I tried the following

sudo cryptsetup luksChangekey /dev/nvme0n1p3 < new passphrase >

It then asks for the Sudo password, then asks for the old passphrase, but then it prints this error message

Failed to open key file.

what went wrong ?

Edit: turns out using GNOME Disks is way more straightforward.. 😅, thank you all

  • NoamParenti [they/them]
    ·
    4 months ago

    The correct syntax is cryptsetup luksChangeKey <device> <key file>. So what you tried is opening a file that is named like your new passphrase. Such a file of course (hopefully) doesn't exist.

    Just omit the last parameter, i.e. sudo cryptsetup luksChangekey /dev/nvme0n1p3 and enter the new password when it asks you to.

  • booooop [any]
    ·
    4 months ago

    What is the output if you run sudo cryptsetup --verbose open --test-passphrase /dev/nvme0n1p3?

    • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
      ·
      4 months ago

      It asks for the sudo password, then it prints

      No usable token is available.

      Then it asks : Enter passphrase for /dev/nvme0n1p3:

      After entering my old passphrase it prints:

      Key slot 0 unlocked
Command Successful.
      • booooop [any]
        ·
        4 months ago

        Alright so no permission issue, what if you run the changekey command in a separate bash subprocess? sudo bash -c '($your-changekey-command-here)'

        • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
          ·
          4 months ago

          Is it like the same first "cryptsetup luksChangekey..." But inside parentheses ? Im sure I'm getting the syntax wrong.. It prints

          bash: line 1: -luksChangekey: command not found
  • scsi@lemm.ee
    ·
    4 months ago

    Refer to the cryptsetup-luksChangeKey man page --key-file options, you cannot change the password directly on a commandline; you either (a) type it interactively, (b) put it in a keyfile, or (c) accept input from STDIN with the standard use of - on the end (e.g. echo "mypass" | cryptsetup luksChangeKey /dev/sda - )