103

I installed Ubuntu 11.10 with the alternate CD and encrypted the whole system (except boot) with the encrypted LVM. Update 2020: Encrypted LVM can be selected at the Installation type step of the Ubuntu install, click on Advanced features and choose Use LVM and Encrypt ...

Everything works great as before, but I would like to change the password of the encrypted LVM. I tried to follow the Tips and Tricks of this article, but it does not work. After typing:

sudo cryptsetup luksDump /dev/sda5

It says: "Device /dev/sd5 doesn't exist or access denied." I thought the encrypted partition is /dev/sda5. Any help how to change the password?

Filbuntu
  • 13,891

7 Answers

121

Using the Disks application:

In Ubuntu 18.04 or newer there is the possibility of using (Gnome) Disks. Thanks for the hint, Greg Lever, after clicking around I found what Greg mentioned:

  1. Open Gnome Disks.
  2. Choose/Click on the main physical hard drive in the left panel.
  3. Click on the LUKS encrypted partition, in this example it is Partition 3.
  4. Click on the edit icon (cogs, gear wheels) and choose "Change Passphrase".

If you get an error, close GNOME Disks and open it in a terminal: sudo gnome-disks
(This helped @ScriptAutomate, thank you for the tip.)

Or using the command-line:

Here is the answer that worked for me, after Hamish helped me to realize my typo.

WARNING (for older Ubuntu versions, newer (e.g. 19.04) should be bug-fixed but be careful anyway): If you only have one key and remove it before adding another, you will render your disk inaccessible after rebooting! This also means you can not add a new key anymore afterwards. Thanks waffl and khaimovmr for these helpful comments.

First, you need to find out which is the encrypted LVM partition, it may be sda3, but it can also be sda5 (default on Ubuntu LVM), sdX2, ...:

cat /etc/crypttab

To add a new password, use luksAddKey:

sudo cryptsetup luksAddKey /dev/sda3

To remove an existing password, use luksRemoveKey, by typing the passphrase to remove:

sudo cryptsetup luksRemoveKey /dev/sda3

View currently used slots of the encrypted partition (make sure at least one slot is shown):

sudo cryptsetup luksDump /dev/sda3

Cited from this blog. Thanks.

Be aware: Flimm experienced that Ubuntu's system keyboard layout changed from Dvorak to Qwerty. You cannot see which keyboard layout you are using (bug #1862656) and you cannot choose to display the password (bug #1862654). Also, you only get three tries before being forced to wait for 60 seconds (bug #1862660). Thanks flimm for the helpful comment!

Filbuntu
  • 13,891
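
The warning in the answer above, turned into a check that runs before `luksRemoveKey`. This is an added example, not part of the original answer. The function names and the sample dumps are constructed, and the parsing assumes the `luksDump` layouts printed for LUKS1 and LUKS2 headers.

```bash
# Reads `cryptsetup luksDump` text on stdin and prints the number of active keyslots.
count_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }              # LUKS1: one line per slot
        /^[A-Za-z]/ { in_ks = ($0 ~ /^Keyslots:/) }      # LUKS2: track the current section
        in_ks && /^[ \t]+[0-9]+: / { n++ }               # LUKS2: "  0: luks2" inside Keyslots
        END { print n + 0 }
    '
}

# Succeeds only when at least two slots are active, so one survives a removal.
safe_to_remove() {
    [ "$(count_keyslots)" -ge 2 ]
}

# Constructed, abbreviated luksDump samples (not from a real device).
sample_luks1() {
    cat <<'EOF'
LUKS header information for /dev/sda3
Version:        1
Key Slot 0: ENABLED
    Iterations:     1000000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

sample_luks2() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

# Intended use on a real system (needs root, device name as in the answer above):
#   sudo cryptsetup luksDump /dev/sda3 | safe_to_remove \
#       && sudo cryptsetup luksRemoveKey /dev/sda3
```

The LUKS2 branch counts entries only inside the `Keyslots:` section, because `Digests:` and other sections use the same `N: type` line shape.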
31

Download "Disks" from Software Manager. Run it. Select your encrypted device partition. Click gear icon. Select "Change passphrase". That's it.

zoubak
  • 311
23

To see the slots used:

sudo cryptsetup luksDump /dev/sda5

And to find out which partition to use

cat /etc/crypttab

And if it is listed by uuid, use

ls -l /dev/disk/by-uuid/{insert your uuid here}

Then use

sudo cryptsetup luksAddKey /dev/sda5
sudo cryptsetup luksRemoveKey /dev/sda5

or

sudo cryptsetup luksChangeKey /dev/sda5

and for faster reference (assuming only 1 entry in /etc/crypttab)

sudo cryptsetup luksAddKey /dev/disk/by-uuid/$(cat /etc/crypttab | sed -e "s|\(.*\) UUID=\(.*\) none.*|\2|g")
sudo cryptsetup luksChangeKey /dev/disk/by-uuid/$(cat /etc/crypttab | sed -e "s|\(.*\) UUID=\(.*\) none.*|\2|g")
Cookie
  • 957
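
The `sed` one-liner in the answer above assumes a single crypttab entry that uses `UUID=` and `none`. The added example below (not part of the original answer) goes further and resolves every entry: it skips comments and blank lines, passes `/dev/...` sources through, and maps `TAG=value` sources to `/dev/disk/by-<tag>/<value>`. The function names and the sample file are constructed.

```bash
# Prints "<mapper name> <device path>" for each entry of a crypttab file.
# $1 is the file to read; "-" means stdin, default is /etc/crypttab.
crypttab_devices() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        NF >= 2 {
            src = $2
            if (src ~ /^[A-Z]+=/) {              # UUID=, PARTUUID=, LABEL=, ...
                eq  = index(src, "=")
                tag = tolower(substr(src, 1, eq - 1))
                val = substr(src, eq + 1)
                gsub(/"/, "", val)               # tolerate a quoted value
                src = "/dev/disk/by-" tag "/" val
            }
            print $1, src
        }
    ' "${1:-/etc/crypttab}"
}

# Prints the device path for one mapper name ($1); $2 is the crypttab file.
device_for() {
    crypttab_devices "${2:-/etc/crypttab}" | awk -v name="$1" '$1 == name { print $2 }'
}

# Constructed sample crypttab with two entries (UUID is made up).
sample_crypttab() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
sda5_crypt UUID=0a1b2c3d-1111-2222-3333-444455556666 none luks,discard

backup_crypt /dev/sdb1 /root/backup.key luks
EOF
}

# Intended use on a real system (needs root):
#   sudo cryptsetup luksChangeKey "$(device_for sda5_crypt)"
```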
15

Without thinking I set the passphrase to be really long, and it became a pain to type. I ended up using the following to change it to something more manageable.

sudo cryptsetup luksChangeKey /dev/sda5
jc00ke
  • 271
7

The encrypted partition may well be using /dev/sda5 (note the a in sda5) and that is the device you probably need to use (unless that is just a typo in your question).

However the encrypted device itself will have another name - something like /dev/mapper/cryptroot. For the device name you could:

  • look in the file /etc/crypttab - this will have both the partition and the mapper name in it, but only for permanent partitions
  • run mount and see what the mapper name is - this is useful when you have plugged in an encrypted disk via USB. (Though I'm not sure how you then find the actual underlying device name).
Hamish Downer
  • 19,506
4

I had issues locating the partition name, so I created this guide:

  1. Locate your LVM partition

    # install jq if you don't have it
    sudo apt-get install jq
    
    # find LVM partition
    LVMPART=$(lsblk -p --json | jq -r '.blockdevices[] | select(.children) | .children[] | select(.children) as $partition | .children[] | select(.type == "crypt") | $partition.name')
    
    # check if it was found
    echo $LVMPART
    
        # (optional)
        # if above output is empty, locate it in a tree view using this command
        lsblk -p
    
        # partition `/dev/some_name` should be the parent object of the one with TYPE of `crypt`, set it
        LVMPART=/dev/some_name
    
  2. Check LVM partition meta by dumping it

    sudo cryptsetup luksDump $LVMPART
    
  3. Add new key (you can have multiple keys)

    sudo cryptsetup luksAddKey $LVMPART
    
  4. After dumping it again, you should see multiple keys

    sudo cryptsetup luksDump $LVMPART
    
  5. Delete old key if desired

    sudo cryptsetup luksRemoveKey $LVMPART
    
4

On Ubuntu 18.04 run gnome-disks and you can point and click to change the passphrase for the encryption.