.. include:: /urls.rst .. _pureos_passwords: Passwords ========= Passwords serve different purposes in securing computer systems and protecting user data. .. _pureos_password_terminology: Terminology ----------- +----------------+----------------------------------------------+ | Term | Description | +================+==============================================+ | **PIN** | A numeric code, often 4-6 characters | +----------------+----------------------------------------------+ | **Passphrase** | An alphanumeric string of characters | +----------------+----------------------------------------------+ | **Password** | Often used interchangeably with "passphrase" | +----------------+----------------------------------------------+ .. _pureos_password_types: Types of passwords ------------------ The following types of passwords and passphrases are commonly used in PureOS: +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | Password type | Description | Forgot? | +================================+================================================================================================+==================================================================================+ | LUKS encryption passphrase | Used to encrypt the disk and protect data at rest. | * :ref:`Primary (PureOS) partition ` | | | Required during the boot process to unlock encrypted partitions. | * :ref:`Secondary (data) partition ` | | | **It is crucial to keep a backup of this passphrase in a secure location.** | | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | User login PIN/passphrase | Login credentials that a user creates to log in to their user account on the system. | * :ref:`Reset the user password ` | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | PureBoot user & admin PIN | The PureBoot user PIN (used to sign boot files) and admin PIN (used to reset the signing key). | * :ref:`Factory reset ` | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ .. Collapsible section for readability .. raw:: html
More passwords +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | Password type | Description | Forgot? | +================================+================================================================================================+==================================================================================+ | Librem Key user & admin PIN | The Librem Key user PIN (regular access) and admin PIN (higher-level functions). | * **User PIN**: :ref:`Reset the user PIN ` | | | | * **Admin PIN**: :ref:`Factory reset the Librem Key ` | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | Root password | Used to gain administrative access to the system, if a root account is configured. | * :ref:`Reset the root password ` | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | Application-specific passwords | Used to log in to specific applications, such as email clients or password managers. | * Reset the password through the settings; follow the password recovery process. | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | SSH Key passphrase | Used to protect an SSH private key for secure remote access, if configured. | * Generate a new SSH key pair; update any services that use the old key. | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ | Wi-Fi password | Used to connect to secured wireless networks. | * Accessing router settings through a web browser. | | | | * View the saved passhrase from another device connected on the network. | +--------------------------------+------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------+ .. raw:: html
.. _pureos_password_forgot: Forgot your password? --------------------- .. _pureos_password_forgot_luks: LUKS encryption passphrase ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. _pureos_password_forgot_luks_primary: Primary PureOS partition ^^^^^^^^^^^^^^^^^^^^^^^^ Full-disk encryption on your device means that the data on your device cannot be accessed by adversaries if they were to steal the device. Unfortunately, your system protects the data indiscriminately and cannot validate you versus an adversary without it. #. :ref:`Reinstall PureOS ` #. Store a backup of the LUKS encryption passphrase in a secure and memorable location #. :ref:`Restore files from a backup ` if you have one .. _pureos_password_forgot_luks_secondary: Secondary data partition ^^^^^^^^^^^^^^^^^^^^^^^^ Encrypting a secondary partition means that the data on the partition cannot be accessed by adversaries while the partition is locked. Unfortunately, your system protects the data indiscriminately and cannot validate you versus an adversary without it. #. :ref:`Remove the existing LUKS-encrypted partition ` #. :ref:`Re-format the partition ` #. :ref:`Re-mount the partition ` #. :ref:`Restore files from a backup ` if you have one .. _pureos_password_forgot_user: User login ~~~~~~~~~~ If you forget your user login password, you can reset it by booting into recovery mode or using a :ref:`Live Linux install image `. .. .. _pureos_password_forgot_user_shell: .. Recovery shell .. ^^^^^^^^^^^^^^ .. #. Restart your computer and access the boot menu. .. #. Select the recovery mode option. .. #. Choose the option to drop to a root shell prompt. .. #. Remount the filesystem as read/write using the command: .. ``mount -o remount,rw /`` .. #. Use the command ``passwd username`` (replace "username" with your actual username) to set a new password. .. #. Reboot the system. .. _pureos_password_forgot_user_liveboot: Live Linux image ^^^^^^^^^^^^^^^^ Follow the following steps to reset a user password using a Live install image: #. Boot into a :ref:`Live Linux install image `. #. :ref:`Launch a terminal ` once the Live environment has loaded. #. Identify the root partition where the PureOS installation is located. Use the following command to list the partitions: .. code-block:: bash sudo fdisk -l The partition is typically something like ``/dev/sda1``, ``/dev/sda2``, etc. #. Create a mount point. .. code-block:: bash sudo mkdir /mnt/temp #. Mount the root partition. Replace ``/dev/sdaX`` with the correct partition identifier you found in the previous step. .. code-block:: bash sudo mount /dev/sdaX /mnt/temp #. Use the ``chroot`` command to change the shell environment to the mounted partition. .. code-block:: bash sudo chroot /mnt/temp #. Reset the user (or root) password. Replace ``username`` with the actual username of the account you want to reset. .. code-block:: bash passwd username #. You will be prompted to enter a new password for the user. Enter the new password and confirm it. #. Exit the chroot environment after resetting the password:. .. code-block:: bash exit #. Unmount the root partition: .. code-block:: bash sudo umount /mnt/temp #. Finally, reboot the system and remove the Live install disk: .. code-block:: bash sudo reboot After the system reboots, you should be able to log in with the new password you set for the user account. .. _pureos_passwords_disk_encryption_change: Change the disk encryption passphrase ------------------------------------- This guide describes how to change the passphrase of an encrypted LVM partition. The passphrase may include numbers, symbols, and a mix of upper and lower-case characters. .. important:: It is good practice to create a backup of this passphrase, as it is required every time the device is powered on. .. _pureos_passwords_disk_encryption_change_terminal: Method 1: Using the terminal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LUKS allows for an encrypted partition/system to have multiple passwords and also to remove them. To change the password, we first add the new password and then remove the old one. #. Get the name of the encrypted volume. :ref:`Launch a terminal emulator ` and issue the following command: .. code-block:: bash lsblk It will show you the name of the partition. Ignore ``/boot`` and ``/swap``. .. code-block:: test@test-pc:~$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 20G 0 disk ├─sda1 8:1 0 1,1G 0 part /boot ├─sda2 8:2 0 10,5G 0 part │ └─luks-92d57f72-cb7f-431e-8446-052f1d569dd3 │ 254:0 0 10,5G 0 crypt / └─sda3 8:3 0 8,4G 0 part └─luks-23b1ab2d-064e-4d58-a365-9c84a4d55cd7 254:1 1 8,4G 0 crypt [SWAP] sr0 11:1 1 1,5G 0 rom /media/test/PureOS 8.0 GNOME Live test@test-pc:~$ █ .. note:: In this case the encrypted volume is called ``sda2`` but your computer can have a different name. Make sure you adjusted these commands to with the name of your device! #. Add a new password. Issue the following command in a terminal emulator: .. code-block:: bash sudo cryptsetup luksAddKey /dev/device_name #. Type the password when prompted, then press ``Enter``. .. code-block:: test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2 [sudo] password for test: █ #. Type the old disk encryption password when prompted, then press ``Enter``. .. code-block:: test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2 [sudo] password for test: Enter any existing passphrase: █ #. Type the new password for the encrypted disk, then press ``Enter``. .. code-block:: test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2 [sudo] password for test: Enter any existing passphrase: Enter new passphrase for key slot: █ #. Confirm the new password and press ``Enter``. .. code-block:: test@test-pc:~$ sudo cryptsetup luksAddKey /dev/sda2 [sudo] password for test: Enter any existing passphrase: Enter new passphrase for key slot: Verify passphrase: █ The new password is now added. #. Remove the old password. Issue the following command in a terminal emulator: .. code-block:: bash sudo cryptsetup luksRemoveKey /dev/device_name #. Type the password to delete and press ``Enter``. .. _pureos_passwords_disk_encryption_change_gnome_disks: Method 2: Using GNOME Disks ~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. _pureos_passwords_disk_encryption_change_gnome_disks_desktop: .. Desktop PureOS collapsible section .. raw:: html
