Restore or regenerate LUKS keyslot #1

After dealing with long boot times with GRUB unlocking for a while, I have finally stopped procrastinating and lowered my LUKS difficulty. However, since I’m dumb, I’ve managed to delete keyslot #1 in the process. This resulted in the boot process going as this:

  • GRUB asks for password
  • I enter password, GRUB opens keyslot 0
  • Plymouth spins for a while
  • I press keys on my keyboard like a monkey for several minutes (page up/down work the best)
  • A screen appears with the following text:
No key available with this passphrase.
Invalid keyfile. Reverting to passphrase.

A password is required to access the luks-8ebc9277-47b3-402b-9eda-3ae78b79f612 volume:
Enter passphrase for /dev/nvme0n1p2:
  • I type my password v e r y s l o w l y several times
  • System boots

The LUKS partition mentioned above is my root partition. I have also found that if I move /crypto_keyfile.bin, it asks me for my password even more times (for swap too).

Is there a way to somehow replace the old keyfile so I don’t have to enter my password multiple times? I have been looking in /boot with no success.

How to increase your chances of solving your issue:

Please provide Information:

Can you not - once you are in - just add another passphrase
or the same one - it doesn’t matter whether old or new, whether you have used it before or not…
(to unlock the encrypted volume)?
Just as you where able and allowed to remove it (the only one …)
add one … or two … ?

Or do you just don’t know how to do this?
… could be … :wink:

@Honbra IMHO you have now 2 options:

1.) In your present Manjaro installation LUKS slot0 is the one in which your password is, slot1 is reserved by the system, do not try to open or overwrite it. But you have 5 slots (slot2 … slot7) free and open for your new passwords. Try to activate one of them with a new password. See instruction: How to change LUKS passphrase in Linux - nixCraft

2.) In case this 1st option does provide you satisfactory solution(s), then try to get in and and restore all your files to external memory and reinstall Manjaro once again including new LUKS password, which will land automatically into slot0.

Pls inform about your results (for my further learning). :grinning:

Hello, thank you for your responses.

I think I worded the initial post wrong. I can log into the system and use it and did change slot #0, however, I also managed to erase slot #1.

Also, here is my system information from inxi:

