Skip to content

Instantly share code, notes, and snippets.

Forked from kravietz/
Last active April 29, 2024 02:11
Show Gist options
  • Save Edu4rdSHL/8f97eb1bab454fb2b348f1167cee7cd2 to your computer and use it in GitHub Desktop.
Save Edu4rdSHL/8f97eb1bab454fb2b348f1167cee7cd2 to your computer and use it in GitHub Desktop.
Ubuntu LUKS cryptsetup upgrade

If you installed your #ubuntu with full-disk #encryption a while, you may want to upgrade your #luks header version to enjoy improved #security and stronger password hashing algorithms.

Boot from USB

You can't change LUKS header from a live system - you need to boot a live Ubuntu USB to be able to access the encrypted partition. First, create a bootable USB stick using a regular Ubuntu installer image.

  • Just get the latest installer ISO available
  • You need the full installer, the mini network installer won't work
  • You may need to disable Secure Boot in BIOS temporarily to boot from USB

After booting run lsblk as root and you'll see a number of partitions on your built-in hard drive, usually sda. In default Ubuntu setup the encrypted one will be the largest and it usually will be sda3.

Upgrade LUKS

Check what version of LUKS header you have:

cryptsetup luksDump /dev/sda3

If it's Version: 2 just sit back and relax. If it's Version: 1 then you want to upgrade. But not without a backup:

cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file backup.dat

Now the actual conversion - you need to confirm, and then it's quick and easy:

cryptsetup convert /dev/sda3 --type luks2

Just make sure you've got Version: 2 afterwards:

cryptsetup luksDump /dev/sda3

Now, why not change your full-disk encryption passphrase using a stronger hash:

cryptsetup luksChangeKey /dev/sda3 --pbkdf argon2id

Again, check what we got - you should see PBKDF: argon2id:

cryptsetup luksDump /dev/sda3

Just double check if everything is fine (it will not mount anything):

cryptsetup open /dev/sda3 /mnt --test-passphrase

If yes, get rid of the previously created backup (even if it's just a ramdisk):

shred backup.dat

And reboot!

Copy link

Thanks for preserving this, very useful!

Copy link

plz add a space for cryptsetupluksChangeKey

Copy link


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment