Setup Multiple Passphrases for a LUKS Device

September 13, 2023 #100DaysToOffload #Linux #LUKS

Let’s say you have a computer at home that is shared by multiple people. You want to encrypt the hard drive with LUKS, but you don’t want everyone to have to use the same passphrase.

You can do that. LUKS1 has 8 key slots, and LUKS2 can support more.

When you set up a LUKS-encrypted device, you are configuring the first key slot only.

But by running the following command you can set up an additional passphrase:

cryptsetup luksAddKey <device>

Example

# Create an empty image file that we will turn into a LUKS device. You will probably be using a real device.
truncate --size=512MB dummy.img

# Create a LUKS device. You will be setting up your first passphrase here.
cryptsetup luksFormat dummy.img

# Add a second passphrase.
cryptsetup luksAddKey dummy.img

# Test both passphrases. Run this once for each passphrase.
cryptsetup open --test-passphrase dummy.img
echo $? # If you enter the correct passphrase, the `cryptsetup open` command will exit with status 0.
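
The same flow without prompts, as an added example that is not code from the original post. It goes beyond the post by pinning each passphrase to a numbered slot and then revoking one of them with luksRemoveKey; the key-file names, sample passphrases and fast PBKDF settings are assumptions for a throwaway image.

```sh
#!/bin/sh
# Added example: one key slot per person on a throwaway LUKS2 image file.
# The key files hold constructed sample passphrases; on a real device, type them at the prompt.

# unlocks IMAGE KEYFILE [SLOT]: succeeds only if the passphrase in KEYFILE opens
# the header (restricted to SLOT when given). Nothing is mapped or mounted.
unlocks() {
    cryptsetup open --test-passphrase ${3:+--key-slot "$3"} --key-file "$2" "$1" >/dev/null 2>&1
}

# report LABEL IMAGE KEYFILE [SLOT]: print "LABEL=yes" or "LABEL=no".
report() {
    label=$1; shift
    if unlocks "$@"; then echo "$label=yes"; else echo "$label=no"; fi
}

demo() {  # demo WORKDIR
    img=$1/dummy.img; alice=$1/alice.key; bob=$1/bob.key
    # Weak, fast key derivation so the demo finishes quickly. Assumption for the
    # throwaway image only: leave the PBKDF defaults alone on a real device.
    fast='--pbkdf pbkdf2 --iter-time 100'
    printf '%s' 'constructed passphrase for alice' > "$alice"
    printf '%s' 'constructed passphrase for bob' > "$bob"
    truncate --size=512MB "$img"

    # luksFormat fills the first key slot (slot 0).
    cryptsetup luksFormat --batch-mode --type luks2 $fast --key-file "$alice" "$img" || return 1
    # luksAddKey must be authorised by an existing passphrase (--key-file);
    # the new passphrase is the trailing argument and goes into slot 1.
    cryptsetup luksAddKey --batch-mode $fast --key-slot 1 --key-file "$alice" "$img" "$bob" || return 1

    report alice@0 "$img" "$alice" 0
    report bob@1 "$img" "$bob" 1
    report bob@0 "$img" "$bob" 0      # each passphrase opens only its own slot

    # Revoke one person's passphrase without touching the other slot.
    cryptsetup luksRemoveKey --batch-mode "$img" "$bob" || return 1
    report bob@any "$img" "$bob"
    report alice@any "$img" "$alice"
}

# Run the demo only when a work directory is passed on the command line.
if [ -n "${1:-}" ]; then demo "$1"; fi
```

Run it with a fresh private directory as the only argument, for example one created by `mktemp -d`, and delete that directory afterwards because it holds the sample key files.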

This post is the 42nd of my #100DaysToOffload challenge. Want to get involved? Find out more at 100daystooffload.com.
