How to remove an unknown key from LUKS with cryptsetup?












1















My LUKS encrypted drive has 3 passphrases. Two of them are secure (and long), the other one is lost. However, I dimly remember that it was not up to par; it was used during experiments and should have been wiped afterwards. How can I get rid of that key, given I do not know it anymore, but at least the other two?










share|improve this question



























    1















    My LUKS encrypted drive has 3 passphrases. Two of them are secure (and long), the other one is lost. However, I dimly remember that it was not up to par; it was used during experiments and should have been wiped afterwards. How can I get rid of that key, given I do not know it anymore, but at least the other two?










    share|improve this question

























      1












      1








      1








      My LUKS encrypted drive has 3 passphrases. Two of them are secure (and long), the other one is lost. However, I dimly remember that it was not up to par; it was used during experiments and should have been wiped afterwards. How can I get rid of that key, given I do not know it anymore, but at least the other two?










      share|improve this question














      My LUKS encrypted drive has 3 passphrases. Two of them are secure (and long), the other one is lost. However, I dimly remember that it was not up to par; it was used during experiments and should have been wiped afterwards. How can I get rid of that key, given I do not know it anymore, but at least the other two?







      luks






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 13 at 8:12









      MPiMPi

      1,1121024




      1,1121024






















          1 Answer
          1






          active

          oldest

          votes


















          1














          The magic option is luksKillSlot.



          The point is to figure out which of your three keyslots contains the
          key to be deleted. If you don't know it yet, you can check this out by trying
          all the known keys one after another and let cryptsetup tell you
          which key refers to which slot. The unknown key then refers to the remaining slot.



          Check which slots are used (in my case slots 0, 1, and 2 are used). Replace /dev/sdb4
          with your actual device:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: ENABLED
          ...
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED


          Now open (=decrypt) your device with your first key and let cryptsetup be verbose
          so it shows which slot was used to unlock the device:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter one of your two known keys]
          Key slot 2 unlocked.
          Command successful.


          Remember which slot (2 in this case) the first key refered to and undo the step:



          root@host:~# cryptsetup close someAlias


          Repeat with your second known key:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter the second of your two known keys]
          Key slot 0 unlocked.
          Command successful.
          root@host:~# cryptsetup close someAlias


          Now you know that the two known keys refer to slot 2 and slot 0. So slot 1
          must be the one that contains the unknown key. Delete it with:



          root@host:~# cryptsetup -v luksKillSlot /dev/sdb4 1
          Keyslot 1 is selected for deletion.
          Enter any remaining passphrase:
          [enter one of the two known keys]
          Key slot 0 unlocked.
          Command successful.


          Check it out:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: DISABLED
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED





          share|improve this answer
























          • Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

            – MPi
            Mar 14 at 9:58











          • @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

            – PerlDuck
            Mar 14 at 21:19











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1125246%2fhow-to-remove-an-unknown-key-from-luks-with-cryptsetup%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          The magic option is luksKillSlot.



          The point is to figure out which of your three keyslots contains the
          key to be deleted. If you don't know it yet, you can check this out by trying
          all the known keys one after another and let cryptsetup tell you
          which key refers to which slot. The unknown key then refers to the remaining slot.



          Check which slots are used (in my case slots 0, 1, and 2 are used). Replace /dev/sdb4
          with your actual device:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: ENABLED
          ...
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED


          Now open (=decrypt) your device with your first key and let cryptsetup be verbose
          so it shows which slot was used to unlock the device:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter one of your two known keys]
          Key slot 2 unlocked.
          Command successful.


          Remember which slot (2 in this case) the first key refered to and undo the step:



          root@host:~# cryptsetup close someAlias


          Repeat with your second known key:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter the second of your two known keys]
          Key slot 0 unlocked.
          Command successful.
          root@host:~# cryptsetup close someAlias


          Now you know that the two known keys refer to slot 2 and slot 0. So slot 1
          must be the one that contains the unknown key. Delete it with:



          root@host:~# cryptsetup -v luksKillSlot /dev/sdb4 1
          Keyslot 1 is selected for deletion.
          Enter any remaining passphrase:
          [enter one of the two known keys]
          Key slot 0 unlocked.
          Command successful.


          Check it out:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: DISABLED
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED





          share|improve this answer
























          • Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

            – MPi
            Mar 14 at 9:58











          • @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

            – PerlDuck
            Mar 14 at 21:19
















          1














          The magic option is luksKillSlot.



          The point is to figure out which of your three keyslots contains the
          key to be deleted. If you don't know it yet, you can check this out by trying
          all the known keys one after another and let cryptsetup tell you
          which key refers to which slot. The unknown key then refers to the remaining slot.



          Check which slots are used (in my case slots 0, 1, and 2 are used). Replace /dev/sdb4
          with your actual device:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: ENABLED
          ...
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED


          Now open (=decrypt) your device with your first key and let cryptsetup be verbose
          so it shows which slot was used to unlock the device:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter one of your two known keys]
          Key slot 2 unlocked.
          Command successful.


