Change Passphrase Key for LUKS Encryption

Cockpit administrators can use the Storage page in the web console to change the LUKS passphrase key.

What Do You Need?

  • The Cockpit web console must be installed and accessible.

    For details, see these topics: Install and Enable Cockpit and Log in to the Cockpit Web Console.

  • The cockpit-storaged package must be installed.

    Note:

    If the cockpit-storaged package isn't installed, see Install and Manage Add-on Applications.
  • An unmounted LUKS1 formatted file system.

    Important:

    With the LUKS2 format, you can re-encrypt encrypted devices (change the encryption key or algorithm) while the devices are in use. The LUKS1 format doesn't provide online re-encryption, so devices encrypted with the LUKS1 format might require you to unmount the file system to apply encryption property changes.
  • Administrator privileges.

Steps

Using the Cockpit web console, follow these steps to change the LUKS primary or slot passphrases assigned to an encrypted partition or logical volume on the host.

  1. In the Storage page, select a drive from the Drives table.

  2. In the Storage [model name] page, navigate to the Partitions table.
  3. In the Partitions table, find the row with the encrypted partition or volume and then click the down arrow icon to expand the table information.

    An Encryption tab appears.

  4. Click the Encryption tab and configure the applicable passphrase properties as needed.
    Stored passphrase: Click the Edit link to change the LUKS primary encryption passphrase.

    Keys - passphrase:

    Important:

    For information about configuring Tang server keys, see Unlock Encrypted Devices Using Tang Server Key.

    LUKS lets users configure multiple passphrase keys, one per slot (up to 8 slots). Any one of the configured keys can open the encrypted partition.

    Note:

    LUKS encryption passphrases are stored in slots in the header of the partition.

    Click the Edit icon to change an existing encryption passphrase that's assigned to a specific slot #.

    -OR-

    Click the plus [+] icon to add a new storage slot and assign a passphrase.

    -OR-

    Click the minus [-] icon to remove a passphrase storage slot configuration.
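
Because any enabled slot can open the partition, it is worth confirming which slots are still active after changing or removing a passphrase. The following Python is an added example, not part of the original documentation or of Cockpit: it reads the eight key slot entries from a LUKS1 header using the field layout and state markers of the LUKS1 on-disk format, and runs against a constructed sample header (the function names and sample values are assumptions for illustration).

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3   # state markers from the LUKS1 on-disk format
SLOT_DISABLED = 0x0000DEAD
# magic, version, cipher name, cipher mode, hash spec, payload offset,
# key bytes, MK digest, MK salt, MK iterations, UUID (big-endian, 208 bytes)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# state, PBKDF2 iterations, salt, key material offset, AF stripes (48 bytes)
SLOT = struct.Struct(">II32sII")
NUM_SLOTS = 8


def read_key_slots(header: bytes) -> dict:
    """Return {slot number: 'enabled' | 'disabled'} for a LUKS1 header."""
    if len(header) < PHDR.size + NUM_SLOTS * SLOT.size:
        raise ValueError("header too short for LUKS1")
    magic, version = PHDR.unpack_from(header)[:2]
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError(f"LUKS version {version} is not handled here")
    slots = {}
    for n in range(NUM_SLOTS):
        state = SLOT.unpack_from(header, PHDR.size + n * SLOT.size)[0]
        if state == SLOT_ENABLED:
            slots[n] = "enabled"
        elif state == SLOT_DISABLED:
            slots[n] = "disabled"
        else:
            raise ValueError(f"slot {n}: unexpected state {state:#010x}")
    return slots


def build_sample_header(enabled: set) -> bytes:
    """Constructed LUKS1 header for the demo; contains no real key material."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                     4096, 64, bytes(20), bytes(32), 1000, b"constructed-sample-uuid")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if n in enabled else SLOT_DISABLED,
                  1000 if n in enabled else 0, bytes(32), 8 + n * 256, 4000)
        for n in range(NUM_SLOTS))
    return phdr + slots


if __name__ == "__main__":
    # Constructed case: slots 0 and 2 hold keys, all other slots are empty.
    for n, state in read_key_slots(build_sample_header({0, 2})).items():
        print(f"Key Slot {n}: {state}")
```

On a real system, the first 592 bytes of the LUKS1 device hold this header, and `cryptsetup luksDump` reports the same slot states.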