How do I re-encrypt my EOS partition? (LUKS)

I used the Calamares installer to encrypt my entire system+swap with hibernation. However, I am dissatisfied with the defaults of the Calamares installer and I need to change the password. With LUKS2, there is a newly introduced re-encrypt function which allows the user to change any settings they wish and re-encrypt the drive while it is running. For some reason, EOS uses LUKS2 even with the warnings about compatibility with GRUB.

But anyway, I am having a problem with how to do this in general. First of all, I have a crypto_keyfile.bin file that (obviously from its name) is a key file that is made by Calamares. How do I point GRUB to this key file when I enter my password?

Additionally, there are several encrypted partitions, such as the main partition I use on the system, the encrypted bootloader, and the encrypted swap. How do I make sure that all of these are mounted upon entering the password, AND are mounted without having me to manually enter a password for mounting each partition, and only typing the password on startup?

In other words, how do I keep the convenience of simply entering the password at boot, and then having access instantly as Calamares made it, while changing the defaults? I just want to change the cipher, rounds of hashing, and password.

I’m sorry if this seems incoherent, but TL;DR: How do I re-encrypt my EOS system and not bork it?

We don’t use luks2 in the installer currently, although you can convert a volume to luks2 after the fact.

You don’t point grub to it. That keyfile is used to unlock all your luks encrypted devices once the keyfile itself is unlocked by grub.

That is all handled by the keyfile. As long as that keyfile is still attached to a slot on all your luks volumes, it should work fine.

I don’t think changing any of those requires re-encryption. As long as you don’t change the PBKDF I don’t think re-encryption is required. You should be able to change those even with luks1 since you can add a new key slot and remove the old one.


Like dalto wrote, you can change the luks password without re-encrypting. For once I find the arch wiki on the subject unsatisfactory. This guide will show you how to do it via the command line:

https://www.cyberciti.biz/security/how-to-change-luks-disk-encryption-passphrase-in-linux/

It may also be possible via the gnome-disks utility.


The gnome-disk utility showed random gibberish for the current password when I used it. I’ll mark the guide as the solution unless for some reason it doesn’t work.

Okay, but what would I point the cryptsetup command to for a device name? The main drive? I have an NVME naming system on my computer if that helps.

The luks partition. If you use `lsblk -o name,type,fstype,size` you should see it from the fstype field.

nvme0n1                                       disk              476.9G
├─nvme0n1p1                                   part  vfat         1000M
├─nvme0n1p2                                   part  crypto_LUKS 467.2G
│ └─luks-313cc9fc-b5fb-488a-85f4-94d9fc85506c crypt xfs         467.2G
└─nvme0n1p3                                   part  crypto_LUKS   8.8G
  └─luks-38df2a9d-d615-47d7-b3da-63ead849ac5c crypt swap          8.8G

I assume then that the arg should be nvme0n1p2 for my main disk and nvme0n1p3 for swap, yes? And I also have to link the crypto-keyfile where? And how do I ensure that I do not need to manually mount swap?

I’m sorry if this is causing too much of a headache for you, but I can’t risk data loss from a stupid command mistake.

Yes. More specifically, /dev/nvme0n1p2.

You add it to a slot on the luks volume but it should already be there. If all you are doing is changing things related to your passphrase it should be unaffected as long as you don’t remove it.

Try it with swap first.

Also, backup your data first.
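The advice above (find the crypto_LUKS partitions with lsblk, change only the passphrase slot, leave the keyfile slot alone, try swap first) as one added script. This is not code from the thread or from EndeavourOS; it assumes cryptsetup is installed, that it is run as root, and that the Calamares keyfile lives at a path you pass in as the second argument (the thread names the file crypto_keyfile.bin but not its location, so the path here is a placeholder).

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces:
#  1. luks_partitions  - pure text filter over `lsblk -o name,type,fstype,size`
#                        output, prints /dev/... for every crypto_LUKS partition.
#  2. rotate_passphrase - adds a new passphrase slot, verifies it, removes the
#                         old one, then verifies the keyfile slot still opens.

# Read lsblk output on stdin; print device paths whose fstype column is
# crypto_LUKS. The tree-drawing prefix (├─ └─) is stripped from the name.
# LC_ALL=C makes awk treat the multibyte tree characters as plain bytes.
luks_partitions() {
    LC_ALL=C awk '$3 == "crypto_LUKS" {
        name = $1
        sub(/^[^A-Za-z0-9]+/, "", name)   # drop tree characters
        print "/dev/" name
    }'
}

# The lsblk listing posted in the thread, embedded here so the filter can be
# exercised without a real disk.
SAMPLE_LSBLK='nvme0n1                                       disk              476.9G
├─nvme0n1p1                                   part  vfat         1000M
├─nvme0n1p2                                   part  crypto_LUKS 467.2G
│ └─luks-313cc9fc-b5fb-488a-85f4-94d9fc85506c crypt xfs         467.2G
└─nvme0n1p3                                   part  crypto_LUKS   8.8G
  └─luks-38df2a9d-d615-47d7-b3da-63ead849ac5c crypt swap          8.8G'

# Rotate the passphrase on one LUKS device without touching any other slot.
#   $1 = device, e.g. /dev/nvme0n1p3 (swap first, as dalto suggests)
#   $2 = path to the Calamares keyfile (placeholder, not stated in the thread)
# Needs root and cryptsetup; every step prompts interactively.
rotate_passphrase() {
    dev="$1"
    keyfile="$2"

    echo "== key slots before the change =="
    cryptsetup luksDump "$dev"

    # luksAddKey asks for an EXISTING passphrase, then the NEW one, and writes
    # the new passphrase into a free slot. Nothing is removed yet.
    cryptsetup luksAddKey "$dev" || return 1

    # Prove the new passphrase unlocks the header before removing anything.
    echo "== enter the NEW passphrase to verify it =="
    cryptsetup open --test-passphrase "$dev" || return 1

    # luksRemoveKey asks for a passphrase and removes only the slot that
    # passphrase unlocks, so type the OLD one here.
    echo "== enter the OLD passphrase to remove its slot =="
    cryptsetup luksRemoveKey "$dev" || return 1

    # The keyfile slot must still be present, or boot will prompt for every
    # volume again. --test-passphrase never maps the device.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev" \
        && echo "keyfile slot still unlocks $dev"

    echo "== key slots after the change =="
    cryptsetup luksDump "$dev"
}

# Typical use (run manually, after a backup):
#   lsblk -o name,type,fstype,size | luks_partitions
#   rotate_passphrase /dev/nvme0n1p3 /path/to/crypto_keyfile.bin
```

The order matters: add the new slot, prove it opens the header, and only then remove the old slot, so there is never a moment where no working passphrase exists. `--test-passphrase` checks a slot without mapping the device, which is what makes it safe to run against the live root volume. `luksChangeKey` collapses the add/remove into one command; the explicit form above leaves a visible verification step in between.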

It worked with my swap without getting rid of the keyfile (I decided to just change the key for now with luksChangeKeys). Hope it works for the main device now.

It worked. Marking as solution.