System:
  Kernel: 5.15.25-1-MANJARO x86_64 bits: 64 compiler: gcc v: 11.2.0
    parameters: BOOT_IMAGE=/boot/vmlinuz-5.15-x86_64
    root=UUID=b5823c98-f173-4a9b-a69a-e96cdaafbfa0 rw quiet
    cryptdevice=UUID=8ebc9277-47b3-402b-9eda-3ae78b79f612:luks-8ebc9277-47b3-402b-9eda-3ae78b79f612
    root=/dev/mapper/luks-8ebc9277-47b3-402b-9eda-3ae78b79f612 splash
    apparmor=1 security=apparmor
    resume=/dev/mapper/luks-fc818d93-b852-4296-be53-f9f3a41460f9
    udev.log_priority=3 snd_intel_dspcfg.dsp_driver=1
    acpi_enforce_resources=lax
  Console: pty pts/0 wm: gnome-shell DM: GDM 41.3 Distro: Manjaro Linux
    base: Arch Linux
Machine:
  Type: Convertible System: HP product: HP Spectre x360 Convertible 14-ea0xxx
    v: N/A serial: <filter> Chassis: type: 31 serial: <filter>
  Mobo: HP model: 87F6 v: 40.43 serial: <filter> UEFI: AMI v: F.09
    date: 01/13/2021
Battery:
  ID-1: BAT0 charge: 5.4 Wh (8.7%) condition: 62.2/66.5 Wh (93.4%) volts: 7.9
    min: 7.7 model: HP Primary type: Li-ion serial: <filter> status: Charging
    cycles: 131
  Device-1: hid-0018:04F3:2BEB.0001-battery model: ELAN2514:00 04F3:2BEB
    serial: N/A charge: N/A status: N/A
Memory:
  RAM: total: 15.28 GiB used: 2.86 GiB (18.7%)
  Array-1: capacity: 16 GiB slots: 2 EC: None max-module-size: 8 GiB
    note: est.
  Device-1: Bottom - on board size: 8 GiB speed: spec: 4267 MT/s
    actual: 3733 MT/s type: LPDDR4 detail: synchronous bus-width: 16 bits
    total: 16 bits manufacturer: Micron Technology
    part-no: MT53E1G32D4NQ-046:E serial: N/A
  Device-2: Bottom - on board size: 8 GiB speed: spec: 4267 MT/s
    actual: 3733 MT/s type: LPDDR4 detail: synchronous bus-width: 16 bits
    total: 16 bits manufacturer: Micron Technology
    part-no: MT53E1G32D4NQ-046:E serial: N/A
CPU:
  Info: model: 11th Gen Intel Core i7-1165G7 socket: U3E1 bits: 64
    type: MT MCP arch: Tiger Lake family: 6 model-id: 0x8C (140) stepping: 1
    microcode: 0x9A
  Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache:
    L1: 320 KiB desc: d-4x48 KiB; i-4x32 KiB L2: 5 MiB desc: 4x1.2 MiB
    L3: 12 MiB desc: 1x12 MiB
  Speed (MHz): avg: 1713 high: 2730 min/max: 400/4700 base/boost: 2800/4700
    scaling: driver: intel_pstate governor: powersave volts: 0.8 V
    ext-clock: 100 MHz cores: 1: 1471 2: 1478 3: 1655 4: 1200 5: 2730 6: 1200
    7: 2553 8: 1421 bogomips: 44864
  Flags: 3dnowprefetch abm acpi adx aes aperfmperf apic arat
    arch_capabilities arch_perfmon art avx avx2 avx512_bitalg avx512_vbmi2
    avx512_vnni avx512_vp2intersect avx512_vpopcntdq avx512bw avx512cd
    avx512dq avx512f avx512ifma avx512vbmi avx512vl bmi1 bmi2 bts cat_l2
    cdp_l2 clflush clflushopt clwb cmov constant_tsc cpuid cpuid_fault cx16
    cx8 de ds_cpl dtes64 dtherm dts epb ept ept_ad erms est f16c flexpriority
    flush_l1d fma fpu fsgsbase fsrm fxsr gfni ht hwp hwp_act_window hwp_epp
    hwp_notify hwp_pkg_req ibpb ibrs ibrs_enhanced ida intel_pt invpcid
    invpcid_single lahf_lm lm mca mce md_clear mmx monitor movbe movdir64b
    movdiri msr mtrr nonstop_tsc nopl nx ospke pae pat pbe pcid pclmulqdq pdcm
    pdpe1gb pebs pge pku pln pni popcnt pse pse36 pts rdpid rdrand rdseed
    rdt_a rdtscp rep_good sdbg sep sha_ni smap smep split_lock_detect ss ssbd
    sse sse2 sse4_1 sse4_2 ssse3 stibp syscall tm tm2 tpr_shadow tsc
    tsc_adjust tsc_deadline_timer tsc_known_freq umip vaes vme vmx vnmi
    vpclmulqdq vpid x2apic xgetbv1 xsave xsavec xsaveopt xsaves xtopology xtpr
  Vulnerabilities:
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: spec_store_bypass
    mitigation: Speculative Store Bypass disabled via prctl and seccomp
  Type: spectre_v1
    mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Enhanced IBRS, IBPB: conditional, RSB filling
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel TigerLake-LP GT2 [Iris Xe Graphics] vendor: Hewlett-Packard
    driver: i915 v: kernel ports: active: eDP-1 empty: DP-1,DP-2