          Remember which slot (2 in this case) the first key refered to and undo the step:



          root@host:~# cryptsetup close someAlias


          Repeat with your second known key:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter the second of your two known keys]
          Key slot 0 unlocked.
          Command successful.
          root@host:~# cryptsetup close someAlias


          Now you know that the two known keys refer to slot 2 and slot 0. So slot 1
          must be the one that contains the unknown key. Delete it with:



          root@host:~# cryptsetup -v luksKillSlot /dev/sdb4 1
          Keyslot 1 is selected for deletion.
          Enter any remaining passphrase:
          [enter one of the two known keys]
          Key slot 0 unlocked.
          Command successful.


          Check it out:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: DISABLED
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED





          share|improve this answer
























          • Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

            – MPi
            Mar 14 at 9:58











          • @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

            – PerlDuck
            Mar 14 at 21:19














          1












          1








          1







          The magic option is luksKillSlot.



          The point is to figure out which of your three keyslots contains the
          key to be deleted. If you don't know it yet, you can check this out by trying
          all the known keys one after another and let cryptsetup tell you
          which key refers to which slot. The unknown key then refers to the remaining slot.



          Check which slots are used (in my case slots 0, 1, and 2 are used). Replace /dev/sdb4
          with your actual device:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: ENABLED
          ...
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED


          Now open (=decrypt) your device with your first key and let cryptsetup be verbose
          so it shows which slot was used to unlock the device:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter one of your two known keys]
          Key slot 2 unlocked.
          Command successful.


          Remember which slot (2 in this case) the first key refered to and undo the step:



          root@host:~# cryptsetup close someAlias


          Repeat with your second known key:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter the second of your two known keys]
          Key slot 0 unlocked.
          Command successful.
          root@host:~# cryptsetup close someAlias


          Now you know that the two known keys refer to slot 2 and slot 0. So slot 1
          must be the one that contains the unknown key. Delete it with:



          root@host:~# cryptsetup -v luksKillSlot /dev/sdb4 1
          Keyslot 1 is selected for deletion.
          Enter any remaining passphrase:
          [enter one of the two known keys]
          Key slot 0 unlocked.
          Command successful.


          Check it out:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: DISABLED
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED





          share|improve this answer













          The magic option is luksKillSlot.



          The point is to figure out which of your three keyslots contains the
          key to be deleted. If you don't know it yet, you can check this out by trying
          all the known keys one after another and let cryptsetup tell you
          which key refers to which slot. The unknown key then refers to the remaining slot.



          Check which slots are used (in my case slots 0, 1, and 2 are used). Replace /dev/sdb4
          with your actual device:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: ENABLED
          ...
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED


          Now open (=decrypt) your device with your first key and let cryptsetup be verbose
          so it shows which slot was used to unlock the device:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter one of your two known keys]
          Key slot 2 unlocked.
          Command successful.


          Remember which slot (2 in this case) the first key refered to and undo the step:



          root@host:~# cryptsetup close someAlias


          Repeat with your second known key:



          root@host:~# cryptsetup -v open --type luks /dev/sdb4 someAlias
          [enter the second of your two known keys]
          Key slot 0 unlocked.
          Command successful.
          root@host:~# cryptsetup close someAlias


          Now you know that the two known keys refer to slot 2 and slot 0. So slot 1
          must be the one that contains the unknown key. Delete it with:



          root@host:~# cryptsetup -v luksKillSlot /dev/sdb4 1
          Keyslot 1 is selected for deletion.
          Enter any remaining passphrase:
          [enter one of the two known keys]
          Key slot 0 unlocked.
          Command successful.


          Check it out:



          root@host:~# cryptsetup luksDump /dev/sdb4
          LUKS header information for /dev/sdb4
          ...
          Key Slot 0: ENABLED
          ...
          Key Slot 1: DISABLED
          Key Slot 2: ENABLED
          ...
          Key Slot 3: DISABLED
          Key Slot 4: DISABLED
          Key Slot 5: DISABLED
          Key Slot 6: DISABLED
          Key Slot 7: DISABLED






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 13 at 13:16









          PerlDuckPerlDuck

          7,74611636




          7,74611636













          • Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

            – MPi
            Mar 14 at 9:58











          • @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

            – PerlDuck
            Mar 14 at 21:19



















          • Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

            – MPi
            Mar 14 at 9:58











          • @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

            – PerlDuck
            Mar 14 at 21:19

















          Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

          – MPi
          Mar 14 at 9:58





          Yes, luksKillSlot was what I had overlooked. However, I could not play with opening the device (is always open). Luckily, luksKillSlot will ask for a remaining passphrase, so I could go one by one.

          – MPi
          Mar 14 at 9:58













          @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

          – PerlDuck
          Mar 14 at 21:19





          @MPi Nice to hear and thank you for your vote. If the device was already opened, you maybe could have issued cryptsetup close someAlias first.

          – PerlDuck
          Mar 14 at 21:19


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1125246%2fhow-to-remove-an-unknown-key-from-luks-with-cryptsetup%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          數位音樂下載

          When can things happen in Etherscan, such as the picture below?

          格利澤436b