I would like to change my full disk encryption passphrase (to make it stronger). I’m kinda anxious - if something goes wrong then I won’t be able to get into my system again.
Can someone please verify whether the below steps I plan to carry out are correct?
Step 1. Get a list of disks and Partitions
sudo fdisk -l
Disk is /dev/nvme0n1
Partitions are
/dev/nvme0n1p1 EFI System
/dev/nvme0n1p2 Linux LVM
and a few /dev/mapper/…
Step 2. Find what is encrypted, disk or partition?
I went through the disk and partitions one by one until I found it.
sudo cryptsetup luksDump /dev/nvme0n1p2
Although /etc/crypttab points to a weird looking /dev/mapper/, when I try luksDump on this there is no encryption on it.
Step 3. Remove existing passphrase
sudo cryptsetup luksRemoveKey /dev/nvme0n1p2
Step 4. Add new passphrase
sudo cryptsetup luksAddKey /dev/nvme0n1p2
Step 5. Verify encryption
sudo cryptsetup luksDump /dev/nvme0n1p2
I noticed in Step 2 above only Slot 0 was used, i.e. only 1 passphrase.
Q. So if I add two passphrases (i.e. Slot 0 and Slot 1 enabled), does this mean at boot I will have to enter two passphrases?
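
An added example, not part of the original post: a rotation that adds the new passphrase and confirms it unlocks the volume before the old one is removed, so a working keyslot exists at every step. The function names, the backup-file argument and the sample luksDump text are constructed for illustration; the device path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example: add-verify-remove rotation of a LUKS passphrase.

# Count active keyslots in `cryptsetup luksDump` output read from stdin.
count_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }        # LUKS1 layout
        /^Keyslots:/ { in_ks = 1; next }           # LUKS2 section header
        /^[A-Za-z]/  { in_ks = 0 }                 # next unindented header ends it
        in_ks && /^ +[0-9]+: luks/ { n++ }         # LUKS2 slot entry
        END { print n + 0 }
    '
}

# Removing a key is only safe while another slot still unlocks the volume.
safe_to_remove_key() { [ "$1" -ge 2 ]; }

# Constructed sample: abbreviated LUKS2 luksDump output with one slot in use.
sample_luks2_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Usage (as root): rotate_passphrase /dev/nvme0n1p2 /path/to/header.img
rotate_passphrase() {
    rp_dev=$1; rp_backup=$2
    cryptsetup luksHeaderBackup "$rp_dev" --header-backup-file "$rp_backup" || return 1
    cryptsetup luksAddKey "$rp_dev" || return 1   # asks for existing, then new passphrase
    echo "Type the NEW passphrase to confirm it unlocks the volume:"
    cryptsetup open --test-passphrase "$rp_dev" || return 1
    rp_slots=$(cryptsetup luksDump "$rp_dev" | count_keyslots)
    safe_to_remove_key "$rp_slots" || { echo "only $rp_slots slot in use, not removing"; return 1; }
    cryptsetup luksRemoveKey "$rp_dev"            # asks for the OLD passphrase to delete
}
```

The header backup still contains the old keyslot, so the old passphrase keeps working against that file; keep it offline and destroy it once the new passphrase has survived a reboot.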