How to add a passphrase, key, or keyfile to an existing LUKS device


Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • LUKS

Issue

  • Need to set multiple passphrases on an encrypted (LUKS) drive
  • Need to add an additional password to a LUKS device
  • Need to configure existing LUKS partition so that it can also be opened with a key file

Resolution

See also: How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases, for instructions on creating new LUKS partitions from scratch

Background:

  • LUKS-formatted dm-crypt volumes have 8 key slots

  • To fill an empty key slot, the device node path of the encrypted device in question (from here on referred to as DEV) is needed
    Examples: /dev/sda3, /dev/sdb, /dev/VG/LV, /dev/mapper/mpath1
    The blkid command can help with this, e.g. by listing only devices of type "crypto_LUKS":

    • blkid -t TYPE=crypto_LUKS

    In RHEL 6 and above, the lsblk command can also be extremely helpful to visualize the relationship between devices

Interactively adding a single-line text-only passphrase to an existing LUKS volume:

  1. Add a new passphrase with the command: cryptsetup luksAddKey DEV
    Example:

    [root ~]# cryptsetup luksAddKey /dev/sda3
    Enter any existing passphrase: Existing passphrase which can be used to open DEV
    Enter new passphrase for key slot: New passphrase to add to DEV
    [root ~]# 

Adding a key file to an existing LUKS volume:

  1. Prepare a key file, whether it is random data or something specific
    Examples:

    • dd if=/dev/random bs=32 count=1 of=/root/random_data_keyfile1
    • printf "Simple passphrase which can also be used interactively" >/root/plaintext_passphrase_keyfile2

    Take care to ensure the key file is hidden from and unreadable by all untrusted parties

  2. Add the key file to the encrypted device with the command: cryptsetup luksAddKey DEV /PATH/TO/KEYFILE
    Example:

    [root ~]# cryptsetup luksAddKey /dev/sda3 /root/random_data_keyfile1
    Enter any passphrase: Existing passphrase which can be used to open DEV
    [root ~]# 

  3. If DEV needs to be auto-unlocked at boot time, /etc/crypttab must be edited
    See this section from the above-mentioned solution "How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases" for further details
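The key-file procedure above, as an added example that is not part of the original solution: it creates the key file with owner-only permissions (the "hidden from and unreadable by untrusted parties" requirement), refuses to enroll a file that is group- or world-readable, and verifies the new slot actually unlocks DEV. It assumes GNU coreutils (stat -c), the LUKS1 luksDump output format used on RHEL 5-7, and cryptsetup 1.6 or newer for --test-passphrase; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: safe key-file creation and enrollment into a LUKS key slot.
set -u

# Write 32 random bytes to KEYFILE so that it is never readable by others,
# not even between creation and chmod (umask 077 applies to the open()).
# /dev/urandom never blocks; the article's dd if=/dev/random form also works.
make_keyfile() {
    keyfile=$1
    ( umask 077 && head -c 32 /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Succeed only if KEYFILE exists, is non-empty and has no group/other bits.
check_keyfile() {
    keyfile=$1
    [ -s "$keyfile" ] || { echo "keyfile missing or empty: $keyfile" >&2; return 1; }
    mode=$(stat -c %a "$keyfile") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "keyfile $keyfile is mode $mode, expected owner-only" >&2; return 1 ;;
    esac
}

# Count ENABLED slots in luksDump output (LUKS1 prints "Key Slot N: ENABLED").
count_enabled_slots() {
    cryptsetup luksDump "$1" | grep -c '^Key Slot [0-7]: ENABLED'
}

# Enroll KEYFILE into DEV. If EXISTING_KEYFILE is given it supplies the
# existing secret (--key-file) so the step runs unattended; otherwise
# cryptsetup prompts for an existing passphrase as in the article.
add_keyfile_to_luks() {
    dev=$1; keyfile=$2; existing_keyfile=${3:-}
    check_keyfile "$keyfile" || return 1
    before=$(count_enabled_slots "$dev") || return 1
    if [ "$before" -ge 8 ]; then echo "no free key slot on $dev" >&2; return 1; fi
    if [ -n "$existing_keyfile" ]; then
        cryptsetup luksAddKey --key-file "$existing_keyfile" "$dev" "$keyfile" || return 1
    else
        cryptsetup luksAddKey "$dev" "$keyfile" || return 1
    fi
    # Prove the new slot unlocks DEV without mapping it (cryptsetup >= 1.6).
    cryptsetup luksOpen --test-passphrase --key-file "$keyfile" "$dev" || return 1
    echo "enabled key slots on $dev: $before -> $(count_enabled_slots "$dev")"
}

# Typical use (needs root and a real LUKS device):
#   make_keyfile /root/random_data_keyfile1
#   add_keyfile_to_luks /dev/sda3 /root/random_data_keyfile1
```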
