
#1 2024-01-06 16:41:32

ectospasm
Member
Registered: 2015-08-28
Posts: 273

[SOLVED] Trying to test LUKS2 recovery key

I have a LUKS2 container taking up almost an entire NVMe SSD which houses my root Btrfs subvolume.  I'm using UKI with Secure Boot and a TPM.  I have two populated LUKS2 key slots, 1 and 2.  1 is my recovery key set up with systemd-cryptenroll --recovery-key, which I set up without a GUI (so no QR code was printed for it).  The other is a key from the TPM, also set up with systemd-cryptenroll.  The LUKS2 container is currently unlocked, and I'm booted into my Arch system. 

I'm trying to test my transcription of the recovery key (I only have a photo of it).  Whenever I try to pass --test-passphrase to cryptsetup open, it merely exits with status code 0, even if I tell it the key slot (1) of the recovery key.  It does this whether I pipe the recovery key through stdin, or try to let it prompt me for the recovery key.  I suspect this is basically a no-op, since the LUKS2 container is already open.  Or else the TPM key is automatically unlocking it (even if I pass --key-slot=1), though I believe this is less likely.

How do I test this recovery key before I store it in my password manager?  I would rather not disable Secure Boot by entering Setup Mode, or wipe the TPM key slot.

As I was writing this, I found systemd-cryptsetup(8).  It does throw errors since my LUKS2 volume is already open, but it does prompt for the recovery key anyway, and gives different errors if the passphrase is incorrect, versus entered correctly.  Here's the output as evidence:

# systemd-cryptsetup attach blah /dev/nvme0n1p2
Cannot use device /dev/nvme0n1p2 which is in use (already mapped or mounted).
? Please enter recovery key for disk enc (blah): •••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p2.
Cannot use device /dev/nvme0n1p2 which is in use (already mapped or mounted).
Failed to activate with specified passphrase: Device or resource busy
# systemd-cryptsetup attach blah /dev/nvme0n1p2
Cannot use device /dev/nvme0n1p2 which is in use (already mapped or mounted).
? Please enter recovery key for disk enc (blah): •••••••••••
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p2.
Failed to activate with specified passphrase. (Passphrase incorrect?)
? Please enter recovery key for disk enc (blah): (press TAB for no echo)
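As an added example (not the poster's code, and not part of systemd or cryptsetup), here is a small POSIX sh script for the same job: it first checks a transcribed recovery key for the slips a photo transcription tends to introduce (stray whitespace, uppercase letters, characters outside the modhex alphabet, dashes in the wrong place) and only then hands it to cryptsetup open --test-passphrase against a single key slot, which verifies the slot in memory without creating a new mapping. It assumes systemd's recovery-key layout (eight dash-separated groups of eight letters from the alphabet cbdefghijklnrtuv, 71 characters in total) and that cryptsetup is installed; the device path, slot number and the sample key are placeholders supplied on the command line. The key is piped with printf '%s' and --key-file -, because cryptsetup reads a key file verbatim and a trailing newline would otherwise become part of the key; exit code 2 is cryptsetup's documented "no permission" result for a rejected passphrase.

```sh
#!/bin/sh
# Added example (not the poster's code): sanity-check a transcribed
# systemd-cryptenroll recovery key, then verify it against one LUKS2 key slot
# without activating the device.

# Assumption: systemd recovery keys are 8 dash-separated groups of 8 "modhex"
# letters (alphabet cbdefghijklnrtuv), 71 characters in total.
MODHEX='cbdefghijklnrtuv'

# normalize_recovery_key KEY
# Strips whitespace (a photo transcription often picks up spaces or newlines),
# lowercases, and checks the shape. Prints the cleaned key and returns 0, or
# prints the reason to stderr and returns 1.
normalize_recovery_key() {
    key=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z')
    if [ "${#key}" -ne 71 ]; then
        echo "key has ${#key} characters, expected 71" >&2
        return 1
    fi
    # Anything that is not a modhex letter or a dash is a transcription slip
    # (a common one is reading the letter 'l' as the digit '1').
    bad=$(printf '%s' "$key" | tr -d "${MODHEX}-")
    if [ -n "$bad" ]; then
        echo "characters not in the modhex alphabet: $bad" >&2
        return 1
    fi
    # Exactly seven dashes, one after every eighth letter.
    stripped=$(printf '%s' "$key" | tr -d -- '-')
    if [ "${#stripped}" -ne 64 ]; then
        echo "expected 7 dashes, found $(( ${#key} - ${#stripped} ))" >&2
        return 1
    fi
    case "$key" in
        ????????-????????-????????-????????-????????-????????-????????-????????) ;;
        *) echo "groups are not 8 letters separated by dashes" >&2; return 1 ;;
    esac
    printf '%s\n' "$key"
}

# test_luks_keyslot DEVICE SLOT KEY
# Checks the key against one key slot only. --test-passphrase opens the slot
# in memory and creates no device-mapper mapping, so it does not need the
# container to be closed. The key goes in as a key file with no trailing
# newline, since --key-file takes the bytes verbatim.
# Returns cryptsetup's exit code (0 = slot opened, 2 = key rejected).
test_luks_keyslot() {
    dev=$1; slot=$2; key=$3
    rc=0
    printf '%s' "$key" | cryptsetup open --test-passphrase --key-slot "$slot" \
        --key-file - "$dev" || rc=$?
    return "$rc"
}

# explain_cryptsetup_rc RC
# Turns cryptsetup's exit code into a one-line verdict.
explain_cryptsetup_rc() {
    case "$1" in
        0) echo "key slot opened: the transcription is correct" ;;
        2) echo "key rejected: transcription error or wrong slot" ;;
        5) echo "device busy (not expected with --test-passphrase)" ;;
        *) echo "cryptsetup exited with code $1" ;;
    esac
}

# Usage (placeholders): sh luks-keycheck.sh /dev/nvme0n1p2 1 'cccccccc-...-cccccccc'
if [ "$#" -eq 3 ]; then
    key=$(normalize_recovery_key "$3") || exit 1
    test_luks_keyslot "$1" "$2" "$key"; rc=$?
    explain_cryptsetup_rc "$rc"
    exit "$rc"
fi
```

Running the format check before touching cryptsetup separates the two failure causes: a key that fails normalize_recovery_key was mis-transcribed and no amount of retrying against the device will help, while a well-formed key that cryptsetup rejects with exit code 2 was transcribed plausibly but is simply not the one stored in that slot.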
