How to change encryption password?

Post by mentha scholasticus »

When I installed Mint I chose to encrypt my drive, to require a password to boot. I had a security issue (not with my computer, I gave the password to someone I no longer want to access my computer). Now I want to change the password, but I can't figure out how. I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.

Thanks!

Re: How to change encryption password?

Post by Pierre »

What's on the computer?

It may just be plain easier to re-install the whole thing, rather than mess around changing all of that.

Was it backed up recently?

Re: How to change encryption password?

Post by Laurent85 »

mentha scholasticus wrote: I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.

See System Settings > Users & groups > add

When done, select the new user in the user list and change the current "No password set" setting.

Regarding disk encryption, there are 8 key slots available; you can use the command line to add a new key, then remove the old key. Post the command results:

Code:

sudo lsblk -o name,size,fstype,label,mountpoint

Re: How to change encryption password?

Post by mentha scholasticus »

@Laurent85
Thanks for the tips. I should have been more clear; I know how to add users. My problem is that I want the new user to have all the same files, apps, settings, etc. Basically I want to have the exact same setup as before, but with a new user/password. When I log in as the new user I get a bare system, like when I first installed. I went through a lot of trouble setting up my system; I don't want to go through that again. Help!

Here's the output for the code you suggested:

Code:

NAME                           SIZE FSTYPE      LABEL MOUNTPOINT
sda                          931.5G                   
├─sda1                         512M vfat              /boot/efi
├─sda2                         244M ext2              /boot
└─sda3                       930.8G crypto_LUKS       
  └─sda3_crypt (dm-0)        930.8G LVM2_member       
    ├─mint--vg-root (dm-1)   914.9G ext4              /
    └─mint--vg-swap_1 (dm-2)  15.9G swap              [SWAP]
sr0                           1024M 

Re: How to change encryption password?

Post by Derek_S »

Hello mentha scholasticus - Here's something you should consider: When you boot your machine, you must enter the encryption key first, and the user password second. If someone cannot get beyond the encryption key, they'll never have the opportunity to enter the user password. So there's really no need to create a new user name and password as long as you change the encryption key.

Laurent85 has already mentioned the solution to this: Create a new encryption key, store it in a different key slot, and delete the old one. Here's an outline of how to proceed:

1.) Boot your machine and open the Terminal. Based on the info you provided in your last post, the encrypted volume is /dev/sda3. What you need to do first is find out which key slot is used to store your current encryption key. If you've never changed anything since you installed, it's probably key slot 0, but you should verify this regardless. To do so, enter " sudo cryptsetup luksDump /dev/sda3 ", examine the output, and verify that key slot 0 is shown as "Enabled", and that key slots 1 through 7 are shown as "Disabled".

2.) Now you can create a new encryption password and store it in key slot 1 (or any other unused key slot). To do this, enter " sudo cryptsetup luksAddKey /dev/sda3 -S 1 " (the -S option specifies the key slot 1 will be used). You will be prompted to enter your new encryption key twice. At this point, you will have two encryption keys stored in the luks volume header: Your original key stored in key slot 0 and the new key stored in key slot 1. Both can be used to unlock the encrypted volume /dev/sda3 during system boot.

3.) Now close the Terminal. Before doing anything else, reboot the machine, and use your new encryption key to unlock the encrypted volume /dev/sda3 during system boot. NOTE: It's extremely important to verify the new key works before proceeding to the next step, or you might find yourself locked out without a key!

4.) After reboot, open the Terminal, and delete the original key stored in key slot 0. To do this, enter " sudo cryptsetup luksRemoveKey /dev/sda3 -S 0 ". You should be prompted to enter the original key (not the new one!) to confirm this action.

NOTE: There is a quick and dirty way to do all of this using a single command: " sudo cryptsetup luksChangeKey /dev/sda3 -S 0 ". There is one thing I don't like about doing it this way: You are only prompted once to enter a new key. There is no second prompt to confirm the key change! If you screw it up, you're locked out. This is why I outlined the longer but safer way of doing this in the first place.

Re: How to change encryption password?

Post by mentha scholasticus »

Derek_S wrote: You will be prompted to enter your new encryption key twice.

Thank you Derek_S! It worked except for one thing: it did not ask me to enter the passphrase twice. As a result, the first one I tried, I messed up, and now I have a key slot with a passphrase that I don't know! The second time around, I got it right, and erased the passphrase I was worried about, so I have a new passphrase. The problem is that since I messed up key slot 1, and it needs a passphrase I don't know, I don't know how to erase it and disable that key slot. Since even I don't know the passphrase, I'm not too worried, but in the interest of thoroughness, I would like to remove it. How do I remove the lost passphrase, or discover what it is?

Re: How to change encryption password?

Post by Derek_S »

Hello mentha scholasticus - Sorry for the bad info about entering the key twice. It used to work that way, but I guess this is yet another change in the cryptsetup command I'm unaware of.

I should amend my instructions in step 3 as well. Not only is it important to know that your new key works, it's also important to know which key slot it's stored in as well! If you have any doubts at all about which key is stored in which key slot, or whether it's a working key or not, here's what I suggest:

Use " sudo cryptsetup luksDump /dev/sda3 " to verify that key slot 7 is unused. Then create a new key and store it in key slot 7 - " sudo cryptsetup luksAddKey /dev/sda3 -S 7 ". Verify this new key works by rebooting and entering it at system boot. NOTE: It doesn't matter if this new key is a duplicate of any key you created previously; it's much more important to be sure that it's stored in key slot 7.

Then use " cryptsetup luksKillSlot -S 0 ", "cryptsetup luksKillSlot -S 1 ", and so on to remove all the other keys in all the other key slots starting at key slot zero and working on up. Use " sudo cryptsetup luksDump /dev/sda3 " to check your progress and verify that key slot 7 is the only one left with a working key.

Re: How to change encryption password?

Post by mentha scholasticus »

@Derek_S:
I tried the killslot code you gave, as well as some variants, but every time I get a list of killslot usage commands, which end with this:

Code:

cryptsetup: luksKillSlot: requires <device> <key slot> as arguments

What I don't get is that I am specifying the keyslot, and I've tried adding the device, as in: " cryptsetup luksKillSlot /dev/sda3 -S 1 ". I'm new at this, so the syntax escapes me. What am I doing wrong?

Re: How to change encryption password?

Post by Laurent85 »

Remove the -S option when using the luksKillSlot command.

Here is an example using virtual drive /dev/loop0.
LUKS header dump, only key slot #0 enabled:

Code:

sudo cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	97 49 bb 4c 93 2a ec 8e 79 54 95 1e 55 4e 3c bf fd 90 63 9d 
MK salt:       	c3 ac e9 44 0c 9c e3 15 59 6a 27 6f 8a 8d 32 63 
               	88 af 6b 87 b9 8c 69 75 cd 45 03 d5 ec 44 a5 eb 
MK iterations: 	137250
UUID:          	1dd78d50-dca2-403f-8aaa-a807bc0fc851

Key Slot 0: ENABLED
	Iterations:         	540083
	Salt:               	5e f4 f8 43 48 ea ad c2 d5 19 e9 bc 99 5e 0f 1f 
	                      	79 77 ab 32 78 34 fd bc 2b 9a a3 76 92 0b 41 2c 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Adding key to next key slot available, no -S option necessary:

Code:

sudo cryptsetup luksAddKey /dev/loop0

Adding key to key slot #7, -S 7 option specified:

Code:

sudo cryptsetup luksAddKey /dev/loop0 -S 7

Removing key from slot #7, do not enter -S option, only enter key slot number:

Code:

sudo cryptsetup luksKillSlot /dev/loop0 7
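
The clean-up discussed in this thread (keep one boot-tested slot, remove every other enabled slot with the positional luksKillSlot syntax) can be planned from luksDump text before touching the header. This is an added example, not part of any post above; it assumes the LUKS1 "Key Slot N: ENABLED" format shown in the dump, the function names are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: plan key-slot cleanup from LUKS1 `cryptsetup luksDump` text.
# It only prints commands; nothing is run against a device.

# Constructed sample (not from a real disk): slot 0 = old passphrase,
# slot 1 = mistyped passphrase, slot 7 = new, boot-tested passphrase.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda3
Version:        1
Key Slot 0: ENABLED
    Iterations:             540083
Key Slot 1: ENABLED
    Iterations:             538102
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
    Iterations:             541200
EOF
}

# Print the numbers of all ENABLED key slots found on stdin, one per line.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED.*$/\1/p'
}

# plan_killslots DEVICE KEEP_SLOT  (luksDump text on stdin)
# Prints one luksKillSlot command per enabled slot other than KEEP_SLOT.
# Fails without printing a plan if KEEP_SLOT is not enabled, since removing
# every other slot would then leave no usable passphrase.
plan_killslots() {
    device=$1 keep=$2
    slots=$(enabled_slots)
    echo "$slots" | grep -qx "$keep" || {
        echo "slot $keep is not enabled; refusing to plan removal" >&2
        return 1
    }
    for s in $slots; do
        # The slot number is a positional argument here, not -S.
        [ "$s" = "$keep" ] || echo "sudo cryptsetup luksKillSlot $device $s"
    done
}

sample_dump | plan_killslots /dev/sda3 7
```

On a real system the input would come from `sudo cryptsetup luksDump /dev/sda3` instead of the sample function.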

Re: How to change encryption password?

Post by LinuxStrawMan »

I am wondering how to do the same but on an external hard drive that I lost my password to?
Will the command be the same?

Re: How to change encryption password?

Post by Mute Ant »

"...that i lost my Password to..." To modify LUKS key-slots you must supply one of the existing keys. Ideally, you know what it is. If you have a good idea of what it is, there are programs to auto-guess LUKS passwords, unavoidably limited to (roughly) 1 guess per second by the LUKS system itself.

Re: How to change encryption password?

Post by cypher1024 »

There's a really easy way to do this with the GUI now. I'm not sure when it was added, but I'm running Mint Cinnamon 18.3.
  1. Go to Menu > Preferences > Disks
  2. In the list on the left side, select your hard drive
  3. In the 'Volumes' list on the right hand side, select the LUKS entry (it should be marked with an open padlock)
  4. Click the cogs button immediately below the volume list ('Additional Partition Options')
  5. Select 'Change Passphrase'