Saturday, December 13, 2014

Change LUKS disk encryption key

This morning I wanted to "clean up" the work laptop to pass it on to a new colleague in the team. Then I remembered that I had used my LUKS password in other applications. Unwilling to share this password, I decided to take the plunge and change it! These are the steps needed:

1. Determine the device with LUKS encryption:
╭─root@darktech  ~
╰─$ dmsetup ls
fedora-win8     (253:9)
fedora-backtrack        (253:6)
fedora-swap     (253:1)
fedora-root     (253:2)
luks-eca67822-2122-44ab-9dc7-2f13c8e94d6f       (253:0)
fedora-data     (253:7)
fedora-winxp    (253:4)
fedora-backup   (253:8)
fedora-f18      (253:5)
fedora-home     (253:3)
╭─root@darktech  ~
╰─$ dmsetup info luks-eca67822-2122-44ab-9dc7-2f13c8e94d6f
Name:              luks-eca67822-2122-44ab-9dc7-2f13c8e94d6f
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        9
Event number:      0
Major, minor:      253, 0
Number of targets: 1
UUID: CRYPT-LUKS1-eca67822212244ab9dc72f13c8e94d6f-luks-eca67822-2122-44ab-9dc7-2f13c8e94d6f

╭─root@darktech  ~
╰─$ pvdisplay
  --- Physical volume ---
  PV Name               /dev/mapper/luks-eca67822-2122-44ab-9dc7-2f13c8e94d6f
  VG Name               fedora
  PV Size               465.08 GiB / not usable 0
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              119059
  Free PE               0
  Allocated PE          119059
  PV UUID               yXSVeR-pwc4-nkJt-EXWq-CiLA-2XPs-qwdQVu

2. Create a new LUKS password:
╭─root@darktech  ~
╰─$ cryptsetup luksAddKey /dev/sda3
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:

3. Remove the first slot:
╭─root@darktech  ~
╰─$ cryptsetup luksKillSlot /dev/sda3 0
Enter any remaining passphrase:

The first slot is "Slot 0", the second is slot 1, and so on. Make sure you don't remove the wrong slot, or you will lose your data permanently!
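As an added example that is not part of the original post, the script below wraps steps 2 and 3 with the checks a careful admin would want before killing a slot: it parses `cryptsetup luksDump` to see which slots are enabled, works out which slot `luksAddKey` filled, and verifies that the new passphrase alone unlocks the header (`cryptsetup open --test-passphrase --key-slot N`) before `luksKillSlot` touches the old one. It also refuses to kill the only remaining slot. The device name /dev/sda3 and the embedded luksDump text are assumptions constructed for illustration; the rotation function itself needs root and a real LUKS device.

```shell
#!/bin/sh
# Added example (not the original post's code): safer LUKS key rotation.
# Assumptions: LUKS1 header (as in the post), device /dev/sda3.

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header,
# as it would look after step 2: old key in slot 0, new key in slot 1.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1

Key Slot 0: ENABLED
        Iterations:             300000
Key Slot 1: ENABLED
        Iterations:             300000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Read luksDump text on stdin; print the numbers of ENABLED slots, one per line.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Read luksDump text on stdin; print how many slots are enabled.
count_enabled() {
    enabled_slots | wc -l | tr -d ' '
}

# new_slots BEFORE AFTER: both are newline-separated slot lists; print the
# slots present in AFTER but not in BEFORE (the slot luksAddKey just filled).
new_slots() {
    printf '%s\n%s\n' "$1" "$2" | sort | uniq -u | grep -v '^$' || true
}

# rotate_luks_key DEVICE OLD_SLOT
# Adds a new key, confirms the new passphrase unlocks the header via the
# slot it landed in, then removes OLD_SLOT. Run as root.
rotate_luks_key() {
    dev=$1
    old_slot=$2
    before=$(cryptsetup luksDump "$dev" | enabled_slots) || return 1
    cryptsetup luksAddKey "$dev" || return 1
    after=$(cryptsetup luksDump "$dev" | enabled_slots) || return 1
    added=$(new_slots "$before" "$after")
    [ -n "$added" ] || { echo "no new slot appeared on $dev" >&2; return 1; }
    echo "New key is in slot $added; enter the NEW passphrase to verify it:"
    # --test-passphrase only checks the passphrase, it does not map the device;
    # --key-slot restricts the check to the slot we just added.
    cryptsetup open --test-passphrase --key-slot "$added" "$dev" || {
        echo "new passphrase did not unlock $dev; slot $old_slot left in place" >&2
        return 1
    }
    n=$(printf '%s\n' "$after" | grep -c .)
    [ "$n" -ge 2 ] || { echo "refusing to kill the only enabled slot" >&2; return 1; }
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Demonstrate the parser on the constructed dump (no device needed):
echo "enabled slots in sample dump:"
printf '%s\n' "$SAMPLE_DUMP" | enabled_slots
# Real usage (as root, interactive prompts as in the post):
#   rotate_luks_key /dev/sda3 0
```

The ordering matters: `luksKillSlot` only runs after the new passphrase has been proven against its own slot, so a typo during `luksAddKey` cannot leave you with a header whose only working key is one you cannot type.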