Yes.
Nope, those are partitions. Use the sudo cryptsetup luksDump command to view your keyslots.
Those aren’t boot passphrases, but LUKS passphrases…the boot process is prior to the OS being loaded; at the beginning of the OS starting is when you enter the LUKS passphrase. So no, the boot passphrase you set (blue box in screenshot) is something totally different.
Wow, this seems really messed up — or maybe I am misunderstanding this …
So I checked Star Labs StarBook laptop default passphrase on:
• nvme0n1p0 (access is denied, I think is more likely)
• nvme0n1p1 — doesn’t seem to exist (not a valid LUKS device)
• nvme0n1p2 — doesn’t seem to exist (not a valid LUKS device)
• nvme0n1p3 (obviously the one I been on, and is currently running so can’t login as I am already logged-in lol)
So Star Labs shipped the StarBook laptop out with a default “nvme0n1p3” passphrase, and gave me that passphrase obviously and even followed-up eventually admitting how to change it
Now, I am realizing that same “default” passphrase is NOT applicable to “nvme0n1p0” and I cannot even access “nvme0n1p0” be it passphrase protected or not. Just says it either doesn’t exist or access is denied. I suspect it is the later, “access denied”
(or do I have the wrong conclusion here?)
My lack of access to “nvme0n1p0” is it because StarLabs restricted access to only them?
OR
Is my lack of access to “nvme0n1p0” because I have enabled a password UEFI boot with AMI (American MegaTrends) which over rides this LUKS KeySlot and so “access denied” is because it isn’t managed under LUKS but under whatever AMI does its key management under?
I am not accusing Star Labs of a KeySlot 0 backdoor, though their lack of informing their customers to change the FDE MasterKey does concern me now as they only ever mentioned and sent instructions only for the KeySlots never ever informing about a MasterKey FDE passphrase. What I am doing is trying to understand why KeySlot 0 is likely “access denied”, while KeySlot 1 & 2 returns as “not a valid device” making it sound like it doesn’t exist; all while implying KeySlot 0 does exist then but access is being denied to not even allow a passphrase to be entered so to block any attempt at all of accessing KeySlot 0.
Is it because I am currently logged into KeySlot 3 and also I guess then currently logged into KeySlot 0 as well due to needing it to enter into the OS? (just thought of this) But then why did it not spit out the same error it did for KeySlot 3, when trying to access KeySlot 0? KeySlot 3 even lets me enter the current passphrase and then returns with an error due to being logged-in, but trying to access KeySlot 0 doesn’t at all behave like the KeySlot 3 input prompt I did.
Please, someone who knows, please clarify what this all means (see screenshots provided).
Just reading this now, I have screenshots now regarding LUKS 0, 1, and 2
I need help understanding what is going on
" Nope, those are partitions. Use the sudo cryptsetup luksDump command to view your keyslots." — @Bearillo
I don’t understand this (also see my previous reply post above this one)
Thank you
You best do some reading about the basics then: e.g. What is a disk/SSD partition (wiki). LUKS is a container based either on a file, or, in your case, an SSD partition. The lsblk command categorically cannot list LUKS keyslots, but it can list partitions, among other things. Use the man utility to read about what commands do, e.g. man lsblk.
Okay I will
I am just concerned now, now knowing there was NO mention from Star Labs about a MasterKey as if they purposely don’t tell lay users this, the irony is advanced users would likely never have Qubes pre-installed anyway so this feels like ignorant and/or newbie users are being taken advantage of. Thus, since I realize there is also a MasterKey that is why I now have questions about what is going on with the KeySlots 0, 1, and 2 (specifically KeySlot 0). KeySlot 0 is not behaving like any of the others at all. I am just concerned now that’s all
But yes I will read up on what you gave me
But I also just need to do all this ASAP as the 1st of the Month approaches and I really need to get back online fully soon with a computer (this computer)
Skimmed over the Wiki
Still wondering,
Why would access be denied for KeySlot 0 then?
It doesn’t even let me try to enter a password, just returns with “does not exist or access denied” and I think it is “access denied” because if it didn’t exist then it would do what KeySlots 1 & 2 returned which was, “not a valid LUKS device”
Unless I am assuming wrong about what LUKS 1 & 2 output returns mean
Also applies here:
I have now added a 2nd Key Slot
using this CLI command while in ROOT
cryptsetup luksAddKey /dev/nvme0n1p3
I see it worked here as there is a new “1: luks2” added along with a new “Salt”
Also, I noticed the “Epoch” changed from 3 to 4
Now I need to run the CLI command to delete the “starlabs” login default Key Slot
In an email from Star Labs they said to use this,
cryptsetup luksRemoveKey /dev/nvme0n1p3
BUT
I am worried
how does THAT command know which Key Slot to remove? Will it prompt me to pick/choose?
What if I run this CLI command and it deletes ALL the Key Slots in “nvme0n1p3”
I am so worried …
Can someone confirm this is the correct CLI command?
cryptsetup luksRemoveKey /dev/nvme0n1p3
I found this:
So does this mean somewhere in the CLI command I have to tell it to specifically remove “0: luks2”?
How would I even do that specification?
Also, in that same thread they claim it isn’t truly deleted. Thus, now that I confirmed the new one worked I might should first Change the “0: luks2” and after changing THEN remove it, right?
I think the command to change a KeySlot is:
luks cryptsetup luksChangeKey /dev/nvme0n1p3
BUT
again,
how to inert the specific command to tell it WHICH Key Slot to make sure I am now only alternating the oldest Key Slot the “0: luks2” and NOT the new “1: luks2”
I cant help you here because I have no idea what you are trying to do
with that image.
Also, posting images is easy for you - it’s of no help to someone who
might have exactly the same issue as you, but cant find this.
Search engines cant yet get text from images - you can.
I’ve already suggested you search for guides to this stuff - there’s
nothing Qubes specific here.
Also, you can get a good deal of help by using man - man cryptsetup
I got it here is my proof yay!
I wanted to know the command to specify a selected slot that seems to be
-S [insert number slot here]
I needed to try it before deleting/removing that slot
So I figured to change the passphrase for that specific Slot first to test the “-S” command
I read a rumor that removing it still doesn’t delete it so IMHO wouldn’t it be best to change the passphrase of the slot then prior to “removing” it to be extra thorough? So I did that
Now I hope to try to “remove” it without removing my new one by accident, accomplishing this hopefully via the “-S” CLI command
Hope that clarifies what I am attempting to accomplish here still following the advice that @sm95 gave above but with a few more added steps to be extra sure of everything
How do I insert “alt text” for accessibility and searches in my images for this Forum???
Return output states that “-S” slot designation CLI command cannot be used along side the “LUKS remove Key” action
Okay then how will I tell the computer exactly which KeySlot to remove
I fear if I merely input,
cryptsetup luksRemoveKey /dev/nvme0n1p3
It might remove all of them
or no?
Will it prompt me to choose which to remove?
I don’t want to find out the hard way … please someone let me know if this is safe
Alright!
I took a chance …
THAT worked, as it lets the user define which key to be removed by prompting for the passphrase for the key being removed
whew, scary … but this part is now done.
Moving on, hope not to ruin my entire system by following directions now for the FDE passphrase change
eek
Any guidance to make extra sure the CLI commands for changing the Masterkey FDE as @sm95 gave directions on would be deeply appreciated
I am now moving onto that scary step
(it is scary for a me as a n00b)
Does this mean once encrypted, there is no going back?
You must start over, to be able to reformat?
In other words no matter how careful I am in inputing a CLI command(s) for this, it will inevitably destroy the current data making me start over with a fresh install of QubesOS?
