Howto add a passphrase to encrypted volume using LUKS

From the manpage CRYPTSETUP(8)

LUKS, Linux Unified Key Setup, is a standard for hard disk encryption. It standardizes a partition header, as well as the format of the bulk data. LUKS can manage multiple passwords, that can be revoked effectively and that are protected against dictionary attacks with PBKDF2.

Find a free slot for your new passphrase

root@d410:/# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: 21 d9 81 23 41 ce ed 02 eb b6 6d ab 7b 11 09 14 79
MK salt: 81 67 8f 42 ba 90 73 db 5c 92 e0 d9 b0 e4 f8 75 e0 30 61 49 9f 8a 21 3e 50 28 1f 33 58 1b 87
MK iterations: 18125
UUID: 9b250a8f-3dab-4162-8e1f-5bf7945e9fa0

Key Slot 0: ENABLED
Iterations: 74344
Salt: b4 ab 33 6b 82 31 ee ef 02 hb b6 b0 e4 f8 75 c1
b7 d4 0b 5d 93 11 40 65 7a 2f 18 d6 ee fd b6 d3
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 74751
Salt: 5c 92 e0 d9 ec f4 3a 21 42 39 fe 4a 47 52 29 19
85 7e 93 c1 c9 dd 9f 8a 2e 3d 54 24 1f 30 2f ea
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Key Slot 2 is available

root@d410# cryptsetup -y luksAddKey /dev/sda5 --key-slot=2
Enter any passphrase: <enter an existing passphrase>
Verify passphrase: <enter the same passphrase as above>
Enter new passphrase for key slot: <enter a new passphrase>
Verify passphrase: <repeat the new passphrase>

Check with cryptsetup
root@d410:/# cryptsetup luksDump /dev/sda5
<snip>
Key Slot 2: ENABLED
Iterations: 73322
Salt: 6b e2 3c 31 19 f3 ad 74 43 52 11 91 f4 68 dd f2
49 7f 65 32 54 40 a7 71 1c 1a 4c fe 15 25 56 cb
Key material offset: 520
AF stripes: 4000
</snip>

To delete a passphrase, use luksKillSlot

Deleting the newly added key (Key Slot 2)

root@d410:/# cryptsetup luksKillSlot /dev/sda5 2
Enter any remaining LUKS passphrase: <enter an existing passphrase>

Check with cryptsetup
root@d410:/# cryptsetup luksDump /dev/sda5
<snip>
Key Slot 2: DISABLED
</snip>
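
The two manual checks above (finding a free slot before luksAddKey, and confirming slot state around luksKillSlot) can be scripted. The following is an added example, not part of the original post or of cryptsetup; it assumes the LUKS1 luksDump layout shown on this page, and the function names, the /dev/sdX sample and the "never remove the last enabled slot" policy are assumptions of the example.

```shell
#!/bin/sh
# Added example: helpers that read LUKS1-style `cryptsetup luksDump` text on stdin.

# Print the first slot number reported as DISABLED; non-zero exit if none is free.
first_free_slot() {
    awk '/^[ \t]*Key Slot [0-7]: DISABLED/ { sub(":", "", $3); print $3; ok = 1; exit }
         END { exit !ok }'
}

# Print how many slots are reported as ENABLED.
enabled_count() {
    awk '/^[ \t]*Key Slot [0-7]: ENABLED/ { n++ } END { print n + 0 }'
}

# Succeed only if slot $1 is ENABLED and at least one other slot stays ENABLED.
# Policy assumed by this example: never remove the last remaining passphrase.
safe_to_kill() {
    case $1 in [0-7]) ;; *) return 2 ;; esac
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q "^[[:space:]]*Key Slot $1: ENABLED" || return 1
    [ "$(printf '%s\n' "$dump" | enabled_count)" -gt 1 ]
}

# Constructed sample in the layout shown above (slots 0 and 1 in use).
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdX
Version: 1
Key Slot 0: ENABLED
Key material offset: 8
Key Slot 1: ENABLED
Key material offset: 264
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

echo "first free slot: $(sample_dump | first_free_slot)"
echo "enabled slots:   $(sample_dump | enabled_count)"
sample_dump | safe_to_kill 2 || echo "slot 2: refuse luksKillSlot (not enabled or last key)"
# Real use (as root): cryptsetup luksDump /dev/sda5 | first_free_slot
```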

One Response to Howto add a passphrase to encrypted volume using LUKS

  1. Nancy says:

    Thanks for the share!
    Nancy.R
