How to change encryption password?
When I installed mint I chose to encrypt my drive, to require a password to boot. I had a security issue (not with my computer, I gave the password to someone I no longer want to access my computer). Now I want to change the password, but I can't figure out how. I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.
Thanks!
Re: How to change encryption password?
what's on the computer ?
it may just be plain easier - to re-install the whole thing. ..
- rather than mess around changing all of that.
was it backed up, recently?.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Re: How to change encryption password?
mentha scholasticus wrote: I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.
See System Settings > Users & groups > add
When done select new user in user list and change the "No password set" current setting.
Regarding disk encryption there are 8 key slots available, you can use the command line to add a new key then remove the old key. Post the command results:
Code: Select all
sudo lsblk -o name,size,fstype,label,mountpoint
Re: How to change encryption password?
@Laurent85
Thanks for the tips. I should have been more clear, I know how to add users. My problem is that I want the new user to have all the same files, apps, settings, etc. Basically I want to have the exact same setup as before, but with a new user/password. When I log in as the new user I get a bare system, like when I first installed. I went through a lot of trouble setting up my system, I don't want to go through that again. Help!
Here's the output for the code you suggested:
Code: Select all
NAME SIZE FSTYPE LABEL MOUNTPOINT
sda 931.5G
├─sda1 512M vfat /boot/efi
├─sda2 244M ext2 /boot
└─sda3 930.8G crypto_LUKS
└─sda3_crypt (dm-0) 930.8G LVM2_member
├─mint--vg-root (dm-1) 914.9G ext4 /
└─mint--vg-swap_1 (dm-2) 15.9G swap [SWAP]
sr0 1024M
Re: How to change encryption password?
Hello mentha scholasticus - Here's something you should consider: When you boot your machine, you must enter the encryption key first, and the user password second. If someone cannot get beyond the encryption key, they'll never have the opportunity to enter the user password. So there's really no need to create a new user name and password as long as you change the encryption key.
Laurent85 has already mentioned the solution to this: Create a new encryption key, store it in a different key slot, and delete the old one. Here's an outline of how to proceed:
1.) Boot your machine and open the Terminal. Based on the info you provided in your last post, the encrypted volume is /dev/sda3. What you need to do first is find out which key slot is used to store your current encryption key. If you've never changed anything since you installed, it's probably key slot 0, but you should verify this regardless. To do so, enter " sudo cryptsetup luksDump /dev/sda3 ", examine the output, and verify that key slot 0 is shown as "Enabled", and that key slots 1 through 7 are shown as "Disabled".
2.) Now you can create a new encryption password and store it in key slot 1 (or any other unused key slot). To do this, enter " sudo cryptsetup luksAddKey /dev/sda3 -S 1 " (the -S option specifies the key slot 1 will be used). You will be prompted to enter your new encryption key twice. At this point, you will have two encryption keys stored in the luks volume header: Your original key stored in key slot 0 and the new key stored in key slot 1. Both can be used to unlock the encrypted volume /dev/sda3 during system boot.
3.) Now close the Terminal. Before doing anything else, reboot the machine, and use your new encryption key to unlock the encrypted volume /dev/sda3 during system boot. NOTE: It's extremely important to verify the new key works before proceeding to the next step, or you might find yourself locked out without a key!
4.) After reboot, open the Terminal, and delete the original key stored in key slot 0. To do this, enter " sudo cryptsetup luksRemoveKey /dev/sda3 -S 0 ". You should be prompted to enter the original key (not the new one!) to confirm this action.
NOTE: There is a quick and dirty way to do all of this using a single command: " sudo cryptsetup luksChangeKey /dev/sda3 -S 0 ". There is one thing I don't like about doing it this way: You are only prompted once to enter a new key. There is no second prompt to confirm the key change! If you screw it up, you're locked out. This is why I outlined the longer but safer way of doing this in the first place.
"When you rise in the morning, give thanks for the light, for your life, for your strength. Give thanks for your food and for the joy of living. If you see no reason to give thanks, the fault lies in yourself." - Tecumseh
Re: How to change encryption password?
Derek_S wrote: You will be prompted to enter your new encryption key twice.
Thank you Derek_S! It worked except for one thing: it did not ask me to enter the passphrase twice. As a result, the first one I tried, I messed up, and now I have a key slot with a passphrase that I don't know! The second time around, I got it right, and erased the passphrase I was worried about, so I have a new passphrase. The problem is that since I messed up key slot 1, and it needs a passphrase I don't know, I don't know how to erase it and disable that key slot. Since even I don't know the passphrase, I'm not too worried, but in the interest of thoroughness, I would like to remove it. How do I remove the lost passphrase, or discover what it is?
Re: How to change encryption password?
Hello mentha scholasticus - Sorry for the bad info about entering the key twice. It used to work that way, but I guess this is yet another change in the cryptsetup command I'm unaware of.
I should amend my instructions in step 3 as well. Not only is it important to know that your new key works, it's also important to know which key slot it's stored in as well! If you have any doubts at all about which key is stored in which key slot, or whether it's a working key or not, here's what I suggest:
Use " sudo cryptsetup luksDump /dev/sda3 " to verify that key slot 7 is unused. Then create a new key and store it in key slot 7 - " sudo cryptsetup luksAddKey /dev/sda3 -S 7 ". Verify this new key works by rebooting and entering it at system boot. NOTE: It doesn't matter if this new key is a duplicate of any key you created previously; it's much more important to be sure that it's stored in key slot 7.
Then use " cryptsetup luksKillSlot -S 0 ", "cryptsetup luksKillSlot -S 1 ", and so on to remove all the other keys in all the other key slots starting at key slot zero and working on up. Use " sudo cryptsetup luksDump /dev/sda3 " to check your progress and verify that key slot 7 is the only one left with a working key.
Re: How to change encryption password?
@Derek_S:
I tried the killslot code you gave, as well as some variants, but every time I get a list of killslot usage commands, which end with this:
Code: Select all
cryptsetup: luksKillSlot: requires <device> <key slot> as arguments
What I don't get is that I am specifying the keyslot, and I've tried adding the device, as in: " cryptsetup luksKillSlot /dev/sda3 -S 1 ". I'm new at this, so the syntax escapes me. What am I doing wrong?
Re: How to change encryption password?
Remove -S option when using luksKillSlot command.
Here is an example using virtual drive /dev/loop0,
LUKS Header dump, only key slot #0 enabled:
Code: Select all
sudo cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 97 49 bb 4c 93 2a ec 8e 79 54 95 1e 55 4e 3c bf fd 90 63 9d
MK salt: c3 ac e9 44 0c 9c e3 15 59 6a 27 6f 8a 8d 32 63
88 af 6b 87 b9 8c 69 75 cd 45 03 d5 ec 44 a5 eb
MK iterations: 137250
UUID: 1dd78d50-dca2-403f-8aaa-a807bc0fc851
Key Slot 0: ENABLED
Iterations: 540083
Salt: 5e f4 f8 43 48 ea ad c2 d5 19 e9 bc 99 5e 0f 1f
79 77 ab 32 78 34 fd bc 2b 9a a3 76 92 0b 41 2c
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Adding key to next key slot available, no -S option necessary:
Code: Select all
sudo cryptsetup luksAddKey /dev/loop0
Adding key to key slot #7, -S 7 option specified:
Code: Select all
sudo cryptsetup luksAddKey /dev/loop0 -S 7
Removing key from slot #7, do not enter -S option, only enter key slot number:
Code: Select all
sudo cryptsetup luksKillSlot /dev/loop0 7
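Added example, not part of any post in this thread: a shell sketch of the add, verify, then kill sequence discussed above, with a guard that refuses to remove a slot unless the slot you intend to keep is also enabled. The function names and the sample dump are made up for illustration, and the parser assumes the LUKS1 "Key Slot N: ENABLED" layout shown in the luksDump output above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): guard rails for LUKS key slot rotation.

# Print the numbers of ENABLED key slots, one per line, from luksDump text on stdin.
enabled_slots() {
    sed -n 's/^[[:space:]]*Key Slot \([0-7]\): ENABLED.*$/\1/p'
}

# safe_to_kill KEEP DROP: succeed only if both slots are enabled and differ,
# so removing DROP still leaves the KEEP slot. Reads luksDump text on stdin.
safe_to_kill() {
    keep=$1
    drop=$2
    slots=$(enabled_slots)
    [ "$keep" != "$drop" ] || return 1
    printf '%s\n' "$slots" | grep -qx "$keep" || return 1
    printf '%s\n' "$slots" | grep -qx "$drop" || return 1
}

# rotate_slot DEVICE KEEP DROP: confirm a passphrase unlocks slot KEEP, then
# remove slot DROP. Needs root; cryptsetup prompts for the passphrases.
rotate_slot() {
    dev=$1
    keep=$2
    drop=$3
    dump=$(cryptsetup luksDump "$dev") || return 1
    printf '%s\n' "$dump" | safe_to_kill "$keep" "$drop" || {
        echo "refusing: slot $keep or $drop is not enabled, or they are the same" >&2
        return 1
    }
    # --test-passphrase checks the passphrase against that slot without mapping the device.
    cryptsetup open --test-passphrase --key-slot "$keep" "$dev" || return 1
    # luksKillSlot takes the slot number as a positional argument, not -S.
    cryptsetup luksKillSlot "$dev" "$drop"
}

# Constructed sample in the LUKS1 luksDump layout (not taken from a real device).
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 7: ENABLED'
```

For the situation in this thread that would be, for example, `rotate_slot /dev/sda3 7 1` run as root; the passphrase test stops the removal if the key you typed does not actually unlock slot 7.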
Re: How to change encryption password?
I am wondering how to do the same but on an external Hard Drive that I lost my Password to?
Will the command be the same?
Re: How to change encryption password?
"...that i lost my Password to..." To modify LUKS key-slots you must supply one of the existing keys. Ideally, you know what it is. If you have a good idea of what it is, there are programs to auto-guess LUKS passwords, unavoidably limited to (roughly) 1 guess per second by the LUKS system itself.
Re: How to change encryption password?
There's a really easy way to do this with the GUI now. I'm not sure when it was added, but I'm running Mint Cinnamon 18.3.
- Go to Menu > Preferences > Disks
- In the list on the left side, select your hard drive
- In the 'Volumes' list on the right hand side, select the LUKS entry (it should be marked with an open padlock)
- Click the cogs button immediately below the volume list ('Additional Partition Options')
- Select 'Change Passphrase'