Sometimes you only need to change the passphrase that unlocks a LUKS volume. Other times, a policy or security incident may require a new backup key slot, a new volume key, or a full reencrypt with a different cipher. Pick the scenario section that matches your goal—each walkthrough starts from the same inspect-and-backup steps.
This guide uses an existing LUKS2 data volume—/dev/sdc1, mapper secure_data, mount /mnt/secure-data—from encrypt a disk partition with LUKS. Replace those names with your partition and mapper from lsblk.
| If you need… | Go to… |
|---|---|
| Command reference without the walkthrough | cryptsetup cheat sheet |
| Header backup details | LUKS header backup and restore |
| Grow or shrink the encrypted area | Resize a LUKS partition |
| TPM2, FIDO2, or recovery keys | systemd-cryptenroll on LUKS2 |
Tested on: Ubuntu 26.04 LTS (Resolute Raccoon); kernel 7.0.0-27-generic; cryptsetup 2.8.4.
Passphrase, volume key, and cipher
Your passphrase does not encrypt files directly. It unlocks the volume key (master key)—a random key stored in the LUKS header through key slots. That volume key is what actually encrypts and decrypts disk blocks. Changing a passphrase only re-wraps the same volume key; cryptsetup reencrypt generates a new volume key and rewrites the encrypted data.
| What you change | Stored where | Command | Reencrypts file data? |
|---|---|---|---|
| Passphrase or key file in a slot | LUKS header key slots | luksAddKey, luksChangeKey, luksRemoveKey |
No |
| Volume key (master key) | Internal; wrapped by each slot | cryptsetup reencrypt |
Yes |
| Symmetric cipher (for example AES-XTS) | LUKS header + payload | cryptsetup reencrypt --cipher |
Yes |
If a passphrase was exposed, remove or change that passphrase in Change or add a passphrase before you finish Reencrypt the volume key or cipher. Otherwise the old passphrase may still unlock the new volume key after reencryption, because active key slots are what protect access to the volume key.
Before you change anything
Run these two steps before slot changes or reencrypt, no matter which scenario you follow. On Ubuntu or Debian, install cryptsetup with apt command if the binary is missing (sudo apt install cryptsetup). Every cryptsetup example below assumes sudo command on a privileged shell.
Inspect the LUKS volume
Confirm the LUKS version and note the cipher. LUKS2 supports the safer integrated reencrypt workflow used in this guide, including online reencryption when a mapping is active. LUKS1 reencryption is more limited: it must be offline, uses temporary files, and carries higher failure risk—see LUKS1 and old cryptsetup.
sudo cryptsetup luksDump /dev/sdc1 | grep -Ei 'Version|cipher'Sample output:
Version: 2
cipher: aes-xts-plain64List active key slots when you plan to add, change, or remove passphrases:
sudo cryptsetup luksDump /dev/sdc1 | sed -n '/Keyslots:/,/Tokens:/p'Sample output (trimmed):
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
...
1: luks2
Key: 512 bits
...Back up the header
Make two backups: a LUKS header backup and a normal backup of the files you care about. Header backup preserves LUKS metadata and slots—it does not replace a filesystem backup of decrypted content.
sudo cryptsetup luksHeaderBackup --header-backup-file /root/sdc1-luks-header.bin /dev/sdc1
ls -la /root/sdc1-luks-header.binSample output:
-r-------- 1 root root 16777216 Jul 4 23:11 /root/sdc1-luks-header.binStore the file offline with mode 600. Treat this file like a secret. A header backup plus a passphrase that was valid when the backup was created can still be used to unlock the encrypted data later—even after that passphrase is changed or removed from the live header.
