How to add a passphrase, key, or keyfile to an existing LUKS device

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • LUKS

Issue

  • Need to set multiple passphrases on an encrypted (LUKS) drive
  • Need to add an additional password to a LUKS device
  • Need to configure existing LUKS partition so that it can also be opened with a key file

Resolution

See also: How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases, for instructions on creating new LUKS partitions from scratch

Background:

  • LUKS-formatted dm-crypt volumes have 8 key slots

  • To fill an empty key slot, the device node path of the encrypted device (from here on referred to as DEV) in question is needed
    Examples: /dev/sda3, /dev/sdb, /dev/VG/LV, /dev/mapper/mpath1
    The blkid command can help with this, e.g., use it to look only for devices of type "crypto_LUKS":

    • blkid -t TYPE=crypto_LUKS

    In RHEL 6 and above, the lsblk command can also be very helpful for visualizing the relationships between devices

Interactively adding a single-line text-only passphrase to an existing LUKS volume:

  1. Add a new passphrase with the command: cryptsetup luksAddKey DEV
    Example:

    [root ~]# cryptsetup luksAddKey /dev/sda3
    Enter any existing passphrase: Existing passphrase which can be used to open DEV
    Enter new passphrase for key slot: New passphrase to add to DEV
    [root ~]# 

Adding a key file to an existing LUKS volume:

  1. Prepare a key file, whether it is random data or something specific
    Examples:

    • dd if=/dev/random bs=32 count=1 of=/root/random_data_keyfile1
    • printf "Simple passphrase which can also be used interactively" >/root/plaintext_passphrase_keyfile2

    Take care to ensure the key file is hidden from and unreadable by all untrusted parties

  2. Add the key file to the encrypted device with the command: cryptsetup luksAddKey DEV /PATH/TO/KEYFILE
    Example:

    [root ~]# cryptsetup luksAddKey /dev/sda3 /root/random_data_keyfile1
    Enter any passphrase: Existing passphrase which can be used to open DEV
    [root ~]# 

  3. If DEV needs to be auto-unlocked at boot time, /etc/crypttab must be edited
    See this section from the above-mentioned solution "How to encrypt a filesystem (LUKS) using exportable keys instead of passphrases" for further details
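The key-file procedure above (steps 1 to 3) as an added shell example, not part of the Red Hat article: it creates the key file with root-only permissions, adds it with cryptsetup luksAddKey, verifies the new slot, and prints the /etc/crypttab line that step 3 needs. The crypttab target name (third argument) is the caller's choice; the UUID= source form and the luks option are standard crypttab syntax, and the blkid parsing mirrors the article's blkid -t TYPE=crypto_LUKS hint.

```shell
#!/bin/bash
# Added example (not from the Red Hat article): the key-file procedure as
# reusable functions, plus the /etc/crypttab entry that step 3 refers to.

# Print the device names from blkid output ("/dev/sda3: UUID=... TYPE=...")
# one per line with the trailing colon removed. Reads blkid text from stdin.
luks_devices_from_blkid() {
  awk '{ sub(/:$/, "", $1); print $1 }'
}

# Create a key file of $2 random bytes at $1, readable only by its owner
# (umask 077). Refuses to overwrite, so a key already in use is never lost.
# head -c always delivers the full count; dd on /dev/random can return a
# short read, leaving a shorter key than intended.
make_keyfile() {
  path=$1; bytes=${2:-32}
  if [ -e "$path" ]; then
    echo "refusing to overwrite existing $path" >&2
    return 1
  fi
  ( umask 077 && head -c "$bytes" /dev/urandom > "$path" )
}

# Build the /etc/crypttab line for step 3: "<name> UUID=<uuid> <keyfile> luks".
crypttab_line() {
  printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Add the key file to DEV (cryptsetup prompts for an existing passphrase, as
# in the article), then check that the new slot opens the device and list
# the slots (LUKS1 luksDump format, as used on RHEL 5 to 7).
add_luks_keyfile() {
  dev=$1; keyfile=$2
  cryptsetup luksAddKey "$dev" "$keyfile"
  # --test-passphrase verifies the key without mapping the device
  # (not available in very old cryptsetup releases).
  cryptsetup luksOpen --test-passphrase --key-file "$keyfile" "$dev"
  cryptsetup luksDump "$dev" | grep '^Key Slot'
}

# Usage: addkey.sh /dev/sda3 /root/random_data_keyfile1 luks-sda3
if [ "$#" -eq 3 ]; then
  make_keyfile "$2" 32
  add_luks_keyfile "$1" "$2"
  echo "Add this line to /etc/crypttab so DEV is unlocked at boot:"
  crypttab_line "$3" "$(blkid -s UUID -o value "$1")" "$2"
fi
```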

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

9 Comments

Is it possible to use RSA key ?

Hi Jos. As the article explains, a new key can be created from ANYTHING -- either a single-line text-only passphrase or a file containing any arbitrary data. So yes, you could pass in a file containing a private RSA key, just as you could pass in an ebook PDF.

So will it authenticate with a public key, as in an ssh connection ?

Jos: whatever file you pass to cryptsetup luksAddKey will be your key. cryptsetup takes the full file-data and generates a key from it. It does zero inspection on the file -- it pays no attention to what is in the file. If you have further questions, please open a support case.

It's wonderful! Be careful!! Don't kill the passphrase and boot if you made an entry in fstab and crypttab! Or mention the key in crypttab.

Hi, the method works to auto-unlock all the partitions except swap. For some reason the system still hangs asking for the password for the swap LUKS partition. Any pointer will be appreciated.

Have you considered using /swapfile here?

I have a similar problem. I am using NBDE (Tang) for auto-unlocking. The system is still asking for the swap passphrase at boot. Any help??

I wanted to send out a script that my users could use to add their own LUKS key, so I wrote the following based off this article and wanted to contribute back. The script finds the LUKS disk (/dev/sda3:), the 'sed' removes the ':', and then the value is used in the cryptsetup command.

#!/bin/bash
# blkid prints "/dev/sda3: UUID=..." per LUKS device; take the first device's name and strip its trailing colon
LUKSDRIVE=$(blkid -t TYPE=crypto_LUKS | awk 'NR==1 { print $1 }' | sed 's/:$//')
[ -n "$LUKSDRIVE" ] || { echo "No LUKS device found" >&2; exit 1; }
cryptsetup luksAddKey "$LUKSDRIVE"