cryptsetup-luksRemoveKey - Linux


cryptsetup-luksRemoveKey is a command-line utility used to remove encryption keys (passphrases or key files) from Linux Unified Key Setup (LUKS) encrypted block devices. It enhances security by revoking access permissions for obsolete or compromised keys.


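cryptsetup luksRemoveKey <device> [<key file with passphrase to be removed>]

luksRemoveKey identifies the key by its passphrase or key file, not by slot number. To remove a key by slot number, use:

cryptsetup luksKillSlot <device> <key-slot>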




  • Remove the key in key slot 2 of the /dev/sda3 device (luksRemoveKey takes a passphrase or key file, so removal by slot number uses luksKillSlot):
cryptsetup luksKillSlot /dev/sda3 2
  • Remove all keys from the /dev/sdb1 device. This leaves the data permanently inaccessible unless a header backup exists:
cryptsetup erase /dev/sdb1
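
Before removing a key it is worth checking which slots actually hold one and refusing to remove the last. The script below is an added example, not part of the original page or of cryptsetup; the function names and the sample luksDump text are constructed for illustration, and it covers both the LUKS1 and LUKS2 dump layouts.

```sh
# Added example: decide from `cryptsetup luksDump` text whether a slot may be
# removed. Function names and sample dumps are constructed for illustration.

# Print the numbers of in-use key slots, one per line (dump text on stdin).
enabled_slots() {
    awk '
        # LUKS1 lists every slot; only ENABLED ones hold a key.
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
        # LUKS2 lists in-use slots as indented "N: luks2" under "Keyslots:".
        /^Keyslots:/ { in_ks = 1; next }
        /^[A-Za-z]/  { in_ks = 0 }   # next section (Tokens:, Digests:, ...)
        in_ks && /^[ \t]+[0-9]+: / { sub(":", "", $1); print $1 }
    '
}

# Succeed only if slot $1 is in use and at least one other key would remain.
can_kill_slot() {
    slots=$(enabled_slots)
    count=$(printf '%s\n' "$slots" | grep -c . || true)
    printf '%s\n' "$slots" | grep -qxF -- "$1" && [ "$count" -ge 2 ]
}

# Constructed, abbreviated luksDump output (LUKS1, then LUKS2).
sample_luks1() { cat <<'EOF'
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
EOF
}
sample_luks2() { cat <<'EOF'
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
Tokens:
Digests:
  0: pbkdf2
EOF
}

for s in 0 1 2; do
    sample_luks1 | can_kill_slot "$s" && echo "slot $s: ok to remove" \
        || echo "slot $s: refuse (unused, or the last remaining key)"
done
```

On a real device the same functions read from `cryptsetup luksDump <device>` in place of the sample text.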

Common Issues

  • Error: Device is not a LUKS device. Ensure the device is correctly identified and is indeed a LUKS-encrypted block device.
  • Error: Key slot not found. Verify the key slot number is valid for the device.
  • Device is locked. Unlock the device before removing the key.


cryptsetup-luksRemoveKey can be used in conjunction with other commands:

  • cryptsetup luksDump: Lists key slots and their associated keys.
  • cryptsetup luksOpen: Opens a LUKS device using the remaining keys after removal.

Related Commands

  • cryptsetup: Main LUKS management utility.
  • luksformat: Creates and initializes LUKS-encrypted block devices.
  • luksDump: Retrieves metadata from LUKS-encrypted block devices.