Linux Unified Key Setup (LUKS) supports multiple key slots. This means that you can have multiple passphrases to unlock your LUKS volume.

If you want to erase or change a key you need to know the slot number. This is how you determine which key slot a certain passphrase belongs to:

First, use cryptsetup luksDump to see which slots have keys.

Then, for each key populated key slot, check the passphrase for a particular slot using the command:

cryptsetup luksOpen --test-passphrase --key-slot $slot_number /dev/sdX && echo correct || echo incorrect

Where $slot_number is replaced with the actual slot number and /dev/sdX is replaced with the actual device path of your LUKS volume.

Example:

cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/sda1 && echo correct || echo incorrect

The cryptsetup command returns 0 if you enter the connrect passphrase for slot 0 and returns non-zero otherwise - including if the provided passphrase is corect for some other key slot!

In case you forgot a passphrase and want to find out which key slot it belongs to you can find its key slot by elimination.

In order to erase a key slot, you can run:

cryptsetup luksKillSlot <device> <key slot number>

From the man page:

Wipe the key-slot number from the LUKS device. Except running in batch-mode (-q) a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible.