From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from nekare.kjorling.se (nekare.kjorling.se [89.221.249.175])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.server123.net (Postfix) with ESMTPS
	for ; Thu, 30 Mar 2017 12:57:41 +0200 (CEST)
Received: from yeono.kjorling.se (h-9-65.a328.priv.bahnhof.se [46.59.9.65])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "yeono", Issuer "yeono" (not verified))
	by nekare.kjorling.se (Postfix) with ESMTPS id 66B9A114501
	for ; Thu, 30 Mar 2017 10:57:34 +0000 (UTC)
Received: from yeono.kjorling.se (localhost [127.0.0.1])
	(using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by yeono (Postfix) with ESMTPS id 1CE2111BC
	for ; Thu, 30 Mar 2017 12:57:34 +0200 (CEST)
Date: Thu, 30 Mar 2017 10:57:32 +0000
From: Michael Kjörling
Message-ID: <20170330105732.GA20553@yeono.kjorling.se>
References: <20170329183243.GA16156@tansi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Subject: Re: [dm-crypt] Best practice for storing header backup and
	protecting against mistakes/misuse.
To: dm-crypt@saout.de

On 30 Mar 2017 11:18 +0100, from waqark3389temp@gmail.com (Waqar Khan):
> As a follow up. I will have a decrypted version of the master key
> which I got via luksDump --dump-master-key. I checked the FAQ and can't
> find something on how to overwrite a key slot with a good master key.
> If I have this master key, what would be the process to replace the
> passphrase in keyslot 0 with a new passphrase?

If you have a full header backup, then you can use that to restore the
container header via `cryptsetup luksHeaderRestore`, or you can use a
detached header via `cryptsetup --header`.


If you have only the master key, then you can write a new header
(possibly detached) with that specific master key using
`cryptsetup luksFormat --master-key-file`. I recommend making a fresh
header backup first in that case, in case you make a mistake.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
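
Added example, not part of the original message and not cryptsetup code: a check that a dumped master key really belongs to a header backup, plus the cipher, key size and payload offset that a header re-created with `luksFormat --master-key-file` has to reproduce for the data to stay readable. It assumes the LUKS1 on-disk layout; the function names and the sample header are constructed for illustration.

```python
import hashlib
import hmac
import struct

# LUKS1 header fields ahead of the key slots (big-endian): magic, version,
# cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iter, uuid.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return the parameters a re-created header has to match."""
    if len(blob) < PHDR.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, digest, salt, iterations, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "hash": _text(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "uuid": _text(uuid),
        "mk_digest": digest, "mk_salt": salt, "mk_iterations": iterations,
    }


def master_key_matches(header, master_key):
    """Compare PBKDF2(master key) with the 20-byte mk-digest in the header."""
    if len(master_key) * 8 != header["key_bits"]:
        return False
    candidate = hashlib.pbkdf2_hmac(header["hash"], master_key,
                                    header["mk_salt"], header["mk_iterations"], 20)
    return hmac.compare_digest(candidate, header["mk_digest"])


def build_sample_header(master_key, iterations=1000):
    """Constructed LUKS1 header start for the demo; not from a real disk."""
    salt = bytes(range(32))
    digest = hashlib.pbkdf2_hmac("sha256", master_key, salt, iterations, 20)
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096,
                     len(master_key), digest, salt, iterations,
                     b"00000000-0000-0000-0000-000000000000")
```

On a real system the input would be the first bytes of a file written by `cryptsetup luksHeaderBackup`, and the key would be the binary master key, which should be handled as carefully as the data it protects.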