cryptsetup-luksAddKey - Linux


cryptsetup-luksAddKey is a command used to add an additional passphrase or keyfile to an existing LUKS (Linux Unified Key Setup) encrypted device. This enhances the security of the encrypted device by requiring multiple authentication factors for unlocking.


cryptsetup luksAddKey <device>


  • -d, –devicename : Specify the name of the device to add the key to.
  • -k, –key-file : Path to the keyfile containing the passphrase.
  • -p, –passphrase : The passphrase used to unlock the device.
  • -s, –size : Size of the key in bits (default: 256).
  • -t, –type : Type of key to add (default: passphrase). Valid options are:
    • passphrase
    • keyfile
  • -h, –help: Display help information.


Add a passphrase to an encrypted device:

cryptsetup luksAddKey /dev/sda1

Add a keyfile to an encrypted device:

cryptsetup luksAddKey /dev/sda1 -t keyfile -k mykeyfile.bin

Add a passphrase and a keyfile to an encrypted device:

cryptsetup luksAddKey /dev/sda1 -k mykeyfile.bin -p mypassphrase

Common Issues

  • Error: Device is not a LUKS device.
    • Make sure the device you are trying to add the key to is a LUKS-encrypted device.
  • Error: Incorrect passphrase.
    • Verify that the passphrase or keyfile provided is correct.
  • Error: Key size must be multiple of 8 bits.
    • Specify a key size that is a multiple of 8 bits, such as 128, 256, or 512.


cryptsetup-luksAddKey can be combined with other commands to enhance security or automate tasks. For example:

  • Integration with Systemd: Create a systemd unit to automatically unlock a LUKS-encrypted device at boot using a keyfile:
Description=Unlock LUKS device /dev/sda1 with keyfile

ExecStart=/usr/bin/cryptsetup luksOpen /dev/sda1 mykeyfile.bin
ExecStop=/usr/bin/cryptsetup luksClose /dev/sda1


Related Commands

  • cryptsetup: Main command for managing LUKS-encrypted devices.
  • cryptsetup-luksFormat: Create a new LUKS-encrypted device.
  • cryptsetup-luksOpen: Unlock a LUKS-encrypted device.
  • cryptsetup-luksClose: Lock a LUKS-encrypted device.