How to Change Your LUKS Key but Not the Password

2023-08-09 17:17:59Z

Let's say you have a storage device with LUKS on it. You want to change the parameters, but not the password itself. How I would do is like this:

1. Create a temporary key-slot to your container

2. Remove the key-slot you want to change

3. Recreate the key into the just removed key-slot

4. Remove the temporary key-slot

This prevents your LUKS container from turning completely encrypted from everyone (including you), and also works around `cryptsetup luksChangeKey` not accepting the same password[^repeat]. It would also ask for your password more than once, which is a bit too many times.

(On cryptsetup not accepting the same password on luksChangeKey: I've been unable to verify that statement in Alpine Linux. It might be related to password qualities and I don't think that's well enforced on Alpine Linux.)

However, there is a much simpler method:

1. Use `cryptsetup luksConvertKey`

That's it. It does pretty much the same thing (except when you're out of free slots) where you use a temporary key, replace the slot, and remove the temporary key.

public inbox (comments and discussions)

public inbox archives

(mailing list etiquette for public inbox)