[dm-crypt] password recovery for a luksOpened device?

Milan Broz mbroz at redhat.com
Wed Nov 2 08:23:33 CET 2011

On 11/02/2011 04:14 AM, mike dentifrice wrote:
> Or do I necessarily have to jump towards the "How do I recover the
> master key from a mapped LUKS container?" FAQ entry?

You can run that script mentioned there (it will generate master-key-file
from active mapping).

And then (instead of format) just run

cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>

and add new arbitrary passphrase.

(If cryptsetup there doesn't support this option, you can do it on LUKS
header clone outside of server and copy it back with new keyslot.)

Without using dictionary or brute force attack you cannot recover original
passphrase though.

In any case, save "dmsetup table --showkeys" output, it will allow to map
device even if you destroy LUKS header.


More information about the dm-crypt mailing list