Change the disk encryption passphrase

This guide describes how to change the passphrase of an encrypted LVM partition.

Important

You might want to backup your data to an external hard disk before doing this, as a precaution.

Laptops and desktops

Method 1: Using the terminal

LUKS allows for an encrypted partition/system to have multiple passwords and also to remove them. To change the password, we first add the new password and then remove the old one.

  1. Get the name of the encrypted volume

Open a terminal emulator and issue the following command:

lsblk

It will show you the name of the partition. Ignore /boot and /swap.

test@test-pc:~$ lsblk
NAME                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                         8:0    0   20G  0 disk
├─sda1                      8:1    0  1,1G  0 part  /boot
├─sda2                      8:2    0 10,5G  0 part
│ └─luks-92d57f72-cb7f-431e-8446-052f1d569dd3
│                         254:0    0 10,5G  0 crypt /
└─sda3                      8:3    0  8,4G  0 part
  └─luks-23b1ab2d-064e-4d58-a365-9c84a4d55cd7
                          254:1    1  8,4G  0 crypt [SWAP]
sr0                        11:1    1  1,5G  0 rom   /media/test/PureOS 8.0 GNOME Live
test@test-pc:~$ █

Note

In this case the encrypted volume is called sda2 but your computer can have a different name. Make sure you adjusted these commands to with the name of your device!

  1. Add a new password

  • Issue the following command in a terminal emulator:

sudo cryptsetup luksAddKey /dev/device_name

  • It will ask you for your user password. Type it and press Enter.

test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
[sudo] password for test: █

  • Next you will be asked for the old disk encryption password. Type it and press Enter.

test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
[sudo] password for test:
Enter any existing passphrase: █

  • Type the new password you want for the encrypted disk, then press enter

test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
[sudo] password for test:
Enter any existing passphrase:
Enter new passphrase for key slot: █

  • Confirm the new password and press Enter

test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2
[sudo] password for test:
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase: █

The new password is now added.

  1. Removing the old password

Issue the following command in a terminal emulator:

sudo cryptsetup luksRemoveKey /dev/device_name

  • Type the password that you want to delete and press Enter.

Method 2: Using GNOME Disks

Launch GNOME Disks and click the encrypted volume you wish to change the password for. Click the gear icon and select Change Passphrase…:

Change passphrase right-click context menu

Enter your current and new password:

Changing the passphrase

Librem 5

Method 1: Using the terminal

You can use the exact same method as described for laptops. Either from the device terminal application or from ssh.

Method 2: Using GNOME Disks

  1. Launch GNOME Disks:

GNOME Disks icon

  1. Select the storage device:

Selecting the block device

  1. Select the LUKS partition and press the settings button:

GNOME Disks UI

  1. Select Change Passphrase:

Change Passphrase menu

  1. Type your USER password, and press Authenticate:

GNOME Disks authentication

  1. Type in their respective fields:

  • Current Disk Encryption Passphrase

  • New Passphrase

  • Confirm the new Passphrase

  • Press Change

Changing the passphrase