Change or add a passphrase
Use this section when you need a new passphrase, an extra backup key slot, or to remove a compromised key. Slot commands do not reencrypt your files—they only change which passphrase unlocks the same volume key.
| Task | Command |
|---|---|
| Add backup passphrase | sudo cryptsetup luksAddKey /dev/sdc1 |
| Add key file to slot 2 | sudo cryptsetup luksAddKey -S 2 /dev/sdc1 /path/to/keyfile |
| Change passphrase in a slot | sudo cryptsetup luksChangeKey /dev/sdc1 |
| Remove a key | sudo cryptsetup luksRemoveKey /dev/sdc1 |
| Wipe slot by number | sudo cryptsetup luksKillSlot /dev/sdc1 1 |
Always leave at least one working slot before luksKillSlot. Clevis, Tang, and systemd-cryptenroll bindings also consume slots—network unlock with Clevis is covered in network-bound disk encryption with Tang and Clevis.
Test a passphrase without opening the volume
sudo cryptsetup open --test-passphrase /dev/sdc1Silent exit with status 0 means the passphrase matches an active slot.
When passphrase rotation is all you needed, stop here—you do not need the reencrypt section below.
Reencrypt the volume key or cipher
Use this section when policy or compliance requires a new volume key or a different cipher on a populated LUKS2 volume. On cryptsetup 2.x, reencrypt runs on the partition device (/dev/sdc1), not on /dev/mapper/secure_data.
luksFormat on a partition that already holds data when cryptsetup reencrypt is available. luksFormat destroys access to any existing filesystem on the partition by writing a new LUKS header. On LUKS2 with data you care about, use cryptsetup reencrypt instead.
Online or offline reencrypt
On LUKS2, cryptsetup picks the mode from whether a dm-crypt mapping is active on /dev/sdc1:
| State | Mode | What to do before reencrypt |
|---|---|---|
Mapper open (/dev/mapper/secure_data exists) |
Online reencrypt | Leave the mapper open; filesystem may stay mounted |
| Mapper closed | Offline reencrypt | umount and cryptsetup close first |
LUKS1 reencryption must stay offline with no mounted filesystem—see LUKS1 and old cryptsetup.
Offline reencrypt (mapper closed)
When you can take downtime, unmount and close the mapper first:
sudo umount /mnt/secure-data
sudo cryptsetup close secure_dataConfirm nothing is still using the mapper:
lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/sdcSample output:
NAME SIZE TYPE FSTYPE MOUNTPOINT
sdc 5G disk
└─sdc1 5G part crypto_LUKSNo secure_data line should appear under sdc1 while the volume is closed.
Online reencrypt (mapper open)
If secure_data is already open, skip unmount and close—cryptsetup detects the active mapping and uses online reencrypt.
lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/sdcSample output (mapper open and mounted):
NAME SIZE TYPE FSTYPE MOUNTPOINT
sdc 5G disk
└─sdc1 5G part crypto_LUKS
└─secure_data 5G crypt ext4 /mnt/secure-datacryptsetup status confirms the mapping:
sudo cryptsetup status secure_dataSample output (trimmed):
/dev/mapper/secure_data is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
device: /dev/sdc1To force offline reencrypt on LUKS2 even when a mapping exists, add --force-offline-reencrypt when you run reencrypt (close the mapper first unless you accept the documented restrictions).
Run reencrypt
sudo cryptsetup reencrypt /dev/sdc1Enter the requested passphrase or passphrases. If the volume has multiple active key slots and you do not use --key-file, cryptsetup may ask for each active slot so it can preserve them after reencryption.
Sample output when reencrypt completes (progress lines omitted):
Finished, time 00m47s, 4 GiB written, speed 106.9 MiB/sTo set cipher explicitly:
sudo cryptsetup reencrypt --cipher aes-xts-plain64 /dev/sdc1Useful flags:
| Flag | Purpose |
|---|---|
--init-only |
Write reencrypt metadata without moving data yet |
--resume-only |
Continue after --init-only or interruption |
--reduce-device-size |
Shrink encrypted area before partition shrink |
--force-offline-reencrypt |
LUKS2: skip auto online detection |
If reencrypt stops mid-run (power loss, full disk, Ctrl+C), fix the underlying issue and resume:
sudo cryptsetup reencrypt --resume-only /dev/sdc1When more than one key slot is active and you use --key-file, specify --key-slot N. Be careful: in reencryption mode, using --key-slot preserves only the selected slot for the new volume key and can remove the other slots after reencryption. If you want to preserve multiple passphrases, avoid --key-file and enter the requested slot passphrases interactively.
