How to change luks encryption difficulty on manjaro full disk encrypt
Clash Royale CLAN TAG#URR8PPP
I am using manjaro with full disk encrypt, however, the wait time at boot for decrypt is very long ( i assume because of a high difficulty setting) . How can I change encryption difficulty/ wait time of the encryption setup during install?
encryption luks manjaro
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
add a comment |
I am using manjaro with full disk encrypt, however, the wait time at boot for decrypt is very long ( i assume because of a high difficulty setting) . How can I change encryption difficulty/ wait time of the encryption setup during install?
encryption luks manjaro
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
add a comment |
I am using manjaro with full disk encrypt, however, the wait time at boot for decrypt is very long ( i assume because of a high difficulty setting) . How can I change encryption difficulty/ wait time of the encryption setup during install?
encryption luks manjaro
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
I am using manjaro with full disk encrypt, however, the wait time at boot for decrypt is very long ( i assume because of a high difficulty setting) . How can I change encryption difficulty/ wait time of the encryption setup during install?
encryption luks manjaro
encryption luks manjaro
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
asked Jan 30 at 17:52
Daniel VallandDaniel Valland
1132
1132
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Too much passphrase hashing?
If it's only slow because you're waiting for a lot of passphrase hashing iterations, you could add a new passphrase with a quicker --iter-time, but that could reduce security & allow faster guessing of passphrases. If you wanted to wait 1 second (1000ms) then use a command like:
cryptsetup -v luksAddKey --iter-time 1000 <device>
You might then have to delete the old slow passphrase (with luksKillSlot), unless it's key slot is after the new quick one (they're apparently tested in order, so might have to wait for the first slow slot to be tested before the later quick one). Or change your initial open command to specify the new quicker --key-slot number.
The luksChangeKey command can combine the two steps, adding a new key then deleting the old key (even though the v1.7 man page doesn't specifically say it can use --iter-time, apparently it can):
cryptsetup -v luksAddKey --iter-time 1000 <device>
How slow is it now?
Test how long it takes to decrypt / open your device with:
cryptsetup -v luksOpen --test-passphrase <device>
Or test a specific key slot with the --key-slot option:
cryptsetup -v luksOpen --test-passphrase --key-slot N <device>
Using the time command might help, but also count your typing speed.
You can use the luksDump command to see what the current key slot Iterations: are, this is an example of a very slow slot 0 and a very quick slot 1:
Key Slot 0: ENABLED
Iterations: 4663017
Salt: ......
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1000
Salt: ......
Key material offset: 264
AF stripes: 4000
From man cryptsetup:
--iter-time,-i
The number of milliseconds to spend with PBKDF2 passphrase processing. This
option is only relevant for LUKS operations that set or change passphrases, such
as luksFormat or luksAddKey. Specifying 0 as parameter selects the compiled-in
default.
luksChangeKey <device> [<new key file>]
Changes an existing passphrase. The passphrase to be changed must be supplied
interactively or via --key-file. The new passphrase can be supplied interactively
or in a file given as positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that key-slot must
be given and the new passphrase will overwrite the specified key-slot. If no key-
slot is specified and there is still a free key-slot, then the new passphrase will
be put into a free key-slot before the key-slot containing the old passphrase is
purged. If there is no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
WARNING: If a key-slot is overwritten, a media failure during this operation can
cause the overwrite to fail after the old passphrase has been wiped and make the
LUKS container inaccessible.
It's not the passphrase hashing?
- There's lots of reasons for a slow boot time, maybe it's unrelated to the encryption.
Or if the actual encryption/decryption itself is too slow, then changing the algorithm or key size might be required, and that would require decrypting and re-encrypting everything. There are programs (or commands in newer versions) that can do it in-place, hopefully without losing anything, but having a backup would be more than an excellent idea.
But in that case, it wouldn't just be a long initial wait but all reads & writes would be a little slower.
You can use the cryptsetup -v benchmark command to see some speed tests, but "NOTE: This benchmark is using memory only and is only informative. You cannot
directly predict real storage encryption speed from it."
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the--key-slotoption for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a--dump-master-keyif you're worried about losing all passphrases
– Xen2050
Feb 1 at 10:27
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497746%2fhow-to-change-luks-encryption-difficulty-on-manjaro-full-disk-encrypt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Too much passphrase hashing?
