Thomas Damgaard's Blog

How to determine which LUKS passphrase belongs to what key slot

27 May 2022 - Thomas Damgaard

Linux Unified Key Setup (LUKS) supports multiple key slots. This means that you can have multiple passphrases to unlock your LUKS volume.

If you want to erase or change a key, you need to know its slot number. This is how you determine which key slot a certain passphrase belongs to:

First, use cryptsetup luksDump to see which slots have keys.

Then, for each populated key slot, check whether the passphrase opens that particular slot using the command:

cryptsetup luksOpen --test-passphrase --key-slot $slot_number /dev/sdX && echo correct || echo incorrect

Where $slot_number is replaced with the actual slot number and /dev/sdX is replaced with the actual device path of your LUKS volume.

Example:

cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/sda1 && echo correct || echo incorrect

The cryptsetup command returns 0 if you enter the correct passphrase for slot 0 and returns non-zero otherwise, including when the passphrase you entered is the correct one for some other key slot. That is what --key-slot is for: without it, cryptsetup accepts the passphrase if it opens any slot, which tells you nothing about which slot it belongs to.

If you have forgotten one passphrase and want to know which key slot it occupies, you can find it by elimination: test every passphrase you still remember against each populated slot, and the slot that none of them opens is the one holding the forgotten passphrase.
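The elimination procedure above, scripted as an added example (this is not code from the original post): it parses the output of cryptsetup luksDump for the populated slots and tests one passphrase against each slot with --test-passphrase --key-slot. Assumptions: cryptsetup 2.x, root privileges, and the device path as the first argument. The two luksDump layouts the parser recognises ("Key Slot N: ENABLED" for LUKS1, "N: luks2" lines under a "Keyslots:" heading for LUKS2) are the ones current cryptsetup prints; if the script reports no slots at all, compare its parser against your own luksDump output first.

```shell
#!/bin/sh
# Added example, not from the original post: find which populated LUKS key
# slot(s) a passphrase opens by testing it against each slot in turn.
# Assumptions: cryptsetup 2.x (LUKS1 and LUKS2 luksDump layouts are parsed),
# root privileges, and the device path given as the first argument.

# Read `cryptsetup luksDump` output on stdin and print the populated slot
# numbers, one per line. LUKS1 headers list slots as "Key Slot N: ENABLED";
# LUKS2 headers list them as "  N: luks2" under a "Keyslots:" heading.
luks_populated_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }  # LUKS1 slot
        /^Keyslots:/                 { in_ks = 1; next }                   # LUKS2 section start
        /^[A-Za-z]/                  { in_ks = 0 }                         # next section ends it
        in_ks && /^  [0-9]+: luks2/  { sub(":", "", $1); print $1 }        # LUKS2 slot
    '
}

# Return 0 only if passphrase $2 opens slot $3 of device $1. The passphrase is
# piped through --key-file=- without a trailing newline, so cryptsetup gets
# exactly the bytes that were typed at the interactive prompt when the slot
# was created (a file with a trailing newline would not match).
luks_test_slot() {
    printf '%s' "$2" | cryptsetup luksOpen --test-passphrase \
        --key-slot "$3" --key-file - "$1" 2>/dev/null
}

# Print every populated slot of device $1 that passphrase $2 opens.
# Returns 0 if at least one slot matched, 1 if the passphrase opens nothing.
luks_find_slot() {
    dev=$1 pass=$2 found=1
    for slot in $(cryptsetup luksDump "$dev" | luks_populated_slots); do
        if luks_test_slot "$dev" "$pass" "$slot"; then
            echo "$slot"
            found=0
        fi
    done
    return $found
}

# Command-line use: ./luks-which-slot.sh /dev/sdX  (prompts for the passphrase).
if [ "$#" -ge 1 ]; then
    printf 'Passphrase to look up: ' >&2
    stty -echo 2>/dev/null || true
    read -r pass
    stty echo 2>/dev/null || true
    echo >&2
    if luks_find_slot "$1" "$pass"; then
        echo "The slot number(s) above accept this passphrase." >&2
    else
        echo "No populated key slot accepts this passphrase." >&2
        exit 1
    fi
fi
```

Run it once per passphrase you still remember. The populated slot that none of the runs reports is the one holding the forgotten passphrase, and that is the number to pass to cryptsetup luksKillSlot. A passphrase that was deliberately added to more than one slot will be reported for each of them.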

In order to erase a key slot, you can run:

cryptsetup luksKillSlot <device> <key slot number>

From the man page:

Wipe the key-slot number from the LUKS device. Except running in batch-mode (-q) a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible.

Filed under: linux, luks, security, tips