Laptops and desktops #. Launch **GNOME Disks** #. Click the encrypted volume you wish to change the password for. #. Click the gear icon and select **Change Passphrase...**: .. image:: ../img/gnome-disks/changepassphrase2.png :scale: 50% :alt: Change passphrase right-click context menu #. Enter your current and new password: .. image:: ../img/gnome-disks/changepassphrase3.png :scale: 50% :alt: Changing the passphrase .. raw:: html
.. _pureos_passwords_disk_encryption_change_gnome_disks_mobile: .. Mobile PureOS collapsible section .. raw:: html
Mobile devices #. Launch **GNOME Disks**: .. image:: ../img/gnome-disks/launch-disks.png :scale: 50% :alt: GNOME Disks icon #. Select the storage device: .. image:: ../img/gnome-disks/selecting-block-device.png :scale: 50% :alt: Selecting the block device #. Select the LUKS partition and press the settings button: .. image:: ../img/gnome-disks/luks-partition-settings.png :scale: 50% :alt: GNOME Disks UI #. Select **Change Passphrase**: .. image:: ../img/gnome-disks/changing-luks-passphrase.png :scale: 50% :alt: Change Passphrase menu #. Type your ``USER`` password, and press **Authenticate**: .. image:: ../img/gnome-disks/disks-authentication.png :scale: 50% :alt: GNOME Disks authentication #. Type in their respective fields: #. Current Disk Encryption Passphrase #. New Passphrase #. Confirm the new Passphrase #. Press **Change** .. image:: ../img/gnome-disks/confirming-luks-passphrase.png :scale: 50% :alt: Changing the passphrase .. raw:: html
.. _pureos_passwords_changing_user_passwd: Change the user password ------------------------ .. _pureos_passwords_changing_user_passwd_mobile: .. Mobile PureOS collapsible section .. raw:: html
Mobile devices #. Launch the **Settings** application. #. From the main **Settings** page, select **Details**. This opens a page describing the system software and users that have accounts on the device. .. image:: ../img/gnome-control-center/mobile/details-main.png :scale: 50% :align: center :alt: The Details page :class: no-scaled-link #. Select the **Users** page to view and update information about your account on the phone. This is the page you visit when you want to update the password that unlocks the phone. .. image:: ../img/gnome-control-center/mobile/details-users.png :scale: 50% :align: center :alt: The Users page where the PIN/password can be changed :class: no-scaled-link #. Select the button containing the hidden text next to the **Password** label. This will open the **Change Password** dialog where you will need to enter both your old password and a new one. .. image:: ../img/gnome-control-center/mobile/details-users-change-password.png :scale: 50% :align: center :alt: The empty Change Password dialog :class: no-scaled-link #. Enter the old password in the **Current Password** field. Then enter your new password in both the **New Password** and **Confirm** fields. This is designed to ensure that you have not mistyped your password. .. image:: ../img/gnome-control-center/mobile/details-users-change-password-entered.png :scale: 50% :align: center :alt: The Change Password dialog with completed fields :class: no-scaled-link #. When you have entered all the information, press the **Change** button at the top-right of the screen to confirm the change. Otherwise, press the **Cancel** button at the top-left of the screen to continue using your old password. .. image:: ../img/gnome-control-center/mobile/details-users-change-password-same.png :scale: 50% :align: center :alt: A warning about duplicate passwords :class: no-scaled-link .. note:: You cannot use the same code for both old and new passwords. If you submit the same code for both old and new password, the system will reject the change; press **Close** if this occurs. Otherwise, press the **Cancel** button to leave the **Change Password** dialog and continue using the old password. .. raw:: html
.. _pureos_passwords_changing_root_passwd: Change the root password ------------------------ #. :ref:`Launch a terminal emulator ` and execute the following command: .. code-block:: bash sudo su #. Type in your user account password and press ``Enter``. You are now in superuser (root) mode. You can recognize this by looking at the terminal prompt. Before entering root terminal your prompt looks something like this: .. code-block:: username@hostname:~$ and after: .. code-block:: root@hostname:/home/username/ #. To change root password, run: .. code-block:: bash passwd You will be prompted to ``Enter new UNIX password:``. #. Type your desired password (it will not be printed out to the screen) and press ``Enter``. #. Type it in again to confirm. Your new root password is now set.