If it's only slow because you're waiting for a lot of passphrase hashing iterations, you could add a new passphrase with a quicker --iter-time, but that could reduce security & allow faster guessing of passphrases. If you wanted to wait 1 second (1000ms) then use a command like:
cryptsetup -v luksAddKey --iter-time 1000 <device>
You might then have to delete the old slow passphrase (with luksKillSlot), unless it's key slot is after the new quick one (they're apparently tested in order, so might have to wait for the first slow slot to be tested before the later quick one). Or change your initial open command to specify the new quicker --key-slot number.
The luksChangeKey command can combine the two steps, adding a new key then deleting the old key (even though the v1.7 man page doesn't specifically say it can use --iter-time, apparently it can):
cryptsetup -v luksAddKey --iter-time 1000 <device>
How slow is it now?
Test how long it takes to decrypt / open your device with:
cryptsetup -v luksOpen --test-passphrase <device>
Or test a specific key slot with the --key-slot option:
cryptsetup -v luksOpen --test-passphrase --key-slot N <device>
Using the time command might help, but also count your typing speed.
You can use the luksDump command to see what the current key slot Iterations: are, this is an example of a very slow slot 0 and a very quick slot 1:
Key Slot 0: ENABLED
Iterations: 4663017
Salt: ......
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1000
Salt: ......
Key material offset: 264
AF stripes: 4000
From man cryptsetup:
--iter-time,-i
The number of milliseconds to spend with PBKDF2 passphrase processing. This
option is only relevant for LUKS operations that set or change passphrases, such
as luksFormat or luksAddKey. Specifying 0 as parameter selects the compiled-in
default.
luksChangeKey <device> [<new key file>]
Changes an existing passphrase. The passphrase to be changed must be supplied
interactively or via --key-file. The new passphrase can be supplied interactively
or in a file given as positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that key-slot must
be given and the new passphrase will overwrite the specified key-slot. If no key-
slot is specified and there is still a free key-slot, then the new passphrase will
be put into a free key-slot before the key-slot containing the old passphrase is
purged. If there is no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
WARNING: If a key-slot is overwritten, a media failure during this operation can
cause the overwrite to fail after the old passphrase has been wiped and make the
LUKS container inaccessible.
It's not the passphrase hashing?
- There's lots of reasons for a slow boot time, maybe it's unrelated to the encryption.
Or if the actual encryption/decryption itself is too slow, then changing the algorithm or key size might be required, and that would require decrypting and re-encrypting everything. There are programs (or commands in newer versions) that can do it in-place, hopefully without losing anything, but having a backup would be more than an excellent idea.
But in that case, it wouldn't just be a long initial wait but all reads & writes would be a little slower.
You can use the cryptsetup -v benchmark command to see some speed tests, but "NOTE: This benchmark is using memory only and is only informative. You cannot
directly predict real storage encryption speed from it."
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the--key-slotoption for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a--dump-master-keyif you're worried about losing all passphrases
– Xen2050
Feb 1 at 10:27
add a comment |
Too much passphrase hashing?
If it's only slow because you're waiting for a lot of passphrase hashing iterations, you could add a new passphrase with a quicker --iter-time, but that could reduce security & allow faster guessing of passphrases. If you wanted to wait 1 second (1000ms) then use a command like:
cryptsetup -v luksAddKey --iter-time 1000 <device>
You might then have to delete the old slow passphrase (with luksKillSlot), unless it's key slot is after the new quick one (they're apparently tested in order, so might have to wait for the first slow slot to be tested before the later quick one). Or change your initial open command to specify the new quicker --key-slot number.
The luksChangeKey command can combine the two steps, adding a new key then deleting the old key (even though the v1.7 man page doesn't specifically say it can use --iter-time, apparently it can):
cryptsetup -v luksAddKey --iter-time 1000 <device>
How slow is it now?
Test how long it takes to decrypt / open your device with:
cryptsetup -v luksOpen --test-passphrase <device>
Or test a specific key slot with the --key-slot option:
cryptsetup -v luksOpen --test-passphrase --key-slot N <device>
Using the time command might help, but also count your typing speed.
You can use the luksDump command to see what the current key slot Iterations: are, this is an example of a very slow slot 0 and a very quick slot 1:
Key Slot 0: ENABLED
Iterations: 4663017
Salt: ......
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1000
Salt: ......
