cryptsetup-luksConvertKey - Linux


cryptsetup-luksConvertKey is a command-line tool that converts a LUKS (Linux Unified Key Setup) encrypted partition from one passphrase to another. It allows users to change the encryption key used to access the partition without losing data.


cryptsetup-luksConvertKey [-d] [-DKRYPT_KEY] [-L LIST] <device> <new_passphrase>


  • -d: Dry run mode. This option validates the conversion without actually performing it.
  • -DKRYPT_KEY: Specify the current passphrase or keyfile.
  • -L LIST: Lists available LUKS headers on the device.


Simple passphrase conversion:

cryptsetup-luksConvertKey /dev/sda2 "new_passphrase"

Complex passphrase conversion with a keyfile:

cryptsetup-luksConvertKey -DKRYPT_KEY=keyfile.bin /dev/sda2 "new_passphrase"

Dry run mode:

cryptsetup-luksConvertKey -d /dev/sda2 "new_passphrase"

Common Issues

  • Incorrect passphrase: Ensure the current passphrase is correct or provide the correct keyfile.
  • LUKS header not found: Make sure the device specified has a valid LUKS header.


Use with other commands:

  • cryptsetup: Perform other LUKS-related operations, such as opening, closing, or changing the LUKS header.
  • fdisk: View or modify partition tables.


Convert LUKS keys programmatically by incorporating cryptsetup-luksConvertKey into shell scripts.
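
Added example (not from the original page or the cryptsetup project) for the scripted use mentioned above, assuming upstream cryptsetup 2.x, where the action is run as `cryptsetup luksConvertKey <device>` and rewrites an existing LUKS2 keyslot with new PBKDF settings. It reads `cryptsetup luksDump` text, finds keyslots still on PBKDF2, and prints the conversion command for each; the dump text, the function names and the choice of argon2id as target are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated `cryptsetup luksDump` text for a LUKS2 header.
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots area:  16744448 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
  3: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Print the numbers of keyslots whose PBKDF is pbkdf2 (luksDump text on stdin).
# Only the "Keyslots:" section counts: "Digests:" also lists pbkdf2 entries.
pbkdf2_keyslots() {
  awk '
    /^[^ \t]/ { in_ks = ($0 ~ /^Keyslots:/); next }   # column-0 line starts a section
    in_ks && /^[ \t]+[0-9]+: / { slot = $1; sub(/:/, "", slot); next }
    in_ks && $1 == "PBKDF:" && $2 == "pbkdf2" { print slot }
  '
}

# Print (do not run) one conversion command per PBKDF2 keyslot; $1 = device.
# cryptsetup prompts for that slot's passphrase when the command is run.
emit_convert_cmds() {
  pbkdf2_keyslots | while read -r slot; do
    printf 'cryptsetup luksConvertKey --key-slot %s --pbkdf argon2id %s\n' "$slot" "$1"
  done
}

sample_dump | emit_convert_cmds /dev/sda2
```

On a real system the input would come from `cryptsetup luksDump /dev/sda2`, and a header backup taken with `cryptsetup luksHeaderBackup` before converting keeps a way back if a keyslot is damaged.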

Related Commands

  • luks-change-key: Alternative tool for changing LUKS encryption keys.
  • LUKS1: Older encryption format supported by cryptsetup.