How to add a passphrase, key, or keyfile to an existing LUKS device
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- LUKS
Issue
- Need to set multiple passphrases on an encrypted (LUKS) drive
- Need to add an additional password to a LUKS device
- Need to configure existing LUKS partition so that it can also be opened with a key file
Resolution
See also: How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases for instructions on creating new LUKS partitions from scratch
Background:
- LUKS-formatted dm-crypt volumes have 8 key slots
- To fill an empty key slot, the device node path of the encrypted device in question (from here on referred to as DEV) is needed
  Examples: /dev/sda3, /dev/sdb, /dev/VG/LV, /dev/mapper/mpath1
  The blkid command can help with this, i.e., use it to look only for devices of type "crypto_LUKS":
      blkid -t TYPE=crypto_LUKS
  In RHEL 6 and above, the lsblk command can also be extremely helpful to visualize the relationship between devices
Interactively adding a single-line text-only passphrase to an existing LUKS volume:
- Add a new passphrase with the command:
      cryptsetup luksAddKey DEV
  Example:
      [root ~]# cryptsetup luksAddKey /dev/sda3
      Enter any existing passphrase: <existing passphrase which can be used to open DEV>
      Enter new passphrase for key slot: <new passphrase to add to DEV>
      [root ~]#
Adding a key file to an existing LUKS volume:
- Prepare a key file, whether it is random data or something specific
  Examples:
      dd if=/dev/random bs=32 count=1 of=/root/random_data_keyfile1
      printf "Simple passphrase which can also be used interactively" >/root/plaintext_passphrase_keyfile2
  Take care to ensure the key file is hidden from and unreadable by all untrusted parties
- Add the key file to the encrypted device with the command:
      cryptsetup luksAddKey DEV /PATH/TO/KEYFILE
  Example:
      [root ~]# cryptsetup luksAddKey /dev/sda3 /root/random_data_keyfile1
      Enter any passphrase: <existing passphrase which can be used to open DEV>
      [root ~]#
- If DEV needs to be auto-unlocked at boot time, /etc/crypttab must be edited
  See this section from the above-mentioned solution "How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases" for further details
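The procedure above (find the LUKS device with blkid, prepare a key file, add it with luksAddKey) as a set of shell functions. This is an added example, not Red Hat's code; the function names, the LUKS_DEV/LUKS_KEYFILE variables that trigger the real cryptsetup call, and the choice of /dev/urandom over the article's /dev/random are assumptions. The blkid parser reads from stdin so it can be checked offline against constructed output.

```shell
#!/bin/bash
# Added example (not from the article). Assumed: function names,
# LUKS_DEV/LUKS_KEYFILE environment variables, /dev/urandom as key source.

# Print the device node of every blkid line reporting TYPE="crypto_LUKS".
# Reads blkid(8)-style lines ('/dev/sda3: UUID="..." TYPE="crypto_LUKS"')
# from stdin; the trailing ':' is stripped with sed, as the contributed
# script in the comments does.
luks_devices_from_blkid() {
    grep 'TYPE="crypto_LUKS"' | sed -e 's/:.*$//'
}

# Live wrapper around the blkid command from the article.
list_luks_devices() {
    blkid -t TYPE=crypto_LUKS | luks_devices_from_blkid
}

# Create a 32-byte random key file readable only by root (mode 0600).
# umask 077 is applied before the file exists, so it is never readable by
# other users even briefly. Refuses to overwrite an existing file.
make_random_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing $keyfile" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom bs=32 count=1 of="$keyfile" 2>/dev/null ) || return 1
    # Sanity check: exactly 32 bytes and mode 600 (GNU stat, as on RHEL).
    [ "$(stat -c '%s %a' "$keyfile")" = "32 600" ]
}

# Add the key file to DEV. cryptsetup will prompt for an existing
# passphrase that already opens DEV, as in the article's transcript.
add_keyfile_to_luks() {
    dev=$1; keyfile=$2
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ -r "$keyfile" ] || { echo "$keyfile is not readable" >&2; return 1; }
    cryptsetup luksAddKey "$dev" "$keyfile"
}

# Only touches a real device when both variables are set, e.g.
#   LUKS_DEV=/dev/sda3 LUKS_KEYFILE=/root/random_data_keyfile1 bash add_luks_key.sh
if [ -n "${LUKS_DEV:-}" ] && [ -n "${LUKS_KEYFILE:-}" ]; then
    make_random_keyfile "$LUKS_KEYFILE" && add_keyfile_to_luks "$LUKS_DEV" "$LUKS_KEYFILE"
fi
```

After the key file is added, remember that /etc/crypttab still has to reference it for unattended unlocking at boot.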
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
9 Comments
Is it possible to use RSA key ?
Hi Jos. As the article explains, a new key can be created from ANYTHING -- either a single-line text-only passphrase or a file containing any arbitrary data. So yes, you could pass in a file containing a private RSA key, just as you could pass in an ebook PDF.
So will it authenticate with a public key, as in an ssh connection ?
Jos: whatever file you pass to cryptsetup luksAddKey will be your key. cryptsetup takes the full file-data and generates a key from it. It does zero inspection on the file -- it pays no attention to what is in the file. If you have further questions, please open a support case.
It's wonderful! Be careful!! Don't kill the passphrase and boot if you made an entry in fstab and crypttab! Or mention the key in crypttab.
Hi, the method works to auto-unlock all the partitions except swap. For some reason the system still hangs asking for the password for the swap LUKS partition. Any pointer will be appreciated.
Have you considered using /swapfile here?
I have a similar problem. I am using NBDE (Tang) for auto-unlocking. The system is still asking for the swap passphrase at boot. Any help??
I wanted to send out a script that my users could use to add their own LUKS key, so I wrote the following based off this article and wanted to contribute back. The script finds the LUKS disk /dev/sda3: and the 'sed' removes ':' and then uses the value in the cryptsetup command.