HowTo: Change your LUKS disk encryption password

boredsquirrel · July 16, 2024, 8:35pm

Background

On Fedora system setup, it is very easy to configure disk encryption.

Just set the checkbox “encrypt my drive” and it will be encrypted.

But you may want to change it, because it is too short, or you fear someone have got it.

A secure password

A password does not need to contain lots of crazy characters, even though this may increase the difficulty to crack.

But most important is to use a lot of characters.

A good password, depending on your threat model, may be over 20 characters long.

A trick is to concatenate (add together) random words. Start with 3, and after 2 weeks add more words to the line.

In the end you may have a nonsensical password, built up of 10 or more words, and you can remember it in your sleep.

It may not be very secure from the start, but better than “password” or reusing what you already use. And it will get stronger and stronger over time!

Check for LUKS1

If your installation is pretty old (or you use an old partition or external drive), on Fedora older than Fedora 30, you may still use LUKS1.

This standard is insecure, but you can upgrade to LUKS2.

Check your LUKS version:

sudo cryptsetup luksDump /dev/nvme0n1p3

Change your password

So how do you change the password that you use to decrypt your LUKS device?

Following this guide:

The password is just used to unlock the keyfile used for the encryption. You can have multiple passwords for multiple users.

Or you can add a password, and remove the old one, as easy as that!

Boot your system
Enter the terminal
Use lsblk to see your disks

all disks are in /dev/
SSDs are /dev/sd[a-z]
NVMEs are /dev/nvme0n[1-x]
your partition is a number behind that. Example /dev/sda1 for SSDs, or /dev/nvme0n1p1 for NVMEs

$ lsblk
NAME                             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
zram0                            252:0    0    8G  0 disk  [SWAP]
nvme0n1                          259:0    0  1,8T  0 disk  
├─nvme0n1p1                      259:1    0  576M  0 part  /boot/efi
├─nvme0n1p2                      259:2    0 24,3G  0 part  /boot
└─nvme0n1p3                      259:3    0  1,8T  0 part  
  └─luks-64ae1755-4591-455d-b723-1e46c31ffe53

Here, our partition of interest is /dev/nvme0n1p3

1. Add A New Password

sudo cryptsetup luksAddKey /dev/nvme0n1p3

You are prompted for your sudo password, one password to decrypt the LUKS drive, and then the password you wish.

WARNING: On Atomic Desktops (Silverblue, Kinoite, …) you can currently just use the QWERTY layout. Use a password that works here!

2. Test the password

sudo cryptsetup --test-passphrase -v open /dev/nvme0n1p3

You may want to reboot and test if the password works here.

3. Remove the old password

sudo cryptsetup luksRemoveKey /dev/nvme0n1p3

Just enter the password you want to delete.

barryascott · July 16, 2024, 9:24pm

Before you remove the old password I would recommend that you reboot and test the new password works. Only after that test remove the old password.

boredsquirrel · July 16, 2024, 9:44pm

That is a good idea.

augenauf · July 17, 2024, 8:08am

You can also test the key without restarting:

sudo cryptsetup --test-passphrase -v open /dev/device

augenauf · July 17, 2024, 8:32am

maybe the day you change your encryption passphrase, it’s worth checking if the volume is safely encrypted with modern defaults and switch from luks1 and its key derivation function PBKDF2 to luks2 and argon2id.

The steps would be:

1.) verify the current status:

sudo cryptsetup luksDump /dev/device

2.) backup your luks1 header in case something goes wrong:

sudo cryptsetup luksHeaderBackup /dev/device --header-backup-file headerbackup.dat

3.) if Version shows 1, convert to luks2:

sudo cryptsetup convert /dev/device --type luks2

4.) convert PBKDF to argon2id:

sudo cryptsetup luksChangeKey /dev/device --pbkdf argon2id

I would also recommend running cryptsetup luksChangeKey /dev/device --pbkdf argon2id even if luks2 is already in place but the key is still pbkdf2

boredsquirrel · July 17, 2024, 8:43am

Good point! To keep it simple, I would make this a separate thread.

I would include the check fo LUKS1 here and if true, link to your howto to change to LUKS2.

augenauf · July 17, 2024, 11:54am

I think even if the install is fresh, say F39, but you recycled your existing partition layout (without formatting) from before f30, you still have luks1. Whenever I reinstall, I keep /home as is and just format /. That means the luks header is not being changed.

The second case that comes to my mind is: external disks, i.e. backup HDD that was first created before luks2 and argon2 became defaults.

Topic		Replies	Views
Fedora 30 : add additional USB keyfile for root LUKS decryption Ask Fedora	6	1640	February 24, 2020
Question regarding LUKS Ask Fedora f34	4	434	September 4, 2021
Encrypting a specif folder Fedora? Ask Fedora	10	4065	December 26, 2021
LUKS2 encrypted boot on Fedora - how to set up correctly? Ask Fedora installation , security , selinux , luks2 , grub , cryptsetup , encrypted-boot	11	1674	July 26, 2024
Encrypted disk issue Ask Fedora	4	46	February 24, 2025