This is a simple way to change your LUKS Encryption Passphrase:
- Get the encryption information of your disk from the /etc/crypttab file.
sudo cat /etc/crypttab
you will get a string like this:
sda2_crypt UUID=14312ef1-5055-45f5-b1fc-0f54669e6d1f none luks,discard>
- Dump the header information
for example, my encrypted disk is /dev/sda2
sudo cryptsetup luksDump /dev/sda2
you will get like this:
LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 14312ef1-5055-45f5-b1fc-0f54669e6d1f
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 7
Memory: 1048576
Threads: 4
Salt: fc 9d b7 e0 ec 06 d0 b1 47 09 61 6f c1 73 f9 51
b7 ff 9b 6b 44 a0 2b c5 dd 5a c4 7e 46 28 c3 62
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 136107
Salt: 40 82 65 fc cf e1 24 d3 0d b8 85 07 13 c7 dd a1
03 52 6a b9 04 b8 6d 23 4a d1 90 89 cb 96 a7 ca
Digest: 5b d0 10 56 e4 9a ff e1 eb 14 2a fb 4d 85 ba c3
a7 75 fa fa 6c 24 cc 01 b0 9c 34 dd 48 98 1a d9
- Get the slot assigned to your LUKS
sudo cryptsetup --verbose open --test-passphrase /dev/sda2
you get something like this:
Enter passphrase for /dev/sda3: Key slot 0 unlocked. Command successful.
so the key slot is slot 0.
- Change the passphrase for slot X
sudo cryptsetup luksChangeKey /dev/sda2 -S 0
results:
Enter passphrase to be changed: Enter new passphrase: Verify passphrase:
to verify:
sudo cryptsetup --verbose open --test-passphrase /dev/sda2