LUKS2: systemd-cryptenroll: All recovery keys accidentally deleted. System is running

Hi Community,

I'm facing a new problem. I'm using a LUKS2 encrypted disk, automatically decrypted with TPM2 at boot. I had installed a recovery key with

systemd-cryptenroll /path/to/LUKS2 --recovery-key

Today, I figured out that I had installed two recovery keys, so I decided to remove one key by issuing the systemd-cryptenroll ... --wipe-slot recovery command. I thought it would prompt me for a choice, e.g. by entering the remaining key. But in fact, this command deletes all recovery keys without confirmation, so LUKS2 is now only protected by the TPM2 and I'm unable to insert any other key again.

Is there any chance to insert another passphrase or recovery key using the remaining TPM2 module?

Edit: it looks like the data in the LUKS header is still present, so all I have to do is to reinsert the information gathered with luksDump, I think…

That was too easy. Adding a new passphrase with TPM2:
cryptsetup luksAddKey --token-id 2 --token-type systemd-tpm2 /dev/nvme0n1p3

where --token-id= is the corresponding token found in the luksDump output.

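As an added example, not part of the original thread: a small POSIX shell helper that reads cryptsetup luksDump output and pulls out the two numbers this recovery depends on, the id of the systemd-tpm2 token to hand to cryptsetup luksAddKey --token-id, and the keyslot number sitting behind each systemd-recovery token, so that one slot can be wiped with --wipe-slot=<number> instead of the type keyword recovery, which (as the post found) removes every recovery slot at once. The dump text is constructed for the example (field names follow the luksDump layout, but the values are made up); the only thing reused from the post is the device path /dev/nvme0n1p3. The helper prints the commands it would run and executes nothing.

```shell
#!/bin/sh
# Added example: derive --token-id / --wipe-slot numbers from a luksDump.
# Not from the original thread. SAMPLE_DUMP below is constructed data.

SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          7
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
  1: luks2
        Key:        512 bits
        Priority:   normal
  2: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
  0: systemd-recovery
        Keyslot:    1
  1: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Print the ids (one per line) of tokens whose type is $1, e.g. systemd-tpm2.
# Reads luksDump text on stdin; only the "Tokens:" section is inspected.
token_ids_of_type() {
  awk -v want="$1" '
    /^Keyslots:/ { sec = "keyslots"; next }
    /^Tokens:/   { sec = "tokens";   next }
    /^Digests:/  { sec = "digests";  next }
    sec == "tokens" && $1 ~ /^[0-9]+:$/ && $2 == want {
      sub(":", "", $1); print $1
    }'
}

# Print the keyslot number that token $1 unlocks (from its "Keyslot:" line).
keyslot_of_token() {
  awk -v id="$1" '
    /^Tokens:/  { sec = "tokens";  next }
    /^Digests:/ { sec = "digests"; next }
    sec == "tokens" && $1 ~ /^[0-9]+:$/ { cur = $1; sub(":", "", cur) }
    sec == "tokens" && cur == id && $1 == "Keyslot:" { print $2 }'
}

# Dry run: print (1) the luksAddKey command authorised by the TPM2 token, and
# (2) one systemd-cryptenroll --wipe-slot=<number> line per recovery token,
# so a single recovery slot can be removed instead of all of them.
# $1 = device, $2 = luksDump text. Nothing is executed.
plan_commands() {
  dev=$1
  dump=$2
  tpm_tok=$(printf '%s\n' "$dump" | token_ids_of_type systemd-tpm2 | head -n 1)
  if [ -z "$tpm_tok" ]; then
    echo "no systemd-tpm2 token in header; cannot authorise via TPM2" >&2
    return 1
  fi
  echo "cryptsetup luksAddKey --token-id $tpm_tok --token-type systemd-tpm2 $dev"
  for rt in $(printf '%s\n' "$dump" | token_ids_of_type systemd-recovery); do
    slot=$(printf '%s\n' "$dump" | keyslot_of_token "$rt")
    echo "systemd-cryptenroll --wipe-slot=$slot $dev   # recovery token $rt -> keyslot $slot"
  done
}

# Demo on the constructed dump. With a real device, replace SAMPLE_DUMP by
# "$(cryptsetup luksDump /dev/nvme0n1p3)" and run the printed commands by hand.
plan_commands /dev/nvme0n1p3 "$SAMPLE_DUMP"
```

Run the printed luksAddKey line first and confirm a new passphrase slot shows up in luksDump before wiping anything; only then remove the one recovery slot by number. Wiping by number is the safe form because the recovery keyword matches every token of that type in the header.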