1 = cryptsetup-luksChangeKey(8)
3 :manmanual: Maintenance Commands
4 :mansource: cryptsetup {release-version}
5 :man-linkstyle: pass:[blue R < >]
11 cryptsetup-luksChangeKey - change an existing passphrase
15 *cryptsetup _luksChangeKey_ [<options>] <device> [<new key file>]*
19 Changes an existing passphrase. The passphrase to be changed must be
20 supplied interactively or via --key-file. The new passphrase can be
21 supplied interactively or in a file given as the positional argument.
23 If a key-slot is specified (via --key-slot), the passphrase for that
24 key-slot must be given and the new passphrase will overwrite the
25 specified key-slot. If no key-slot is specified and there is still a
26 free key-slot, then the new passphrase will be put into a free key-slot
27 before the key-slot containing the old passphrase is purged. If there is
28 no free key-slot, then the key-slot with the old passphrase is
31 *WARNING:* If a key-slot is overwritten, a media failure during this
32 operation can cause the overwrite to fail after the old passphrase has
33 been wiped and make the LUKS container inaccessible.
35 *NOTE:* some parameters are effective only if used with LUKS2 format
36 that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
37 algorithm is always the same for all keyslots.
39 *<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
40 --new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations,
41 --pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot,
42 --force-password, --hash, --header, --disable-locks, --type,
43 --keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
45 include::man/common_options.adoc[]
46 include::man/common_footer.adoc[]