Treat online reencrypt as planned maintenance: make sure you have a verified backup, stable power, and a maintenance window. Avoid unnecessary writes to the mounted filesystem while reencryption is running.
Verify after reencrypt
After offline reencrypt, reopen and mount before you check files. For crypttab and boot-time unlock after you change passphrases, see auto mount LUKS at boot.
sudo cryptsetup open /dev/sdc1 secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-dataAfter online reencrypt, skip open and mount if the volume stayed mounted—run the checks below directly.
sudo cryptsetup luksDump /dev/sdc1 | grep cipher
cat /mnt/secure-data/check.txtSample output:
cipher: aes-xts-plain64If your files are present and luksDump shows the expected header details, the volume is usable after reencryption. When you only rotate the volume key, the cipher line may look unchanged; the successful cryptsetup reencrypt completion is the important signal.
When not to tweak cipher defaults
Modern LUKS2 defaults are already sensible for most systems: AES-XTS for the data cipher, a 512-bit XTS key on common distributions, and Argon2id for LUKS2 passphrase stretching. The encryption sector size is selected from the underlying device, so it may be 512 or 4096 bytes depending on the disk. The Ubuntu installer and cryptsetup luksFormat pick these without extra flags on a fresh volume too.
Swapping cipher because it “sounds stronger” rarely improves real-world security. A weak passphrase, a leaked key file, or a missing header backup is a far bigger risk than sticking with AES-XTS. Full reencrypt also takes downtime, stresses the disk, and can fail mid-run if power or space runs out—reserve it for cases that actually require a different algorithm or key size.
| Situation | Sensible action |
|---|---|
| Routine key hygiene | Change or add a passphrase plus header backup |
| Passphrase may have leaked | New slot + remove old slot, or luksChangeKey; then reencrypt if policy also requires a new volume key |
| Compliance mandates a specific cipher | Reencrypt the volume key or cipher with --cipher after backup and a maintenance window |
| Curiosity or blog-post FUD | Leave defaults; invest in passphrase quality and backups instead |
| Very old LUKS1 volume on legacy hardware | Plan migration to LUKS2 rather than exotic cipher tweaks on LUKS1 |
If policy only asks you to “rotate encryption keys” after an incident, clarify whether that means passphrase slots or volume-key reencrypt. Many audits are satisfied with slot rotation plus proof of header backup—without rewriting every encrypted block on disk.
LUKS1 and old cryptsetup
Use this section when the volume is LUKS1, when you need the higher-risk LUKS1 offline reencrypt path, when cryptsetup reencrypt is unavailable on a very old release, or when the partition is empty and you are laying down encryption from scratch.
luksFormat destroys access to any existing filesystem on the partition by writing a new LUKS header. Treat it as destructive and back up first. If you have LUKS2 with data on the volume, use cryptsetup reencrypt instead—not this section.
LUKS1 cryptsetup reencrypt must run offline: the device cannot have an active dm-crypt mapping or mounted filesystem, the current working directory must be writable, and temporary files created during reencryption must remain available. The LUKS1 reencryption code is not resistant to hardware or kernel failures mid-run—you can lose data if power fails during the operation. When you can migrate to LUKS2 instead, that is usually the safer long-term fix.
Back up decrypted data
With the volume open, copy files to another disk or directory before you touch the LUKS header. The rsync command example below uses -aXv to preserve permissions and extended attributes; tar command or cp -a work for smaller trees.
sudo mount /dev/mapper/secure_data /mnt/secure-data
sudo rsync -aXv /mnt/secure-data/ /backup/secure-data/
ls -la /backup/secure-data/Confirm the backup is readable before you continue.
Close the mapper and lay down new LUKS
Unmount, close the mapper, then run luksFormat on the partition—not on /dev/mapper/secure_data. Prefer LUKS2 unless the target system cannot read it:
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data
sudo cryptsetup luksFormat --type luks2 /dev/sdc1Type YES when prompted, then enter a new passphrase twice. For LUKS1-only targets, use --type luks1 instead of luks2. Only add --cipher and --key-size when a policy explicitly requires specific encryption parameters. The encrypt partition guide linked at the top of this page walks through luksFormat on a new volume.
Open, create the filesystem, and restore
Create ext4 on the mapper (same pattern as a new encrypted volume), mount it, and copy your backup back:
sudo cryptsetup open /dev/sdc1 secure_data
sudo mkfs.ext4 -L secure-data /dev/mapper/secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data
sudo rsync -aXv /backup/secure-data/ /mnt/secure-data/
ls -la /mnt/secure-data/Run mkfs only when you used luksFormat and need a new filesystem. If you used LUKS1 offline reencrypt below and kept the existing filesystem inside the encrypted area, skip mkfs and mount after open.
LUKS1 offline reencrypt (keep LUKS1)
When you must stay on LUKS1, run reencrypt on the partition (/dev/sdc1) with the mapper closed—never on /dev/mapper/secure_data. Confirm the header version first:
sudo cryptsetup luksDump /dev/sdc1 | grep VersionSample output:
Version: 1Unmount, close the mapper, and run reencrypt from a persistent writable directory—not /tmp. LUKS1 reencryption creates temporary files in the current working directory; if the operation is interrupted, those files may be needed to resume.
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data
sudo mkdir -p /root/luks1-reencrypt-work
cd /root/luks1-reencrypt-work
sudo cryptsetup reencrypt /dev/sdc1Enter the slot passphrase when prompted. To change cipher at the same time, add --cipher:
sudo cryptsetup reencrypt --cipher aes-xts-plain64 /dev/sdc1On LUKS1, --write-log updates the reencrypt log after every block and slows the run but limits data loss if the system crashes mid-operation. If reencrypt stops, fix the underlying issue and resume:
sudo cryptsetup reencrypt --resume-only /dev/sdc1When reencrypt finishes, reopen and mount—the existing filesystem inside the encrypted area is preserved; do not run mkfs:
sudo cryptsetup open /dev/sdc1 secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data
cat /mnt/secure-data/check.txtSample completion line (timing varies by disk size):
Finished, time 00m09s, 2040 MiB written, speed 221.5 MiB/sTroubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
No key available with this passphrase |
No slot matches | luksDump; try another backup key or a recovery key from systemd-cryptenroll |
Key file ... only with --key-slot |
You used --key-file while multiple key slots are active |
Specify --key-slot N, or avoid --key-file and enter passphrases interactively if you want to preserve multiple slots |
Device reencryption not in progress |
No init or already finished | Run reencrypt without --resume-only, or use --init-only first |
Device is not a valid LUKS device |
Wrong device or LUKS1 mismatch | Confirm with luksDump; LUKS1 may need LUKS1 and old cryptsetup |
| Reencrypt interrupted | Power loss or full disk | cryptsetup reencrypt --resume-only /dev/sdc1 after fixing space/power; on LUKS1, run from the same persistent working directory that still contains the temporary reencryption files |
| Only one slot left and policy needs two | Clevis or enroll consumed slots | luksAddKey before luksKillSlot |
References
- cryptsetup-reencrypt(8)
- cryptsetup FAQ — reencryption
- cryptsetup(8)
- Ubuntu man page: cryptsetup-reencrypt(8)
Summary
Inspect and back up the header first, then follow the scenario that matches your goal: Change or add a passphrase for slot rotation only, or Reencrypt the volume key or cipher on LUKS2 when you need a new volume key or cipher. Use LUKS1 and old cryptsetup for LUKS1, high-risk LUKS1 reencrypt, or empty volumes.

