Change LUKS Passphrase, Volume Key, and Cipher on Linux

Rotate LUKS passphrases and key slots, change cipher or volume key with cryptsetup reencrypt on LUKS2, and back up the header before destructive operations.

Published

Updated

Read time 12 min read

Reviewed byDeepak Prasad

Rotate LUKS passphrases and reencrypt a LUKS2 volume with cryptsetup

Sometimes you only need to change the passphrase that unlocks a LUKS volume. Other times, a policy or security incident may require a new backup key slot, a new volume key, or a full reencrypt with a different cipher. Pick the scenario section that matches your goal—each walkthrough starts from the same inspect-and-backup steps.

This guide uses an existing LUKS2 data volume—/dev/sdc1, mapper secure_data, mount /mnt/secure-data—from encrypt a disk partition with LUKS. Replace those names with your partition and mapper from lsblk.

IMPORTANT
This article covers rotating keys and reencrypting an existing LUKS2 volume—not creating encryption from scratch and not migrating an in-use root filesystem. For a new secondary data partition, use the encrypt walkthrough linked above; for root on LVM, see encrypt root with LUKS.
If you need… Go to…
Command reference without the walkthrough cryptsetup cheat sheet
Header backup details LUKS header backup and restore
Grow or shrink the encrypted area Resize a LUKS partition
TPM2, FIDO2, or recovery keys systemd-cryptenroll on LUKS2

Tested on: Ubuntu 26.04 LTS (Resolute Raccoon); kernel 7.0.0-27-generic; cryptsetup 2.8.4.


Passphrase, volume key, and cipher

Your passphrase does not encrypt files directly. It unlocks the volume key (master key)—a random key stored in the LUKS header through key slots. That volume key is what actually encrypts and decrypts disk blocks. Changing a passphrase only re-wraps the same volume key; cryptsetup reencrypt generates a new volume key and rewrites the encrypted data.

What you change Stored where Command Reencrypts file data?
Passphrase or key file in a slot LUKS header key slots luksAddKey, luksChangeKey, luksRemoveKey No
Volume key (master key) Internal; wrapped by each slot cryptsetup reencrypt Yes
Symmetric cipher (for example AES-XTS) LUKS header + payload cryptsetup reencrypt --cipher Yes

If a passphrase was exposed, remove or change that passphrase in Change or add a passphrase before you finish Reencrypt the volume key or cipher. Otherwise the old passphrase may still unlock the new volume key after reencryption, because active key slots are what protect access to the volume key.


Before you change anything

Run these two steps before slot changes or reencrypt, no matter which scenario you follow. On Ubuntu or Debian, install cryptsetup with apt command if the binary is missing (sudo apt install cryptsetup). Every cryptsetup example below assumes sudo command on a privileged shell.

Inspect the LUKS volume

Confirm the LUKS version and note the cipher. LUKS2 supports the safer integrated reencrypt workflow used in this guide, including online reencryption when a mapping is active. LUKS1 reencryption is more limited: it must be offline, uses temporary files, and carries higher failure risk—see LUKS1 and old cryptsetup.

bash
sudo cryptsetup luksDump /dev/sdc1 | grep -Ei 'Version|cipher'

Sample output:

text
Version:       	2
	cipher: aes-xts-plain64

List active key slots when you plan to add, change, or remove passphrases:

bash
sudo cryptsetup luksDump /dev/sdc1 | sed -n '/Keyslots:/,/Tokens:/p'

Sample output (trimmed):

text
Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	...
  1: luks2
	Key:        512 bits
	...

Back up the header

Make two backups: a LUKS header backup and a normal backup of the files you care about. Header backup preserves LUKS metadata and slots—it does not replace a filesystem backup of decrypted content.

bash
sudo cryptsetup luksHeaderBackup --header-backup-file /root/sdc1-luks-header.bin /dev/sdc1
ls -la /root/sdc1-luks-header.bin

Sample output:

text
-r-------- 1 root root 16777216 Jul  4 23:11 /root/sdc1-luks-header.bin

Store the file offline with mode 600. Treat this file like a secret. A header backup plus a passphrase that was valid when the backup was created can still be used to unlock the encrypted data later—even after that passphrase is changed or removed from the live header.


Change or add a passphrase

Use this section when you need a new passphrase, an extra backup key slot, or to remove a compromised key. Slot commands do not reencrypt your files—they only change which passphrase unlocks the same volume key.

