seem to exist (not a valid LUKS device)
• nvme0n1p2 — doesn’t seem to exist (not a valid LUKS device)
• nvme0n1p3 (obviously the one I been on, and is currently running so can’t login as I am already logged-in lol)
So Star Labs shipped the StarBook laptop out with a default “nvme0n1p3” passphrase, and gave me that passphrase obviously and even followed-up eventually admitting how to change it
(was not sent in original instructions, I had to email them to ask how to change it, just wow).
Now, I am realizing that same “default” passphrase is NOT applicable to “nvme0n1p0” and I cannot even access “nvme0n1p0” be it passphrase protected or not. Just says it either doesn’t exist or access is denied. I suspect it is the later, “access denied”
(or do I have the wrong conclusion here?)
My lack of access to “nvme0n1p0” is it because StarLabs restricted access to only them?
OR
Is my lack of access to “nvme0n1p0” because I have enabled a password UEFI boot with AMI (American MegaTrends) which over rides this LUKS KeySlot and so “access denied” is because it isn’t managed under LUKS but under whatever AMI does its key management under?
I am not accusing Star Labs of a KeySlot 0 backdoor, though their lack of informing their customers to change the FDE MasterKey does concern me now as they only ever mentioned and sent instructions only for the KeySlots never ever informing about a MasterKey FDE passphrase. What I am doing is trying to understand why KeySlot 0 is likely “access denied”, while KeySlot 1 & 2 returns as “not a valid device” making it sound like it doesn’t exist; all while implying KeySlot 0 does exist then but access is being denied to not even allow a passphrase to be entered so to block any attempt at all of accessing KeySlot 0.
Is it because I am currently logged into KeySlot 3 and also I guess then currently logged into KeySlot 0 as well due to needing it to enter into the OS? (just thought of this) But then why did it not spit out the same error it did for KeySlot 3, when trying to access KeySlot 0? KeySlot 3 even lets me enter the current passphrase and then returns with an error due to being logged-in, but trying to access KeySlot 0 doesn’t at all behave like the KeySlot 3 input prompt I did.
Please, someone who knows, please clarify what this all means (see screenshots provided).
Just reading this now, I have screenshots now regarding LUKS 0, 1, and 2
I need help understanding what is going on
" Nope, those are partitions. Use the sudo cryptsetup luksDump command to view your keyslots." — @Bearillo
I don’t understand this (also see my previous reply post above this one)
You best do some reading about the basics then: e.g. What is a disk/SSD partition (wiki). LUKS is a container based either on a file, or, in your case, an SSD partition. The lsblk command categorically cannot list LUKS keyslots, but it can list partitions, among other things. Use the man utility to read about what commands do, e.g. man lsblk.
I am just concerned now, now knowing there was NO mention from Star Labs about a MasterKey as if they purposely don’t tell lay users this, the irony is advanced users would likely never have Qubes pre-installed anyway so this feels like ignorant and/or newbie users are being taken advantage of. Thus, since I realize there is also a MasterKey that is why I now have questions about what is going on with the KeySlots 0, 1, and 2 (specifically KeySlot 0). KeySlot 0 is not behaving like any of the others at all. I am just concerned now that’s all
But yes I will read up on what you gave me
But I also just need to do all this ASAP as the 1st of the Month approaches and I really need to get back online fully soon with a computer (this computer)
Still wondering,
Why would access be denied for KeySlot 0 then?
It doesn’t even let me try to enter a password, just returns with “does not exist or access denied” and I think it is “access denied” because if it didn’t exist then it would do what KeySlots 1 & 2 returned which was, “not a valid LUKS device”
Unless I am assuming wrong about what LUKS 1 & 2 output returns mean
I see it worked here as there is a new “1: luks2” added along with a new “Salt”
Also, I noticed the “Epoch” changed from 3 to 4
Now I need to run the CLI command to delete the “starlabs” login default Key Slot
In an email from Star Labs they said to use this,
cryptsetup luksRemoveKey /dev/nvme0n1p3
BUT
I am worried
how does THAT command know which Key Slot to remove? Will it prompt me to pick/choose?
What if I run this CLI command and it deletes ALL the Key Slots in “nvme0n1p3”
I am so worried …
Can someone confirm this is the correct CLI command?
So does this mean somewhere in the CLI command I have to tell it to specifically remove “0: luks2”?
How would I even do that specification?
Also, in that same thread they claim it isn’t truly deleted. Thus, now that I confirmed the new one worked I might should first Change the “0: luks2” and after changing THEN remove it, right?
I think the command to change a KeySlot is:
luks cryptsetup luksChangeKey /dev/nvme0n1p3
BUT
again,
how to inert the specific command to tell it WHICH Key Slot to make sure I am now only alternating the oldest Key Slot the “0: luks2” and NOT the new “1: luks2”
I cant help you here because I have no idea what you are trying to do
with that image.
Also, posting images is easy for you - it’s of no help to someone who
might have exactly the same issue as you, but cant find this.
Search engines cant yet get text from images - you can.
I’ve already suggested you search for guides to this stuff - there’s
nothing Qubes specific here.
Also, you can get a good deal of help by using man - man cryptsetup
I wanted to know the command to specify a selected slot that seems to be
-S [insert number slot here]
I needed to try it before deleting/removing that slot
So I figured to change the passphrase for that specific Slot first to test the “-S” command
I read a rumor that removing it still doesn’t delete it so IMHO wouldn’t it be best to change the passphrase of the slot then prior to “removing” it to be extra thorough? So I did that
Now I hope to try to “remove” it without removing my new one by accident, accomplishing this hopefully via the “-S” CLI command
Hope that clarifies what I am attempting to accomplish here still following the advice that @sm95 gave above but with a few more added steps to be extra sure of everything
In other words no matter how careful I am in inputing a CLI command(s) for this, it will inevitably destroy the current data making me start over with a fresh install of QubesOS?