Key material offset: 264
AF stripes: 4000
From man cryptsetup:
--iter-time,-i
The number of milliseconds to spend with PBKDF2 passphrase processing. This
option is only relevant for LUKS operations that set or change passphrases, such
as luksFormat or luksAddKey. Specifying 0 as parameter selects the compiled-in
default.
luksChangeKey <device> [<new key file>]
Changes an existing passphrase. The passphrase to be changed must be supplied
interactively or via --key-file. The new passphrase can be supplied interactively
or in a file given as positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that key-slot must
be given and the new passphrase will overwrite the specified key-slot. If no key-
slot is specified and there is still a free key-slot, then the new passphrase will
be put into a free key-slot before the key-slot containing the old passphrase is
purged. If there is no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
WARNING: If a key-slot is overwritten, a media failure during this operation can
cause the overwrite to fail after the old passphrase has been wiped and make the
LUKS container inaccessible.
It's not the passphrase hashing?
- There's lots of reasons for a slow boot time, maybe it's unrelated to the encryption.
Or if the actual encryption/decryption itself is too slow, then changing the algorithm or key size might be required, and that would require decrypting and re-encrypting everything. There are programs (or commands in newer versions) that can do it in-place, hopefully without losing anything, but having a backup would be more than an excellent idea.
But in that case, it wouldn't just be a long initial wait but all reads & writes would be a little slower.
You can use the cryptsetup -v benchmark command to see some speed tests, but "NOTE: This benchmark is using memory only and is only informative. You cannot
directly predict real storage encryption speed from it."
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the--key-slotoption for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a--dump-master-keyif you're worried about losing all passphrases
– Xen2050
Feb 1 at 10:27
add a comment |
Too much passphrase hashing?
If it's only slow because you're waiting for a lot of passphrase hashing iterations, you could add a new passphrase with a quicker --iter-time, but that could reduce security & allow faster guessing of passphrases. If you wanted to wait 1 second (1000ms) then use a command like:
cryptsetup -v luksAddKey --iter-time 1000 <device>
You might then have to delete the old slow passphrase (with luksKillSlot), unless it's key slot is after the new quick one (they're apparently tested in order, so might have to wait for the first slow slot to be tested before the later quick one). Or change your initial open command to specify the new quicker --key-slot number.
The luksChangeKey command can combine the two steps, adding a new key then deleting the old key (even though the v1.7 man page doesn't specifically say it can use --iter-time, apparently it can):
cryptsetup -v luksAddKey --iter-time 1000 <device>
How slow is it now?
Test how long it takes to decrypt / open your device with:
cryptsetup -v luksOpen --test-passphrase <device>
Or test a specific key slot with the --key-slot option:
cryptsetup -v luksOpen --test-passphrase --key-slot N <device>
Using the time command might help, but also count your typing speed.
You can use the luksDump command to see what the current key slot Iterations: are, this is an example of a very slow slot 0 and a very quick slot 1:
Key Slot 0: ENABLED
Iterations: 4663017
Salt: ......
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1000
Salt: ......
Key material offset: 264
AF stripes: 4000
From man cryptsetup:
--iter-time,-i
The number of milliseconds to spend with PBKDF2 passphrase processing. This
option is only relevant for LUKS operations that set or change passphrases, such
as luksFormat or luksAddKey. Specifying 0 as parameter selects the compiled-in
default.
luksChangeKey <device> [<new key file>]
Changes an existing passphrase. The passphrase to be changed must be supplied
interactively or via --key-file. The new passphrase can be supplied interactively
or in a file given as positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that key-slot must
be given and the new passphrase will overwrite the specified key-slot. If no key-
slot is specified and there is still a free key-slot, then the new passphrase will
be put into a free key-slot before the key-slot containing the old passphrase is
purged. If there is no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
WARNING: If a key-slot is overwritten, a media failure during this operation can
cause the overwrite to fail after the old passphrase has been wiped and make the
LUKS container inaccessible.
It's not the passphrase hashing?
- There's lots of reasons for a slow boot time, maybe it's unrelated to the encryption.
Or if the actual encryption/decryption itself is too slow, then changing the algorithm or key size might be required, and that would require decrypting and re-encrypting everything. There are programs (or commands in newer versions) that can do it in-place, hopefully without losing anything, but having a backup would be more than an excellent idea.
But in that case, it wouldn't just be a long initial wait but all reads & writes would be a little slower.
You can use the cryptsetup -v benchmark command to see some speed tests, but "NOTE: This benchmark is using memory only and is only informative. You cannot
directly predict real storage encryption speed from it."
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
Too much passphrase hashing?