Task Command
Add backup passphrase sudo cryptsetup luksAddKey /dev/sdc1
Add key file to slot 2 sudo cryptsetup luksAddKey -S 2 /dev/sdc1 /path/to/keyfile
Change passphrase in a slot sudo cryptsetup luksChangeKey /dev/sdc1
Remove a key sudo cryptsetup luksRemoveKey /dev/sdc1
Wipe slot by number sudo cryptsetup luksKillSlot /dev/sdc1 1

Always leave at least one working slot before luksKillSlot. Clevis, Tang, and systemd-cryptenroll bindings also consume slots—network unlock with Clevis is covered in network-bound disk encryption with Tang and Clevis.

Test a passphrase without opening the volume

bash
sudo cryptsetup open --test-passphrase /dev/sdc1

Silent exit with status 0 means the passphrase matches an active slot.

When passphrase rotation is all you needed, stop here—you do not need the reencrypt section below.


Reencrypt the volume key or cipher

Use this section when policy or compliance requires a new volume key or a different cipher on a populated LUKS2 volume. On cryptsetup 2.x, reencrypt runs on the partition device (/dev/sdc1), not on /dev/mapper/secure_data.

WARNING
Do not run luksFormat on a partition that already holds data when cryptsetup reencrypt is available. luksFormat destroys access to any existing filesystem on the partition by writing a new LUKS header. On LUKS2 with data you care about, use cryptsetup reencrypt instead.

Online or offline reencrypt

On LUKS2, cryptsetup picks the mode from whether a dm-crypt mapping is active on /dev/sdc1:

State Mode What to do before reencrypt
Mapper open (/dev/mapper/secure_data exists) Online reencrypt Leave the mapper open; filesystem may stay mounted
Mapper closed Offline reencrypt umount and cryptsetup close first

LUKS1 reencryption must stay offline with no mounted filesystem—see LUKS1 and old cryptsetup.

Offline reencrypt (mapper closed)

When you can take downtime, unmount and close the mapper first:

bash
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data

Confirm nothing is still using the mapper:

bash
lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/sdc

Sample output:

text
NAME   SIZE TYPE FSTYPE      MOUNTPOINT
sdc      5G disk
└─sdc1   5G part crypto_LUKS

No secure_data line should appear under sdc1 while the volume is closed.

Online reencrypt (mapper open)

If secure_data is already open, skip unmount and close—cryptsetup detects the active mapping and uses online reencrypt.

bash
lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/sdc

Sample output (mapper open and mounted):

text
NAME            SIZE TYPE  FSTYPE      MOUNTPOINT
sdc               5G disk              
└─sdc1            5G part  crypto_LUKS 
  └─secure_data   5G crypt ext4        /mnt/secure-data

cryptsetup status confirms the mapping:

bash
sudo cryptsetup status secure_data

Sample output (trimmed):

text
/dev/mapper/secure_data is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  device:  /dev/sdc1

To force offline reencrypt on LUKS2 even when a mapping exists, add --force-offline-reencrypt when you run reencrypt (close the mapper first unless you accept the documented restrictions).

Run reencrypt

bash
sudo cryptsetup reencrypt /dev/sdc1

Enter the requested passphrase or passphrases. If the volume has multiple active key slots and you do not use --key-file, cryptsetup may ask for each active slot so it can preserve them after reencryption.

Sample output when reencrypt completes (progress lines omitted):

text
Finished, time 00m47s,    4 GiB written, speed 106.9 MiB/s

To set cipher explicitly:

bash
sudo cryptsetup reencrypt --cipher aes-xts-plain64 /dev/sdc1

Useful flags:

Flag Purpose
--init-only Write reencrypt metadata without moving data yet
--resume-only Continue after --init-only or interruption
--reduce-device-size Shrink encrypted area before partition shrink
--force-offline-reencrypt LUKS2: skip auto online detection

If reencrypt stops mid-run (power loss, full disk, Ctrl+C), fix the underlying issue and resume:

bash
sudo cryptsetup reencrypt --resume-only /dev/sdc1

When more than one key slot is active and you use --key-file, specify --key-slot N. Be careful: in reencryption mode, using --key-slot preserves only the selected slot for the new volume key and can remove the other slots after reencryption. If you want to preserve multiple passphrases, avoid --key-file and enter the requested slot passphrases interactively.

