How can I have multiple passphrases for unlocking one encrypted partition?

I am using Ubuntu 15.10 and encrypted my partition with the default partitioning tool that is displayed during installation. Now I want to be able to give my laptop to somebody else without having to decrypt my drive and without giving him my passphrase. I already have a second user for him, but he doesn't even get to the point where you can log in yourself, because he can't encrypt the drive. So is it possible to have 2 keys for encryption?


Solution 1:

Yes, LUKS supports multiple keyslots (8 in total) which all can unlock the master key.

See the manpage of cryptsetup on how to manage LUKS keyslots. E.g. if your LUKS partition is /dev/sda2, then:

sudo cryptsetup luksAddKey /dev/sda2

While you're at it, also consider providing the --iter-time N option (where N is the time in milliseconds) to lower the risk of brute-forcing a keyslot. E.g. for a 2 second hashing time:

sudo cryptsetup --iter-time 2000 luksAddKey /dev/sda2

To list your current key slots:

sudo cryptsetup luksDump /dev/sda2

Adding a new key slot first is also how I would recommend changing a current passphrase. First add a new one with the instruction above, reboot, verify the new passphrase works (you never know about keyboard layout mismatches etc.), then delete the old keyslot.

sudo cryptsetup luksRemoveKey /dev/sda2

You'll then be asked to provide the passphrase to be removed.

In case you want to remove a key slot without providing the current passphrase, you can use luksKillSlot, but do that with great care and be sure to provide the right slot ID.
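As an added example (not part of the answer above), here is a small shell script that checks the free keyslots from luksDump output and wraps the add, verify, then remove rotation procedure. It assumes the LUKS1 dump format ("Key Slot N: ENABLED"), which is what Ubuntu 15.10's cryptsetup prints; the sample dump is constructed, and the rotate_passphrase function is hypothetical and needs root and a real device.

```shell
# Constructed sample of `cryptsetup luksDump` (LUKS1) output, trimmed.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the IDs of enabled keyslots, one per line, from a luksDump text.
enabled_slots() {
  printf '%s\n' "$1" | awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Number of enabled keyslots (LUKS1 has 8 in total).
count_enabled_slots() {
  enabled_slots "$1" | wc -l | tr -d ' '
}

# Hypothetical helper: add a new passphrase, prove it opens the device,
# and only then remove the old one. Usage: rotate_passphrase /dev/sda2
rotate_passphrase() {
  dev="$1"
  used=$(count_enabled_slots "$(sudo cryptsetup luksDump "$dev")")
  if [ "$used" -ge 8 ]; then
    echo "all 8 keyslots on $dev are in use; free one first" >&2
    return 1
  fi
  sudo cryptsetup --iter-time 2000 luksAddKey "$dev" || return 1
  echo "Enter the NEW passphrase to verify it unlocks $dev:"
  # --test-passphrase checks the passphrase without mapping the device
  sudo cryptsetup open --test-passphrase "$dev" || return 1
  echo "Now enter the OLD passphrase to remove its keyslot:"
  sudo cryptsetup luksRemoveKey "$dev"
}
```

Run `enabled_slots "$(sudo cryptsetup luksDump /dev/sda2)"` on a real device to see which slots are populated before adding one for the second user.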