How to change LUKS passphrase?

Having installed Ubuntu 11.10 with whole disk encryption and LVM, I need to provide a way for users to easily change LUKS passphrase.

Preferably, this should be done using GUI tools, thus, enabling novice users to perform this basic task.


Solution 1:

I am not familiar with GUI tool but cryptsetup is the tool to interact with LUKS.

Basically AFAIK LUKS lets you add 8 passphrase slots and you can do that with:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION

where 0 is the slot number. I guess LUKS stores slots as 0,1,2 etc. But I recommend you to be very careful with LUKS as you may lock yourself out. Please refer to manual of cryptsetup. Also I recommend you to visit other distro IRC channel just to be extra safe before you proceed.

You may need to reboot the machine and try your new passsphrase as well before you remove the key.

cryptsetup FAQ

Edit: Seems like gnome-disks (AKA gnome-disk-utility) lets you change the passphrase.

enter image description here

enter image description here

Solution 2:

Tested in Ubuntu 14.04: Search for the "Disks" application

Select Device, select volume, Click cogs (more actions) -> "Change passphrase"

screenshot screenshot

Solution 3:

cryptsetup luksChangeKey <target device> -S <target key slot number>

This will ask you first for a valid pass-phrase (in any enabled keyslot) then will prompt you fro the new passphrase in the target keyslot.

From man page:

--key-slot, -S <0-7> For LUKS operations that add key material, this options allows you to specify which key slot is selected for the new key. This option can be used for luksFormat, and luksAddKey. In addition, for open, this option selects a specific key-slot to compare the passphrase against. If the given passphrase would only match a different key-slot, the operation fails.