Linux Unified Key Setup (LUKS) supports multiple key slots. This means that you can have multiple passphrases to unlock your LUKS volume.
If you want to erase or change a key, you need to know the slot number. This is how you determine which key slot a certain passphrase belongs to:
First, use cryptsetup luksDump to see which slots have keys.
Then, for each populated key slot, check whether the passphrase belongs to that particular slot using the command:
cryptsetup luksOpen --test-passphrase --key-slot $slot_number /dev/sdX && echo correct || echo incorrect
Here $slot_number is replaced with the actual slot number and /dev/sdX with the actual device path of your LUKS volume.
Example:
cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/sda1 && echo correct || echo incorrect
The cryptsetup command returns 0 if you enter the correct passphrase for slot 0 and returns non-zero otherwise, including when the provided passphrase is correct for some other key slot!
If you have forgotten one passphrase and want to find out which key slot it occupies, you can find it by elimination: test the passphrases you still know against every populated slot; the slot that none of them opens is the one holding the forgotten passphrase.
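The two steps above (luksDump, then --test-passphrase per populated slot) combined into one script. This is an added example, not from the original page; it assumes cryptsetup is on the PATH, that it runs as root, and the luksDump output layouts described in the comments (populated_slots and find_slot are names chosen here).

```shell
#!/bin/bash
# Added example, not part of the original page: automate the slot lookup.
# Assumes `cryptsetup` is on PATH and that luksDump prints key slots either as
# "Key Slot N: ENABLED" (LUKS1) or under a "Keyslots:" section as "  N: luks2"
# (LUKS2). Both layouts are assumptions, not quoted from the page.

# Read a luksDump on stdin and print the numbers of the populated key slots.
populated_slots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }  # LUKS1 slot line
    /^Keyslots:/                { in_ks = 1; next }             # LUKS2 section start
    in_ks && /^[A-Za-z]/        { in_ks = 0 }                   # next top-level section
    in_ks && /^ +[0-9]+:/       { sub(":", "", $1); print $1 }  # LUKS2 slot entry
  '
}

# Prompt for a passphrase once and test it against every populated slot of the
# LUKS device in $1. Prints the matching slot number and returns 0; returns 1
# if the passphrase opens no slot (unknown passphrase, or its slot was wiped).
find_slot() {
  local dev="$1" pass slot
  read -rsp "Passphrase to locate on $dev: " pass; echo >&2
  for slot in $(cryptsetup luksDump "$dev" | populated_slots); do
    # cryptsetup reads the passphrase from stdin when stdin is not a terminal;
    # --test-passphrase only verifies it and does not map the device.
    if printf '%s\n' "$pass" | cryptsetup luksOpen --test-passphrase --key-slot "$slot" "$dev" 2>/dev/null; then
      echo "$slot"
      return 0
    fi
  done
  echo "passphrase matches no populated key slot on $dev" >&2
  return 1
}

# Usage: ./find_slot.sh /dev/sda1   (run as root)
if [ "$#" -eq 1 ]; then
  find_slot "$1"
fi
```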
In order to erase a key slot, you can run:
cryptsetup luksKillSlot <device> <key slot number>
From the man page:
Wipe the key-slot number from the LUKS device. Except running in batch-mode (-q) a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible.