How to change encryption password?

mentha scholasticus
Level 1
Posts: 12
Joined: Sat Apr 23, 2016 10:45 pm

How to change encryption password?

Postby mentha scholasticus » Sat Apr 23, 2016 10:55 pm

When I installed Mint I chose to encrypt my drive, to require a password to boot. I had a security issue (not with my computer, I gave the password to someone I no longer want to access my computer). Now I want to change the password, but I can't figure out how. I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.

Thanks!

Pierre
Level 15
Posts: 5865
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: How to change encryption password?

Postby Pierre » Sat Apr 23, 2016 11:27 pm

What's on the computer?

It may just be plain easier to re-install the whole thing, rather than mess around changing all of that.

Was it backed up recently?
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - you may be able to answer some!

Laurent85
Level 13
Posts: 4766
Joined: Tue May 26, 2015 10:11 am

Re: How to change encryption password?

Postby Laurent85 » Sun Apr 24, 2016 2:41 am

mentha scholasticus wrote: I would also like to remove the current user account I have on the computer, and replace it with one that has a new username and password.

See System Settings > Users & groups > add

When done, select the new user in the user list and change the current "No password set" setting.

Regarding disk encryption, there are 8 key slots available; you can use the command line to add a new key, then remove the old key. Post the command results:

Code:

sudo lsblk -o name,size,fstype,label,mountpoint

mentha scholasticus
Level 1
Posts: 12
Joined: Sat Apr 23, 2016 10:45 pm

Re: How to change encryption password?

Postby mentha scholasticus » Sun Apr 24, 2016 3:48 pm

@Laurent85
Thanks for the tips. I should have been more clear, I know how to add users. My problem is that I want the new user to have all the same files, apps, settings, etc. Basically I want to have the exact same setup as before, but with a new user/password. When I log in as the new user I get a bare system, like when I first installed. I went through a lot of trouble setting up my system, I don't want to go through that again. Help!

Here's the output for the code you suggested:

Code:

NAME                           SIZE FSTYPE      LABEL MOUNTPOINT
sda                          931.5G                   
├─sda1                         512M vfat              /boot/efi
├─sda2                         244M ext2              /boot
└─sda3                       930.8G crypto_LUKS       
  └─sda3_crypt (dm-0)        930.8G LVM2_member       
    ├─mint--vg-root (dm-1)   914.9G ext4              /
    └─mint--vg-swap_1 (dm-2)  15.9G swap              [SWAP]
sr0                           1024M

Derek_S
Level 6
Posts: 1234
Joined: Sat Dec 28, 2013 5:36 pm
Location: Long Island, N.Y.

Re: How to change encryption password?

Postby Derek_S » Sun Apr 24, 2016 9:33 pm

Hello mentha scholasticus - Here's something you should consider: When you boot your machine, you must enter the encryption key first, and the user password second. If someone cannot get beyond the encryption key, they'll never have the opportunity to enter the user password. So there's really no need to create a new user name and password as long as you change the encryption key.

Laurent85 has already mentioned the solution to this: Create a new encryption key, store it in a different key slot, and delete the old one. Here's an outline of how to proceed:

1.) Boot your machine and open the Terminal. Based on the info you provided in your last post, the encrypted volume is /dev/sda3. What you need to do first is find out which key slot is used to store your current encryption key. If you've never changed anything since you installed, it's probably key slot 0, but you should verify this regardless. To do so, enter " sudo cryptsetup luksDump /dev/sda3 ", examine the output, and verify that key slot 0 is shown as "Enabled", and that key slots 1 through 7 are shown as "Disabled".

2.) Now you can create a new encryption password and store it in key slot 1 (or any other unused key slot). To do this, enter " sudo cryptsetup luksAddKey /dev/sda3 -S 1 " (the -S option specifies the key slot 1 will be used). You will be prompted to enter your new encryption key twice. At this point, you will have two encryption keys stored in the luks volume header: Your original key stored in key slot 0 and the new key stored in key slot 1. Both can be used to unlock the encrypted volume /dev/sda3 during system boot.

3.) Now close the Terminal. Before doing anything else, reboot the machine, and use your new encryption key to unlock the encrypted volume /dev/sda3 during system boot. NOTE: It's extremely important to verify the new key works before proceeding to the next step, or you might find yourself locked out without a key!

4.) After reboot, open the Terminal, and delete the original key stored in key slot 0. To do this, enter " sudo cryptsetup luksRemoveKey /dev/sda3 -S 0 ". You should be prompted to enter the original key (not the new one!) to confirm this action.

NOTE: There is a quick and dirty way to do all of this using a single command: " sudo cryptsetup luksChangeKey /dev/sda3 -S 0 ". There is one thing I don't like about doing it this way: You are only prompted once to enter a new key. There is no second prompt to confirm the key change! If you screw it up, you're locked out. This is why I outlined the longer but safer way of doing this in the first place.
If Bill Gates had a nickel for every time Windows crashed . . . . . oh wait, he does.

mentha scholasticus
Level 1
Posts: 12
Joined: Sat Apr 23, 2016 10:45 pm

Re: How to change encryption password?

Postby mentha scholasticus » Mon Apr 25, 2016 12:57 am

Derek_S wrote: You will be prompted to enter your new encryption key twice.


Thank you Derek_S! It worked except for one thing: it did not ask me to enter the passphrase twice. As a result, the first one I tried, I messed up, and now I have a key slot with a passphrase that I don't know! The second time around, I got it right, and erased the passphrase I was worried about, so I have a new passphrase. The problem is that since I messed up key slot 1, and it needs a passphrase I don't know, I don't know how to erase it and disable that key slot. Since even I don't know the passphrase, I'm not too worried, but in the interest of thoroughness, I would like to remove it. How do I remove the lost passphrase, or discover what it is?

Derek_S
Level 6
Posts: 1234
Joined: Sat Dec 28, 2013 5:36 pm
Location: Long Island, N.Y.

Re: How to change encryption password?

Postby Derek_S » Mon Apr 25, 2016 10:27 am

Hello mentha scholasticus - Sorry for the bad info about entering the key twice. It used to work that way, but I guess this is yet another change in the cryptsetup command I'm unaware of.

I should amend my instructions in step 3 as well. Not only is it important to know that your new key works, it's also important to know which key slot it's stored in as well! If you have any doubts at all about which key is stored in which key slot, or whether it's a working key or not, here's what I suggest:

Use " sudo cryptsetup luksDump /dev/sda3 " to verify that key slot 7 is unused. Then create a new key and store it in key slot 7 - " sudo cryptsetup luksAddKey /dev/sda3 -S 7 ". Verify this new key works by rebooting and entering it at system boot. NOTE: It doesn't matter if this new key is a duplicate of any key you created previously; it's much more important to be sure that it's stored in key slot 7.

Then use " cryptsetup luksKillSlot -S 0 ", "cryptsetup luksKillSlot -S 1 ", and so on to remove all the other keys in all the other key slots starting at key slot zero and working on up. Use " sudo cryptsetup luksDump /dev/sda3 " to check your progress and verify that key slot 7 is the only one left with a working key.

mentha scholasticus
Level 1
Posts: 12
Joined: Sat Apr 23, 2016 10:45 pm

Re: How to change encryption password?

Postby mentha scholasticus » Tue Apr 26, 2016 8:20 pm

@Derek_S:
I tried the killslot code you gave, as well as some variants, but every time I get a list of killslot usage commands, which end with this:

Code:

cryptsetup: luksKillSlot: requires <device> <key slot> as arguments


What I don't get is that I am specifying the keyslot, and I've tried adding the device, as in: " cryptsetup luksKillSlot /dev/sda3 -S 1 ". I'm new at this, so the syntax escapes me. What am I doing wrong?

Laurent85
Level 13
Posts: 4766
Joined: Tue May 26, 2015 10:11 am

Re: How to change encryption password?

Postby Laurent85 » Wed Apr 27, 2016 4:02 am

Remove -S option when using luksKillSlot command.

Here is an example using virtual drive /dev/loop0,
LUKS Header dump, only key slot #0 enabled:

Code:

sudo cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:          1
Cipher name:      aes
Cipher mode:      xts-plain64
Hash spec:        sha1
Payload offset:   4096
MK bits:          256
MK digest:        97 49 bb 4c 93 2a ec 8e 79 54 95 1e 55 4e 3c bf fd 90 63 9d
MK salt:          c3 ac e9 44 0c 9c e3 15 59 6a 27 6f 8a 8d 32 63
                  88 af 6b 87 b9 8c 69 75 cd 45 03 d5 ec 44 a5 eb
MK iterations:    137250
UUID:             1dd78d50-dca2-403f-8aaa-a807bc0fc851

Key Slot 0: ENABLED
   Iterations:            540083
   Salt:                  5e f4 f8 43 48 ea ad c2 d5 19 e9 bc 99 5e 0f 1f
                            79 77 ab 32 78 34 fd bc 2b 9a a3 76 92 0b 41 2c
   Key material offset:   8
   AF stripes:               4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Adding key to next key slot available, no -S option necessary:

Code:

sudo cryptsetup luksAddKey /dev/loop0

Adding key to key slot #7, -S 7 option specified:

Code:

sudo cryptsetup luksAddKey /dev/loop0 -S 7

Removing key from slot #7, do not enter -S option, only enter key slot number:

Code:

sudo cryptsetup luksKillSlot /dev/loop0 7
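
The key-slot bookkeeping discussed in this thread (read luksDump, add a key, then kill the old slot), as an added example that is not code from any poster: a shell helper that reads LUKS1-style luksDump text, lists the enabled key slots, and refuses a luksKillSlot that would target an empty slot or remove the last remaining key. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example. Parses LUKS1-style "cryptsetup luksDump" text (the format
# shown in this thread); function names are hypothetical.

# Print the numbers of all ENABLED key slots found on stdin.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}

# safe_to_kill SLOT: succeed only if SLOT is enabled and at least one other
# slot would still hold a key after it is removed.
safe_to_kill() {
    target=$1
    found=no
    others=0
    for s in $(enabled_slots); do
        if [ "$s" = "$target" ]; then found=yes; else others=$((others + 1)); fi
    done
    [ "$found" = yes ] && [ "$others" -ge 1 ]
}

# Constructed sample dump (not from a real device): slots 1 and 7 hold keys.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/loop0
Version:          1
Key Slot 0: DISABLED
Key Slot 1: ENABLED
   Iterations:            540083
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
   Iterations:            540083
EOF
}

# Demo on the sample: slot 1 may go (7 remains); slot 0 is empty, so refuse.
for n in 1 0; do
    if sample_dump | safe_to_kill "$n"; then echo "slot $n: ok to kill"
    else echo "slot $n: refuse"; fi
done

# Live use (root): the guard only counts slots, so first confirm that a
# passphrase you know opens the slot you are keeping:
#   sudo cryptsetup luksOpen --test-passphrase --key-slot 7 /dev/sda3
#   sudo cryptsetup luksDump /dev/sda3 | safe_to_kill 1 &&
#       sudo cryptsetup luksKillSlot /dev/sda3 1
```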