Passwords

Passwords serve different purposes in securing computer systems and protecting user data.

Terminology

| Term | Description |
|---|---|
| PIN | A numeric code, often 4-6 characters |
| Passphrase | An alphanumeric string of characters |
| Password | Often used interchangeably with “passphrase” |

Types of passwords

The following types of passwords and passphrases are commonly used in PureOS:

| Password type | Description | Forgot? |
|---|---|---|
| LUKS encryption passphrase | Used to encrypt the disk and protect data at rest. Required during the boot process to unlock encrypted partitions. It is crucial to keep a backup of this passphrase in a secure location. | |
| User login PIN/passphrase | Login credentials that a user creates to log in to their user account on the system. | |
| PureBoot user & admin PIN | The PureBoot user PIN (used to sign boot files) and admin PIN (used to reset the signing key). | |

More passwords

| Password type | Description | Forgot? |
|---|---|---|
| Librem Key user & admin PIN | The Librem Key user PIN (regular access) and admin PIN (higher-level functions). | |
| Root password | Used to gain administrative access to the system, if a root account is configured. | |
| Application-specific passwords | Used to log in to specific applications, such as email clients or password managers. | Reset the password through the settings; follow the password recovery process. |
| SSH key passphrase | Used to protect an SSH private key for secure remote access, if configured. | Generate a new SSH key pair; update any services that use the old key. |
| Wi-Fi password | Used to connect to secured wireless networks. | Access the router settings through a web browser. View the saved passphrase from another device connected to the network. |

Forgot your password?

LUKS encryption passphrase

Primary PureOS partition

Full-disk encryption on your device means that the data on your device cannot be accessed by adversaries if they were to steal the device. Unfortunately, the system protects the data indiscriminately: without the passphrase, it cannot distinguish you from an adversary.

  1. Reinstall PureOS

  2. Store a backup of the LUKS encryption passphrase in a secure and memorable location

  3. Restore files from a backup if you have one

Secondary data partition

Encrypting a secondary partition means that the data on the partition cannot be accessed by adversaries while the partition is locked. Unfortunately, the system protects the data indiscriminately: without the passphrase, it cannot distinguish you from an adversary.

  1. Remove the existing LUKS-encrypted partition

  2. Re-format the partition

  3. Re-mount the partition

  4. Restore files from a backup if you have one

User login

If you forget your user login password, you can reset it by booting into recovery mode or using a Live Linux install image.

Live Linux image

Follow these steps to reset a user password using a Live install image:

  1. Boot into a Live Linux install image.

  2. Launch a terminal once the Live environment has loaded.

  3. Identify the root partition where the PureOS installation is located. Use the following command to list the partitions:

    sudo fdisk -l
    

    The partition is typically something like /dev/sda1, /dev/sda2, etc.

  4. Create a mount point.

    sudo mkdir /mnt/temp
    
  5. Mount the root partition. Replace /dev/sdaX with the correct partition identifier you found in the previous step.

    sudo mount /dev/sdaX /mnt/temp
    
  6. Use the chroot command to change the shell environment to the mounted partition.

    sudo chroot /mnt/temp
    
  7. Reset the user (or root) password. Replace username with the actual username of the account you want to reset.

    passwd username
    
  8. You will be prompted to enter a new password for the user. Enter the new password and confirm it.

  9. Exit the chroot environment after resetting the password:

    exit
    
  10. Unmount the root partition:

    sudo umount /mnt/temp
    
  11. Finally, reboot the system and remove the Live install disk:

    sudo reboot
    

After the system reboots, you should be able to log in with the new password you set for the user account.

Change the disk encryption passphrase

This guide describes how to change the passphrase of an encrypted LVM partition.

The passphrase may include numbers, symbols, and a mix of upper and lower-case characters.

Important

It is good practice to create a backup of this passphrase, as it is required every time the device is powered on.

Method 1: Using the terminal

LUKS allows an encrypted partition or system to have multiple passwords, and allows them to be removed. To change the password, first add the new password and then remove the old one.

  1. Get the name of the encrypted volume. Launch a terminal emulator and issue the following command:

    lsblk
    

    It will show you the name of the partition. Ignore /boot and /swap.

    test@test-pc:~$ lsblk
    NAME                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                         8:0    0   20G  0 disk
    ├─sda1                      8:1    0  1,1G  0 part  /boot
    ├─sda2                      8:2    0 10,5G  0 part
    │ └─luks-92d57f72-cb7f-431e-8446-052f1d569dd3
    │                         254:0    0 10,5G  0 crypt /
    └─sda3                      8:3    0  8,4G  0 part
      └─luks-23b1ab2d-064e-4d58-a365-9c84a4d55cd7
                              254:1    1  8,4G  0 crypt [SWAP]
    sr0                        11:1    1  1,5G  0 rom   /media/test/PureOS 8.0 GNOME Live
    test@test-pc:~$ █
    

    Note

    In this case the encrypted volume is called sda2, but your computer may use a different name. Make sure you adjust these commands to use the name of your device!

  2. Add a new password. Issue the following command in a terminal emulator:

    sudo cryptsetup luksAddKey /dev/device_name
    
  3. Type your user account password when prompted by sudo, then press Enter.

    test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
    [sudo] password for test: █
    
  4. Type the old disk encryption password when prompted, then press Enter.

    test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
    [sudo] password for test:
    Enter any existing passphrase: █
    
  5. Type the new password for the encrypted disk, then press Enter.

    test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
    [sudo] password for test:
    Enter any existing passphrase:
    Enter new passphrase for key slot: █
    
  6. Confirm the new password and press Enter.

    test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
    [sudo] password for test:
    Enter any existing passphrase:
    Enter new passphrase for key slot:
    Verify passphrase: █
    

    The new password is now added.

  7. Remove the old password. Issue the following command in a terminal emulator:

    sudo cryptsetup luksRemoveKey /dev/device_name
    
  8. Type the password to delete and press Enter.
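
The add-then-remove sequence of Method 1 as a single shell function, with one added check: the new passphrase is tested with `cryptsetup open --test-passphrase` before the old one is removed, so a mistyped new passphrase cannot lock you out. This is an added example, not part of the original guide; the function name `rotate_luks_passphrase` is hypothetical, and the script is assumed to run as root.

```shell
#!/bin/sh
# Added example (not from the PureOS guide): Method 1 as one function.
# Run as root. rotate_luks_passphrase is a hypothetical name.

# Usage: rotate_luks_passphrase /dev/device_name
rotate_luks_passphrase() {
    dev=$1
    if [ -z "$dev" ]; then
        echo "usage: rotate_luks_passphrase /dev/device_name" >&2
        return 2
    fi

    # Refuse to touch a partition that carries no LUKS header
    # (for example /boot in the lsblk output above).
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev is not a LUKS volume" >&2
        return 1
    fi

    # Steps 2-6: prompts for an existing passphrase, then the new one twice.
    if ! cryptsetup luksAddKey "$dev"; then
        echo "luksAddKey failed; key slots are unchanged" >&2
        return 1
    fi

    # Added check: prove the new passphrase unlocks the volume before the
    # old one is removed. --test-passphrase verifies without activating the
    # device (any valid passphrase passes, so type the new one).
    echo "Type the NEW passphrase to confirm that it unlocks $dev" >&2
    if ! cryptsetup open --test-passphrase "$dev"; then
        echo "verification failed; the old passphrase was NOT removed" >&2
        return 1
    fi

    # Steps 7-8: prompts for the passphrase to delete (the old one).
    echo "Type the OLD passphrase to remove it from $dev" >&2
    if ! cryptsetup luksRemoveKey "$dev"; then
        echo "luksRemoveKey failed; both passphrases are still valid" >&2
        return 1
    fi
    echo "passphrase changed on $dev" >&2
}

# Run directly as: sh rotate.sh /dev/sda2 (sda2 is the volume in the guide).
if [ "$#" -gt 0 ]; then
    rotate_luks_passphrase "$1"
fi
```

Running `cryptsetup luksDump /dev/device_name` before and after shows which key slots are in use.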

Method 2: Using GNOME Disks

Laptops and desktops
  1. Launch GNOME Disks

  2. Click the encrypted volume you wish to change the password for.

  3. Click the gear icon and select Change Passphrase…:

    Change passphrase right-click context menu
  4. Enter your current and new password:

    Changing the passphrase
Mobile devices
  1. Launch GNOME Disks:

    GNOME Disks icon
  2. Select the storage device:

    Selecting the block device
  3. Select the LUKS partition and press the settings button:

    GNOME Disks UI
  4. Select Change Passphrase:

    Change Passphrase menu
  5. Type your USER password, and press Authenticate:

    GNOME Disks authentication
  6. Fill in the respective fields:
    1. Current Disk Encryption Passphrase

    2. New Passphrase

    3. Confirm the new Passphrase

    4. Press Change

    Changing the passphrase

Change the user password

Mobile devices
  1. Launch the Settings application.

  2. From the main Settings page, select Details. This opens a page describing the system software and users that have accounts on the device.

    The Details page
  3. Select the Users page to view and update information about your account on the phone. This is the page you visit when you want to update the password that unlocks the phone.

    The Users page where the PIN/password can be changed
  4. Select the button containing the hidden text next to the Password label. This will open the Change Password dialog where you will need to enter both your old password and a new one.

    The empty Change Password dialog
  5. Enter the old password in the Current Password field. Then enter your new password in both the New Password and Confirm fields. This is designed to ensure that you have not mistyped your password.

    The Change Password dialog with completed fields
  6. When you have entered all the information, press the Change button at the top-right of the screen to confirm the change. Otherwise, press the Cancel button at the top-left of the screen to continue using your old password.

    A warning about duplicate passwords

Note

You cannot use the same code for both old and new passwords. If you submit the same code for both old and new password, the system will reject the change; press Close if this occurs. Otherwise, press the Cancel button to leave the Change Password dialog and continue using the old password.

Change the root password

  1. Launch a terminal emulator and execute the following command:

    sudo su
    
  2. Type in your user account password and press Enter. You are now in superuser (root) mode. You can recognize this by looking at the terminal prompt. Before entering the root terminal, your prompt looks something like this:

    username@hostname:~$
    

    and after:

    root@hostname:/home/username/
    
  3. To change the root password, run:

    passwd
    

    You will be prompted with “Enter new UNIX password:”.

  4. Type your desired password (it will not be printed out to the screen) and press Enter.

  5. Type it in again to confirm.

Your new root password is now set.