Managing LUKS on Debian
LUKS (Linux Unified Key Setup) is the standard on-disk format for block-device encryption on Debian; the encryption itself is done by the kernel's dm-crypt target. A LUKS volume sits between the file system and the block device and encrypts all data as it passes through. The data is encrypted with a single volume key, which is stored in the LUKS header encrypted under each passphrase or keyfile you add, so any one of them can unlock the volume.
Since LUKS works directly on the block device, all commands listed below must be executed as root.
Installing cryptsetup
cryptsetup is the command-line tool used to manage LUKS volumes. Install it like this:
apt-get install cryptsetup
Creating an encrypted volume
cryptsetup -y -v --type luks2 luksFormat /dev/DEVICE
This writes a new LUKS2 header to the device and destroys any data already on it, so double-check the device name first. -y asks for the passphrase twice to catch typos, -v prints what is being done.
Opening an encrypted volume
cryptsetup luksOpen /dev/DEVICE volumename
The volume should then become available at /dev/mapper/volumename and can be formatted or mounted like any other block device. (luksOpen is the older name for this action; cryptsetup open --type luks does the same thing.) When you are done, unmount it and close it again with cryptsetup luksClose volumename.
Listing slots
Each method that can unlock a volume (a passphrase or a keyfile) occupies a keyslot in the LUKS header at the start of the partition; a LUKS2 header has 32 slots, a LUKS1 header has 8. You can list all slots (and other header metadata) by issuing the following command:
cryptsetup luksDump /dev/sda3
This lists the header metadata for disk sda3, including which slots are in use. Check it before adding or removing slots so you know which slot numbers are occupied.
Adding a password slot
You can add an additional password that can unlock the disk by executing:
cryptsetup luksAddKey /dev/sda3
This will add a new password for disk sda3. You will be prompted for an existing password first, and then for the new one. The new password goes into the first free slot.
Adding a keyfile slot
This method uses a file to unlock the disk. You add it exactly the same way as a new password, with an additional argument naming the file:
cryptsetup luksAddKey /dev/sda3 /home/keyfile.txt
This will add a new keyfile (located in /home/keyfile.txt) for disk sda3. You will be prompted to authenticate with an existing method! The whole content of the file is used as the key, so fill it with random bytes rather than text. Protect the keyfile as carefully as a password: anyone who can read it can unlock the disk, so keep it readable by root only (mode 0400) and never store it on the volume it unlocks.
Adding a Yubikey slot
Clearing a slot
If you want to remove an authentication method, you need to clear the corresponding slot. You can do so by issuing the following command:
cryptsetup -v luksKillSlot /dev/sda3 0
This would clear slot 0 (slots are zero-based) on disk sda3. Note that you will be asked to authenticate with an authentication method stored in another slot. cryptsetup will let you wipe the last remaining slot (after an interactive confirmation), which makes the volume permanently inaccessible, so run luksDump first and make sure at least one other slot stays active. If you know the password but not its slot number, cryptsetup luksRemoveKey /dev/sda3 removes whichever slot that password unlocks.
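The following is an added example and not code from the original page: small shell helpers around the slot-management commands above. It generates a root-only keyfile for the keyfile section, and, for the clearing section, parses luksDump output to find the active slots and refuses to wipe a slot that is not active or that is the last one left. It assumes the luksDump layout of cryptsetup 2.x for LUKS2 (a "Keyslots:" section listing entries like "  0: luks2"); SAMPLE_DUMP and SINGLE_SLOT_DUMP are constructed excerpts, not output from a real device, and the function names are our own. safe_kill_slot is the only part that needs root and a real device.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the cryptsetup 2.x
# luksDump layout for LUKS2. SAMPLE_DUMP / SINGLE_SLOT_DUMP are constructed.

# Constructed luksDump excerpt with two active keyslots (0 and 1).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed excerpt with a single keyslot: the one luksKillSlot must never wipe.
SINGLE_SLOT_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# luks_active_slots: read luksDump text on stdin, print active keyslot numbers,
# one per line. Only the "Keyslots:" section is considered, because the
# "Data segments:" and "Digests:" sections use the same "  N: ..." numbering.
luks_active_slots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }            # any other top-level section
        in_slots && /^  [0-9]+: / { sub(":", "", $1); print $1 }
    '
}

# luks_can_kill_slot SLOT: read luksDump text on stdin; succeed only if SLOT is
# active and at least one other slot would remain afterwards.
luks_can_kill_slot() {
    slot=$1
    slots=$(luks_active_slots)
    count=$(printf '%s\n' "$slots" | awk 'NF { n++ } END { print n + 0 }')
    if ! printf '%s\n' "$slots" | grep -qx "$slot"; then
        echo "slot $slot is not active; nothing to wipe" >&2
        return 1
    fi
    if [ "$count" -le 1 ]; then
        echo "slot $slot is the last keyslot; wiping it would make the volume permanently inaccessible" >&2
        return 1
    fi
    return 0
}

# safe_kill_slot DEVICE SLOT: run the check above against the live header and
# only then wipe the slot. Needs root and a real LUKS device.
safe_kill_slot() {
    cryptsetup luksDump "$1" | luks_can_kill_slot "$2" || return 1
    cryptsetup -v luksKillSlot "$1" "$2"
}

# make_keyfile PATH: write 64 random bytes to PATH, created under umask 077 so
# it is never world-readable, then lock it down to mode 0400.
make_keyfile() {
    path=$1
    ( umask 077 && head -c 64 /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
    [ "$(wc -c < "$path" | tr -d ' ')" -eq 64 ]
}

# Usage on a real system (as root):
#   make_keyfile /root/sda3.key && cryptsetup luksAddKey /dev/sda3 /root/sda3.key
#   safe_kill_slot /dev/sda3 0
```

The parser deliberately ignores everything outside the Keyslots section: luksDump numbers data segments and digests from 0 as well, so a naive grep for "  0:" would count a digest as a keyslot and could let you wipe the last real one.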
