
#1 2023-11-12 20:16:24

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Running sudo cryptsetup luksChangeKey on wrong device name

I just want to know if running this is safe, as I did it:
sudo cryptsetup luksChangeKey /dev/mapper/root
It gave an error saying it was not a LUKS device,
as this was the name of the opened encrypted device and the original name was /dev/sda2.

I then realised my mistake and ran:
sudo cryptsetup luksChangeKey /dev/sda2

and I changed the passphrase.

Also, I didn't close and unmount the LUKS partition, i.e. /dev/mapper/root, before changing the passphrase.

Last edited by v3n0m19 (2023-11-12 20:21:18)


#2 2023-11-12 20:36:49

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: Running sudo cryptsetup luksChangeKey on wrong device name

It should work as intended. You can test with luksAddKey. It should accept your changed passphrase...

Also, cryptsetup 2.6.1 has a bug where luksChangeKey makes the LUKS header invalid in rare cases - this is already fixed in git, but there's no release yet. ( https://gitlab.com/cryptsetup/cryptsetup/-/issues/839 )

Even with this fix, I don't recommend luksChangeKey. It's safer to luksAddKey a new passphrase, and luksRemoveKey the old key at a later time, once you're sure the new one works. Also never a bad idea to have a backup passphrase for emergencies, if not a full header backup.


#3 2023-11-13 09:26:56

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Re: Running sudo cryptsetup luksChangeKey on wrong device name

frostschutz wrote:

It should work as intended. You can test with luksAddKey. It should accept your changed passphrase...

Also, cryptsetup 2.6.1 has a bug where luksChangeKey makes the LUKS header invalid in rare cases - this is already fixed in git, but there's no release yet. ( https://gitlab.com/cryptsetup/cryptsetup/-/issues/839 )

Even with this fix, I don't recommend luksChangeKey. It's safer to luksAddKey a new passphrase, and luksRemoveKey the old key at a later time, once you're sure the new one works. Also never a bad idea to have a backup passphrase for emergencies, if not a full header backup.

Thanks. I wanted to know if running the command sudo luksChangeKey /dev/mapper/root would cause problems. It gave an error, which it should, but I don't know about the repercussions, if any, of running it on the mapper device.


#4 2023-11-13 10:05:52

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: Running sudo cryptsetup luksChangeKey on wrong device name

None, it simply tells you that it was the wrong device.

It would be a problem if you ran luksFormat ... ;-) It might tell you there is something else there, but if you confirm, it will overwrite whatever is there...

Cryptsetup could be nice about it, follow the mapper device back to its LUKS source device, and perform the luksChangeKey there. However there are also odd setups where the LUKS header is external, or people could put LUKS inside LUKS anyway, so... you have to provide the correct device yourself (the one with the LUKS header, not the mapper device), no magic done for you. That's just how it works.

Last edited by frostschutz (2023-11-13 10:08:17)

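An added example, not code from the thread or from cryptsetup itself, that puts the two points above into a script: it follows a mapper name back to the device that actually holds the LUKS header (what post #4 says cryptsetup will not do for you), refuses to run keyslot operations on a mapper path, and rotates a passphrase the way post #2 recommends (header backup, luksAddKey, prove the new passphrase opens the device, luksRemoveKey the old one later). The cryptsetup subcommands and options used (status, isLuks, luksHeaderBackup --header-backup-file, luksAddKey, open --test-passphrase, luksRemoveKey, luksDump) are real; the function names are mine, and /dev/mapper/root and /dev/sda2 are the thread's own device names used as placeholders. Keyslot changes only rewrite the header, so the volume can stay open and mounted while this runs, which is why the original passphrase change did not need a close or unmount.

```shell
#!/bin/sh
# Added example, not code from the thread. Resolves a dm-crypt mapping to the
# device that holds the LUKS header, refuses to run key operations against a
# mapper device, and rotates a passphrase the add-first, remove-later way.
# Assumes cryptsetup 2.x; /dev/mapper/root and /dev/sda2 are the thread's
# device names, used here only as placeholders.

# True if the path names a device-mapper target rather than a raw block device.
# luksChangeKey/luksAddKey on such a path only yields "not a LUKS device".
is_mapper_device() {
    case $1 in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the "device:" field out of `cryptsetup status <name>` text read on
# stdin (the line looks like "  device:  /dev/sda2"). awk splits on
# whitespace, so the indentation of the status output is ignored.
backing_device_from_status() {
    awk '$1 == "device:" { print $2; exit }'
}

# Map a mapper name (root) or path (/dev/mapper/root) to its LUKS source
# device, verifying with isLuks that the header really lives there.
# Prints the device; returns non-zero if the mapping or header is not found.
luks_source_of() {
    dev=$(cryptsetup status "$1" 2>/dev/null | backing_device_from_status)
    [ -n "$dev" ] || { echo "no active mapping named $1" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev carries no LUKS header" >&2; return 1; }
    printf '%s\n' "$dev"
}

# Guard for any keyslot operation: reject mapper paths (and say where the
# header actually is) and non-LUKS devices before cryptsetup touches anything.
require_luks_device() {
    if is_mapper_device "$1"; then
        src=$(luks_source_of "$1") && echo "$1 is the opened mapping; the LUKS header is on $src" >&2
        return 1
    fi
    cryptsetup isLuks "$1"
}

# Step 1 of the rotation: back up the header, add the new passphrase in a
# fresh keyslot, then prove it unlocks the device before anything is removed.
add_and_verify_passphrase() {
    dev=$1
    backup=$2
    require_luks_device "$dev" || return 1
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    cryptsetup luksAddKey "$dev" || return 1      # prompts: existing passphrase, then the new one
    cryptsetup open --test-passphrase "$dev"      # type the NEW passphrase; exit status is the proof
}

# Step 2, run later once the new passphrase has survived a real boot: drop the
# old one. luksRemoveKey asks for the passphrase to remove, so type the OLD
# passphrase here; luksDump then shows which keyslots remain.
remove_old_passphrase() {
    dev=$1
    require_luks_device "$dev" || return 1
    cryptsetup luksRemoveKey "$dev" || return 1
    cryptsetup luksDump "$dev"
}
```

Usage, as root: `. ./luks-rotate.sh; dev=$(luks_source_of root); add_and_verify_passphrase "$dev" /root/luks-header.img`, reboot with the new passphrase, then `remove_old_passphrase "$dev"`. Calling `add_and_verify_passphrase /dev/mapper/root ...` by mistake stops at the guard and names /dev/sda2 instead of proceeding.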

#5 2023-11-13 19:04:15

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Re: Running sudo cryptsetup luksChangeKey on wrong device name

I have noticed that videos on YouTube, when in full screen, sometimes freeze for a second or two, while the audio remains okay. This behavior wasn't there, I guess, before changing the passphrase.
That's why I asked this question.


#6 2023-11-14 17:08:13

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Re: Running sudo cryptsetup luksChangeKey on wrong device name

frostschutz wrote:

None, it simply tells you that it was the wrong device.

It would be a problem if you ran luksFormat ... ;-) It might tell you there is something else there, but if you confirm, it will overwrite whatever is there...

Cryptsetup could be nice about it, follow the mapper device back to its LUKS source device, and perform the luksChangeKey there. However there are also odd setups where the LUKS header is external, or people could put LUKS inside LUKS anyway, so... you have to provide the correct device yourself (the one with the LUKS header, not the mapper device), no magic done for you. That's just how it works.

Any idea? Read my above post.

