16

I installed Ubuntu 12 with full disk encryption, and now I want to change the pass phrase.

How can this be done?

HappyDeveloper

5 Answers

22

This is the easiest way to do it:

  1. Press Super.

  2. Type Disk Utility and launch the program with the same name.

  3. Select the encrypted partition.

  4. Click Change passphrase.

Dennis
22

Ubuntu uses LUKS to encrypt partitions and LVMs.

LUKS supports eight key slots per partition. The `cryptsetup luksAddKey` and `cryptsetup luksRemoveKey` commands can be used to add and remove keys from the slots. `cryptsetup luksDump` can tell you which slots have keys in them.

Basically the right way to do this is you want to add a key to a new slot, test that you can successfully use the new key, and then when you are ready, delete the old key.

During the boot process, when you are asked for the key, it should tell which block device it's trying to unlock. That's the partition you need to apply the cryptsetup commands to.

So use cryptsetup to add a key, reboot, and try the new key. Once you can confirm that works, you can delete the old key.

I would back up your data before trying this or taking anyone else's advice, or at least wait for a couple upvotes. It's been a while since I changed a key on a LUKS partition. (edit: or used a Linux system with GUI...)

LawrenceC
  • 2
    I would like to add that creating an image of the whole disk is not necessary just for modifying the passphrase. Simply use something like `cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file /media/externalthing/somefile` to back up the file. Replace `luksHeaderBackup` with `luksHeaderRestore` to restore the old keys again. Note that the header backup should be saved to a secure place (preferably another LUKS partition on a USB stick). – Lekensteyn Jun 02 '12 at 16:53
8

Here is what to do

  • Go to Dash Home
  • Search for Disks and click it
  • Select your hard disk on the left

Now look to the right. There are likely to be several partitions.

  • Select one of them.
  • Look for the tiny logo of two gears
  • Click on the gears

The option to change the passphrase will be available if it's the right partition.
If it's not there, select another partition. Most likely, the correct partition will be Partition 5.

nixda
wpp105
6

Adding an answer that gives an actual working example.

Firstly work out what the device name is:

```
$ sudo blkid
```

For example on an Ubuntu machine the Full Disk Encryption device can be found using this command:

```
$ sudo blkid | awk -F':' '/crypto_LUKS/{ print $1 }'
/dev/nvme0n1p3
```

Now check your existing slots:

```
$ sudo cryptsetup luksDump /dev/nvme0n1p3 | grep luks2
  0: luks2
```

Now add a new key:

```
$ sudo cryptsetup luksAddKey /dev/nvme0n1p3
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:
```

You have now used a second slot:

```
$ sudo cryptsetup luksDump /dev/nvme0n1p3 | grep luks2
  0: luks2
  1: luks2
```

To be safe you should ensure the new passphrase is working by rebooting, then remove the old passphrase:

```
$ sudo cryptsetup luksRemoveKey /dev/nvme0n1p3
Enter passphrase to be deleted:
```

You are now using a single slot:

```
$ sudo cryptsetup luksDump /dev/nvme0n1p3 | grep luks2
  0: luks2
```
htaccess
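The add, test, then remove order described in the answers above, with a guard against removing the only key. This is an added example, not code from any of the answers: the function names and the sample `luksDump` text are constructed for illustration, and the slot parser covers both the LUKS1 and LUKS2 dump layouts, which goes beyond the `grep luks2` check shown above.

```shell
#!/bin/sh
# Print occupied key-slot numbers from `cryptsetup luksDump` text on stdin.
occupied_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1
        /^Keyslots:/ { in_ks = 1; next }   # LUKS2 keyslot section starts
        /^[A-Za-z]/  { in_ks = 0 }         # any other top-level section ends it
        in_ks && /^[ \t]+[0-9]+: luks2/ { sub(":", "", $1); print $1 }
    '
}

# True only if at least two slots hold keys, so removing one passphrase
# cannot leave the volume without any key.
can_remove_key() {
    [ "$(( $(occupied_slots | wc -l) ))" -ge 2 ]
}

# Constructed, abbreviated luksDump samples (not taken from a real header).
sample_luks2() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
	Key:        512 bits
  1: luks2
	Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}
sample_luks1() {
    printf '%s\n' 'Version:        1' 'Key Slot 0: ENABLED' 'Key Slot 1: DISABLED'
}

# Rotation in the order the answers give; $1 is the LUKS device from blkid.
rotate_passphrase() {
    cryptsetup luksAddKey "$1" || return 1
    # Checks the new passphrase against the header without mapping the device.
    # A boot test is still worthwhile: the initramfs keymap can differ.
    cryptsetup luksOpen --test-passphrase "$1" || return 1
    cryptsetup luksDump "$1" | can_remove_key || return 1
    cryptsetup luksRemoveKey "$1"
}

sample_luks2 | can_remove_key && echo "LUKS2 sample: two slots in use, one may be removed"
```

Run `rotate_passphrase /dev/<device>` as root only after taking the header backup mentioned in the comment above.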
2

Adding an answer as this is one of the top search results.

It looks like cryptsetup now has the command luksChangeKey to do this operation and does pretty much what LawrenceC said in the other answer. To change the passphrase run

```
cryptsetup luksChangeKey <device>
```

This will add a new key and remove the previous one.

Augusto