cryptsetup-luksChangeKey - Linux


cryptsetup-luksChangeKey is a utility used to change the passphrase or key of an encrypted LUKS (Linux Unified Key Setup) device. It provides a secure and convenient method to update the encryption key without compromising the integrity of the data on the device.


cryptsetup-luksChangeKey [options/flags] <device> [--new-passphrase] <passphrase> [--new-key-file] <keyfile>


  • -v, –verbose: Enable verbose output with more detailed information about the process.
  • -f, –force: Force the key change without prompting for confirmation.
  • -s, –skip-verify: Skip passphrase verification during key change.
  • -h, –help: Display the command’s help menu.
  • –new-passphrase: Specify a new passphrase to use as the encryption key.
  • –new-key-file: Specify a file containing the new encryption key.


Simple Key Change Using Passphrase

cryptsetup-luksChangeKey /dev/sda2 --new-passphrase --new-passphrase

Key Change Using Key File

cryptsetup-luksChangeKey /dev/sda3 --new-key-file /path/to/newKeyFile

Common Issues

  • Incorrect passphrase: Ensure that the passphrase entered for the existing key is correct.
  • Invalid key file: Check that the specified key file exists and contains valid key data.
  • Key change failed: The key change may fail due to insufficient permissions or a corrupted device. Verify access rights and try again.


cryptsetup-luksChangeKey can be integrated into scripts to automate key management tasks. For example, it can be used to periodically change keys based on a defined schedule.

Related Commands

  • cryptsetup: Primary utility for managing and manipulating LUKS devices.
  • dd: Can be used to write key data to and from key files.
  • gpg: Can be used to encrypt key files for added security.