Treat online reencrypt as planned maintenance: make sure you have a verified backup, stable power, and a maintenance window. Avoid unnecessary writes to the mounted filesystem while reencryption is running.

Verify after reencrypt

After offline reencrypt, reopen and mount before you check files. For crypttab and boot-time unlock after you change passphrases, see auto mount LUKS at boot.

bash
sudo cryptsetup open /dev/sdc1 secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data

After online reencrypt, skip open and mount if the volume stayed mounted—run the checks below directly.

bash
sudo cryptsetup luksDump /dev/sdc1 | grep cipher
cat /mnt/secure-data/check.txt

Sample output:

text
cipher: aes-xts-plain64

If your files are present and luksDump shows the expected header details, the volume is usable after reencryption. When you only rotate the volume key, the cipher line may look unchanged; the successful cryptsetup reencrypt completion is the important signal.


When not to tweak cipher defaults

Modern LUKS2 defaults are already sensible for most systems: AES-XTS for the data cipher, a 512-bit XTS key on common distributions, and Argon2id for LUKS2 passphrase stretching. The encryption sector size is selected from the underlying device, so it may be 512 or 4096 bytes depending on the disk. The Ubuntu installer and cryptsetup luksFormat pick these without extra flags on a fresh volume too.

Swapping cipher because it “sounds stronger” rarely improves real-world security. A weak passphrase, a leaked key file, or a missing header backup is a far bigger risk than sticking with AES-XTS. Full reencrypt also takes downtime, stresses the disk, and can fail mid-run if power or space runs out—reserve it for cases that actually require a different algorithm or key size.

Situation Sensible action
Routine key hygiene Change or add a passphrase plus header backup
Passphrase may have leaked New slot + remove old slot, or luksChangeKey; then reencrypt if policy also requires a new volume key
Compliance mandates a specific cipher Reencrypt the volume key or cipher with --cipher after backup and a maintenance window
Curiosity or blog-post FUD Leave defaults; invest in passphrase quality and backups instead
Very old LUKS1 volume on legacy hardware Plan migration to LUKS2 rather than exotic cipher tweaks on LUKS1

If policy only asks you to “rotate encryption keys” after an incident, clarify whether that means passphrase slots or volume-key reencrypt. Many audits are satisfied with slot rotation plus proof of header backup—without rewriting every encrypted block on disk.


LUKS1 and old cryptsetup

Use this section when the volume is LUKS1, when you need the higher-risk LUKS1 offline reencrypt path, when cryptsetup reencrypt is unavailable on a very old release, or when the partition is empty and you are laying down encryption from scratch.

WARNING
luksFormat destroys access to any existing filesystem on the partition by writing a new LUKS header. Treat it as destructive and back up first. If you have LUKS2 with data on the volume, use cryptsetup reencrypt instead—not this section.

LUKS1 cryptsetup reencrypt must run offline: the device cannot have an active dm-crypt mapping or mounted filesystem, the current working directory must be writable, and temporary files created during reencryption must remain available. The LUKS1 reencryption code is not resistant to hardware or kernel failures mid-run—you can lose data if power fails during the operation. When you can migrate to LUKS2 instead, that is usually the safer long-term fix.

Back up decrypted data

With the volume open, copy files to another disk or directory before you touch the LUKS header. The rsync command example below uses -aXv to preserve permissions and extended attributes; tar command or cp -a work for smaller trees.

bash
sudo mount /dev/mapper/secure_data /mnt/secure-data
sudo rsync -aXv /mnt/secure-data/ /backup/secure-data/
ls -la /backup/secure-data/

Confirm the backup is readable before you continue.

Close the mapper and lay down new LUKS

Unmount, close the mapper, then run luksFormat on the partition—not on /dev/mapper/secure_data. Prefer LUKS2 unless the target system cannot read it:

bash
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data
sudo cryptsetup luksFormat --type luks2 /dev/sdc1

Type YES when prompted, then enter a new passphrase twice. For LUKS1-only targets, use --type luks1 instead of luks2. Only add --cipher and --key-size when a policy explicitly requires specific encryption parameters. The encrypt partition guide linked at the top of this page walks through luksFormat on a new volume.

Open, create the filesystem, and restore

Create ext4 on the mapper (same pattern as a new encrypted volume), mount it, and copy your backup back:

bash
sudo cryptsetup open /dev/sdc1 secure_data
sudo mkfs.ext4 -L secure-data /dev/mapper/secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data
sudo rsync -aXv /backup/secure-data/ /mnt/secure-data/
ls -la /mnt/secure-data/

Run mkfs only when you used luksFormat and need a new filesystem. If you used LUKS1 offline reencrypt below and kept the existing filesystem inside the encrypted area, skip mkfs and mount after open.

LUKS1 offline reencrypt (keep LUKS1)

When you must stay on LUKS1, run reencrypt on the partition (/dev/sdc1) with the mapper closed—never on /dev/mapper/secure_data. Confirm the header version first:

bash
sudo cryptsetup luksDump /dev/sdc1 | grep Version

Sample output:

text
Version:       	1

Unmount, close the mapper, and run reencrypt from a persistent writable directory—not /tmp. LUKS1 reencryption creates temporary files in the current working directory; if the operation is interrupted, those files may be needed to resume.

bash
sudo umount /mnt/secure-data
sudo cryptsetup close secure_data
sudo mkdir -p /root/luks1-reencrypt-work
cd /root/luks1-reencrypt-work
sudo cryptsetup reencrypt /dev/sdc1

Enter the slot passphrase when prompted. To change cipher at the same time, add --cipher:

bash
sudo cryptsetup reencrypt --cipher aes-xts-plain64 /dev/sdc1

On LUKS1, --write-log updates the reencrypt log after every block and slows the run but limits data loss if the system crashes mid-operation. If reencrypt stops, fix the underlying issue and resume:

bash
sudo cryptsetup reencrypt --resume-only /dev/sdc1

When reencrypt finishes, reopen and mount—the existing filesystem inside the encrypted area is preserved; do not run mkfs:

bash
sudo cryptsetup open /dev/sdc1 secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-data
cat /mnt/secure-data/check.txt

Sample completion line (timing varies by disk size):

text
Finished, time 00m09s, 2040 MiB written, speed 221.5 MiB/s

Troubleshooting

Symptom Likely cause Fix
No key available with this passphrase No slot matches luksDump; try another backup key or a recovery key from systemd-cryptenroll
Key file ... only with --key-slot You used --key-file while multiple key slots are active Specify --key-slot N, or avoid --key-file and enter passphrases interactively if you want to preserve multiple slots
Device reencryption not in progress No init or already finished Run reencrypt without --resume-only, or use --init-only first
Device is not a valid LUKS device Wrong device or LUKS1 mismatch Confirm with luksDump; LUKS1 may need LUKS1 and old cryptsetup
Reencrypt interrupted Power loss or full disk cryptsetup reencrypt --resume-only /dev/sdc1 after fixing space/power; on LUKS1, run from the same persistent working directory that still contains the temporary reencryption files
Only one slot left and policy needs two Clevis or enroll consumed slots luksAddKey before luksKillSlot

References


Summary

Inspect and back up the header first, then follow the scenario that matches your goal: Change or add a passphrase for slot rotation only, or Reencrypt the volume key or cipher on LUKS2 when you need a new volume key or cipher. Use LUKS1 and old cryptsetup for LUKS1, high-risk LUKS1 reencrypt, or empty volumes.


Frequently Asked Questions

1. What is the difference between passphrase and volume key?

Passphrases live in key slots and wrap the volume key. Changing a passphrase with luksChangeKey keeps the volume key. cryptsetup reencrypt rotates the volume key and re-encrypts data.

2. Should I change the default AES-XTS cipher?

Usually no. Modern LUKS2 defaults are sound. Change cipher only for compliance requirements, and prefer cryptsetup reencrypt over luksFormat on a populated volume.

3. How many key slots can I use?

LUKS2 supports multiple slots (typically up to 32). Add backup passphrases with luksAddKey; remove compromised keys with luksRemoveKey or luksKillSlot. Export luksDump to see active slots.

4. Do I need a header backup before reencrypt?

Yes. Take luksHeaderBackup before any reencrypt or luksFormat. Header backup saves metadata and slots—not a substitute for filesystem backup of decrypted content.

5. Does this guide encrypt a new disk or migrate root?

No. This page assumes you already have a LUKS2 volume (for example /dev/sdc1 from the encrypt-partition walkthrough). For a new secondary data disk, use the encrypt guide; for root migration, use the LVM migration guide.
Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …