Changing the password for a LUKS encrypted partition on Linux


If you need to change the password, i.e., the encryption key, used to encrypt a partition with Linux Unified Key Setup (LUKS) on a Linux system, you can open a terminal window and use the command sudo cryptsetup luksChangeKey /dev/sdaX where sdaX is the relevant partition. E.g., I needed to change the password on an Ubuntu Linux system where the user's data was stored on /dev/sda3.

jim@Firefly:~$ sudo cryptsetup luksChangeKey /dev/sda3
Enter passphrase to be changed:
Enter new passphrase:
Verify passphrase:
jim@Firefly:~$

If you don't know the designation for the encrypted partition, e.g., if I didn't know it was sda3, I could use the lsblk command (it is part of the util-linux package) to determine it. E.g.:

jim@Firefly:~$ lsblk
NAME                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0                       7:0    0     4K  1 loop  /snap/bare/5
loop1                       7:1    0  73.9M  1 loop  /snap/core22/2133
loop2                       7:2    0  11.8M  1 loop  /snap/desktop-security-center/59
loop3                       7:3    0 247.6M  1 loop  /snap/firefox/6966
loop4                       7:4    0  11.1M  1 loop  /snap/firmware-updater/167
loop5                       7:5    0  91.7M  1 loop  /snap/gtk-common-themes/1535
loop6                       7:6    0  14.4M  1 loop  /snap/prompting-client/104
loop7                       7:7    0 516.2M  1 loop  /snap/gnome-42-2204/226
loop8                       7:8    0  17.5M  1 loop  /snap/snap-store/1300
loop9                       7:9    0  50.8M  1 loop  /snap/snapd/25202
loop10                      7:10   0   576K  1 loop  /snap/snapd-desktop-integration/315
loop11                      7:11   0 226.2M  1 loop  /snap/thunderbird/812
sda                         8:0    0 953.9G  0 disk
├─sda1                      8:1    0     1G  0 part  /boot/efi
├─sda2                      8:2    0     2G  0 part  /boot
└─sda3                      8:3    0 950.8G  0 part
  └─dm_crypt-0            252:0    0 950.8G  0 crypt
    └─ubuntu--vg-ubuntu--lv
                          252:1    0 950.8G  0 lvm   /
jim@Firefly:~$

From the above output, I can see that the disk drive in the system is designated as sda and the encrypted partition is sda3 (the device-mapper volume directly beneath it, dm_crypt-0, is listed as type "crypt").

Since LUKS allows multiple keys to be specified, I could have added another key first and then deleted the existing one, if I wished, or even had two or more keys. Adding another key and then rebooting the system to test it would allow you to confirm it is working before removing the existing key. To add a new key, you would use sudo cryptsetup luksAddKey /dev/sdX where sdX is the relevant encrypted drive. When prompted, enter the old passphrase followed by the new one you wish to add. You can reboot the system to test it and, when you are satisfied the new one is working, you can delete the old key with sudo cryptsetup luksRemoveKey /dev/sdX. Enter the old passphrase to delete it.

Changing the password is an almost instant process because the entire partition on the drive does not have to be re-encrypted. The keys you provide are used to decrypt a master key, and it is that master key that was actually used to encrypt the partition. Since the keys you provide allow you to access the master key, you can have multiple keys, which is why you can add a new key before deleting the old one or maintain multiple keys if you wish.
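
The key hierarchy described above, as an added Python model (not code from the original page and not how cryptsetup itself is implemented). The class and function names are hypothetical, and XOR with a PBKDF2 output stands in for the cipher and anti-forensic splitting that real LUKS keyslots use.

```python
import hashlib, hmac, os

ITERATIONS = 1000  # kept low so the example runs fast; not a recommended setting

def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    """Simplified model of a LUKS-style header: one master key, many keyslots."""
    def __init__(self, passphrase: str):
        master = os.urandom(32)               # the key that encrypts the data
        self.digest_salt = os.urandom(16)
        self.mk_digest = kdf(master, self.digest_salt)  # used to recognise the master key
        self.slots = {}                       # slot number -> (salt, wrapped master key)
        self._store(master, passphrase)

    def _store(self, master: bytes, passphrase: str) -> int:
        slot = min(set(range(len(self.slots) + 1)) - set(self.slots))  # first free slot
        salt = os.urandom(16)
        self.slots[slot] = (salt, xor(master, kdf(passphrase.encode(), salt)))
        return slot

    def unlock(self, passphrase: str):
        """Try every keyslot; return (slot, master key) for the one that matches."""
        for slot, (salt, wrapped) in sorted(self.slots.items()):
            candidate = xor(wrapped, kdf(passphrase.encode(), salt))
            if hmac.compare_digest(kdf(candidate, self.digest_salt), self.mk_digest):
                return slot, candidate
        raise PermissionError("no keyslot opens with this passphrase")

    def add_key(self, existing: str, new: str) -> int:      # like luksAddKey
        return self._store(self.unlock(existing)[1], new)

    def remove_key(self, passphrase: str) -> None:          # like luksRemoveKey
        slot, _ = self.unlock(passphrase)
        if len(self.slots) == 1:
            raise ValueError("refusing to remove the last keyslot (model choice)")
        del self.slots[slot]

def demo():
    vol = Volume("old passphrase")            # constructed sample passphrases
    _, before = vol.unlock("old passphrase")
    vol.add_key("old passphrase", "new passphrase")
    _, after = vol.unlock("new passphrase")   # test the new key before removing the old
    vol.remove_key("old passphrase")
    return before == after, sorted(vol.slots)
```

demo() returns whether the master key is identical before and after the passphrase swap, plus the keyslots still in use, which is why no data has to be re-encrypted.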