I have a LUKS-encrypted Linux partition called /dev/vda2, protected by a passphrase, running on the AWS EC2 cloud. Over time, other developers have set and used other slots. I think they have 8 slots. How can I find which LUKS slot a passphrase is in on Linux?
If the device is called /dev/vda2, we run:
sudo cryptsetup luksDump /dev/DEVICE
sudo cryptsetup luksDump /dev/vda2
This should list all key slots in use.
How to find and verify which luks slot a passphrase is in on Linux
A little bit tricky but we can do it as follows:
sudo cryptsetup --verbose open --test-passphrase /dev/DEVICE
sudo cryptsetup --verbose open --test-passphrase /dev/vda3
The command will ask for the passphrase:
Enter passphrase for /dev/vda3:
Key slot 0 unlocked.
Command successful.
It will tell you the correct slot, without any guesswork on your part.
Finding which LUKS slot a passphrase/password is in on Linux server or laptop
However, the above command might not work on an older system/LUKS version. In that case, we can use:
# Use Bash && (AND list operator)
SLOT=2
DEV=/dev/sda1
sudo cryptsetup luksOpen --test-passphrase --key-slot "$SLOT" "$DEV" && echo "Correct key found in $SLOT for $DEV"
#
# Add || (OR list operator)
#
sudo cryptsetup open --test-passphrase \
  -S "$SLOT" "$DEV" \
  && echo "Correct key found in $SLOT for $DEV" \
  || echo "Key NOT found in $SLOT for $DEV"
So I get confirmation from CentOS 7 Linux server:
Enter passphrase for /dev/sda1:
Correct key found in 2 for /dev/sda1
I tested all commands on a CentOS/RHEL, Debian and Ubuntu Linux.
Options
- --test-passphrase : Do not activate device, just check
- --key-slot N : Slot number for new key (0 - 7 only)
- -S N : Same as --key-slot N option.
Try it out.
2 Likes
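The per-slot check above, wrapped in a loop, as an added example that is not part of the original post: it reads the passphrase once from stdin and tries it against slots 0 to 7. The function name find_luks_slot and the CRYPTSETUP override variable are assumptions of this example; it relies on cryptsetup's documented exit code 4 (wrong device) to stop early instead of reporting "not found".

```shell
#!/bin/sh
# Added example, not from the original post.
# CRYPTSETUP is an assumption of this example: set it to "sudo cryptsetup"
# when not running as root.
: "${CRYPTSETUP:=cryptsetup}"

# find_luks_slot DEVICE [LAST_SLOT]
# Reads one passphrase line from stdin, tests it against key slots
# 0..LAST_SLOT (default 7, the range given in the post) and prints the
# first slot that accepts it.
# Returns 0 if a slot matched, 1 if none did, 2 if the device is unusable.
# Interactive use: stty -echo; find_luks_slot /dev/vda2; stty echo
find_luks_slot() {
    dev=$1
    last=${2:-7}
    # Accept a final line without a trailing newline, reject empty input at EOF.
    IFS= read -r pass || [ -n "$pass" ] || return 1
    slot=0
    while [ "$slot" -le "$last" ]; do
        # printf is a builtin in bash and dash, so the passphrase is never an
        # argument of an external process; "--key-file -" makes cryptsetup
        # read it from stdin. Nothing is activated (--test-passphrase).
        if printf '%s' "$pass" |
            $CRYPTSETUP open --test-passphrase --key-slot "$slot" \
                --key-file - "$dev" >/dev/null 2>&1
        then
            rc=0
        else
            rc=$?
        fi
        case $rc in
            0) unset pass; echo "$slot"; return 0 ;;
            # Exit code 4 = wrong device specified: trying more slots is useless.
            4) unset pass; echo "cannot use device $dev" >&2; return 2 ;;
        esac
        # Any other code (bad passphrase, inactive slot): try the next slot.
        slot=$((slot + 1))
    done
    unset pass
    return 1
}
```

Each attempt runs the slot's key derivation, so a full pass over eight slots can take several seconds.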
worked perfectly