If it's only slow because you're waiting for a lot of passphrase hashing iterations, you could add a new passphrase with a quicker --iter-time, but that could reduce security & allow faster guessing of passphrases. If you wanted to wait 1 second (1000ms) then use a command like:
cryptsetup -v luksAddKey --iter-time 1000 <device>
You might then have to delete the old slow passphrase (with luksKillSlot), unless it's key slot is after the new quick one (they're apparently tested in order, so might have to wait for the first slow slot to be tested before the later quick one). Or change your initial open command to specify the new quicker --key-slot number.
The luksChangeKey command can combine the two steps, adding a new key then deleting the old key (even though the v1.7 man page doesn't specifically say it can use --iter-time, apparently it can):
cryptsetup -v luksAddKey --iter-time 1000 <device>
How slow is it now?
Test how long it takes to decrypt / open your device with:
cryptsetup -v luksOpen --test-passphrase <device>
Or test a specific key slot with the --key-slot option:
cryptsetup -v luksOpen --test-passphrase --key-slot N <device>
Using the time command might help, but also count your typing speed.
You can use the luksDump command to see what the current key slot Iterations: are, this is an example of a very slow slot 0 and a very quick slot 1:
Key Slot 0: ENABLED
Iterations: 4663017
Salt: ......
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1000
Salt: ......
Key material offset: 264
AF stripes: 4000
From man cryptsetup:
--iter-time,-i
The number of milliseconds to spend with PBKDF2 passphrase processing. This
option is only relevant for LUKS operations that set or change passphrases, such
as luksFormat or luksAddKey. Specifying 0 as parameter selects the compiled-in
default.
luksChangeKey <device> [<new key file>]
Changes an existing passphrase. The passphrase to be changed must be supplied
interactively or via --key-file. The new passphrase can be supplied interactively
or in a file given as positional argument.
If a key-slot is specified (via --key-slot), the passphrase for that key-slot must
be given and the new passphrase will overwrite the specified key-slot. If no key-
slot is specified and there is still a free key-slot, then the new passphrase will
be put into a free key-slot before the key-slot containing the old passphrase is
purged. If there is no free key-slot, then the key-slot with the old passphrase is
overwritten directly.
WARNING: If a key-slot is overwritten, a media failure during this operation can
cause the overwrite to fail after the old passphrase has been wiped and make the
LUKS container inaccessible.
It's not the passphrase hashing?
- There's lots of reasons for a slow boot time, maybe it's unrelated to the encryption.
Or if the actual encryption/decryption itself is too slow, then changing the algorithm or key size might be required, and that would require decrypting and re-encrypting everything. There are programs (or commands in newer versions) that can do it in-place, hopefully without losing anything, but having a backup would be more than an excellent idea.
But in that case, it wouldn't just be a long initial wait but all reads & writes would be a little slower.
You can use the cryptsetup -v benchmark command to see some speed tests, but "NOTE: This benchmark is using memory only and is only informative. You cannot
directly predict real storage encryption speed from it."
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
edited Jan 31 at 13:04
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
answered Jan 31 at 12:57
Xen2050Xen2050
1,289813
1,289813
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the--key-slotoption for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a--dump-master-keyif you're worried about losing all passphrases
– Xen2050
Feb 1 at 10:27
add a comment |
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the--key-slotoption for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a--dump-master-keyif you're worried about losing all passphrases
– Xen2050
Feb 1 at 10:27
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Excellent answer, thank you :)
– Daniel Valland
Jan 31 at 20:54
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
Only problem i now have is the message "No key with this passphrase. Passphrase required to access luks volume...." after creating a new slot, and deleting the old. There were two slots occupied, and I deleted both, and added only one new... could this be the problem? I am able to unlock by typing the password twice (once in grub, and another after grub...)
– Daniel Valland
Jan 31 at 21:00
That's worrying... if you use the
--key-slot option for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a --dump-master-key if you're worried about losing all passphrases– Xen2050
Feb 1 at 10:27
That's worrying... if you use the
--key-slot option for open then it only checks that slot, so maybe it's because "If the given passphrase would only match a different key-slot, the operation fails." But it does eventually unlock... I don't know why it's asking twice, unless that's just how manjaro is set up? I'm not sure, maybe it was storing the passphrase somewhere else on disk and now it's changed, or maybe there's two encrypted partitions? Keeping a header backup is in general always a good idea, or possibly even a --dump-master-key if you're worried about losing all passphrases– Xen2050
Feb 1 at 10:27
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497746%2fhow-to-change-luks-encryption-difficulty-on-manjaro-full-disk-encrypt%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