    bus-ID: 0000:00:02.0 chip-ID: 8086:9a49 class-ID: 0300
  Display: server: X.org v: 1.21.1.3 compositor: gnome-shell driver:
    gpu: i915 note:  X driver n/a display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x1280 s-size: <missing: xdpyinfo>
  Monitor-1: XWAYLAND0 mapped: eDP-1 model: LG built: 2020 res: 1920x1280
    hz: 60 dpi: 174 gamma: 1.2 size: 280x190mm (11.0x7.5") diag: 343mm (13.5")
    ratio: 3:2 modes: 1920x1280
  OpenGL: renderer: Mesa Intel Xe Graphics (TGL GT2) v: 4.6 Mesa 21.3.7
    direct render: Yes
Audio:
  Device-1: Intel Tiger Lake-LP Smart Sound Audio vendor: Hewlett-Packard
    driver: snd_hda_intel v: kernel alternate: snd_sof_pci_intel_tgl
    bus-ID: 0000:00:1f.3 chip-ID: 8086:a0c8 class-ID: 0401
  Sound Server-1: ALSA v: k5.15.25-1-MANJARO running: yes
  Sound Server-2: JACK v: 1.9.20 running: no
  Sound Server-3: PulseAudio v: 15.0 running: yes
  Sound Server-4: PipeWire v: 0.3.47 running: yes
Network:
  Device-1: Intel Wi-Fi 6 AX201 driver: iwlwifi v: kernel bus-ID: 0000:00:14.3
    chip-ID: 8086:a0f0 class-ID: 0280
  IF: wlo1 state: up mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: noprefixroute scope: link
  WAN IP: <filter>
Bluetooth:
  Device-1: Intel AX201 Bluetooth type: USB driver: btusb v: 0.8
    bus-ID: 3-10:4 chip-ID: 8087:0026 class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 1 state: up address: see --recommends
Logical:
  Message: No logical block device data found.
  Device-1: luks-8ebc9277-47b3-402b-9eda-3ae78b79f612 maj-min: 254:0
    type: LUKS dm: dm-0 size: 936.76 GiB
  Components:
  p-1: nvme0n1p2 maj-min: 259:2 size: 936.76 GiB
  Device-2: luks-fc818d93-b852-4296-be53-f9f3a41460f9 maj-min: 254:1
    type: LUKS dm: dm-1 size: 16.8 GiB
  Components:
  p-1: nvme0n1p3 maj-min: 259:3 size: 16.8 GiB
RAID:
  Hardware-1: Intel Volume Management Device NVMe RAID Controller driver: vmd
    v: 0.6 port: N/A bus-ID: 0000:00:0e.0 chip-ID: 8086:9a0b rev: class-ID: 0104
Drives:
  Local Storage: total: 981.12 GiB used: 167.05 GiB (17.0%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Intel model: HBRPEKNX0203AH
    size: 953.87 GiB block-size: physical: 512 B logical: 512 B speed: 15.8 Gb/s
    lanes: 2 type: SSD serial: <filter> rev: HPS2 temp: 36.9 C scheme: GPT
  ID-2: /dev/nvme1n1 maj-min: 259:4 vendor: Intel model: HBRPEKNX0203AHO
    size: 27.25 GiB block-size: physical: 512 B logical: 512 B speed: 15.8 Gb/s
    lanes: 2 type: SSD serial: <filter> rev: HPS3 temp: 43.9 C scheme: GPT
  Message: No optical or floppy data found.
Partition:
  ID-1: / raw-size: 936.76 GiB size: 920.98 GiB (98.32%)
    used: 167.05 GiB (18.1%) fs: ext4 block-size: 4096 B dev: /dev/dm-0
    maj-min: 254:0 mapped: luks-8ebc9277-47b3-402b-9eda-3ae78b79f612
    label: N/A uuid: b5823c98-f173-4a9b-a69a-e96cdaafbfa0
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 440 KiB (0.1%) fs: vfat block-size: 512 B dev: /dev/nvme0n1p1
    maj-min: 259:1 label: NO_LABEL uuid: 9CA0-4900
Swap:
  Kernel: swappiness: 60 (default) cache-pressure: 100 (default)
  ID-1: swap-1 type: partition size: 16.8 GiB used: 0 KiB (0.0%)
    priority: -2 dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-fc818d93-b852-4296-be53-f9f3a41460f9 label: swap
    uuid: d4423c32-3434-42d9-a2e1-6f2eb89f7b4a
Unmounted:
  ID-1: /dev/nvme1n1p1 maj-min: 259:5 size: 27.25 GiB fs: ext4 label: Backup
    uuid: 22086eb6-fcd7-4afa-873e-c8f4be0b40fa
USB:
  Hub-1: 1-0:1 info: Hi-speed hub with single TT ports: 1 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Hub-2: 2-0:1 info: Super-speed hub ports: 4 rev: 3.1 speed: 10 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
  Hub-3: 3-0:1 info: Hi-speed hub with single TT ports: 12 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Device-1: 3-9:3 info: Elan Micro ELAN:ARM-M4 type: <vendor specific>
    driver: N/A interfaces: 1 rev: 2.0 speed: 12 Mb/s power: 100mA
    chip-ID: 04f3:0c4c class-ID: 0000
  Device-2: 3-10:4 info: Intel AX201 Bluetooth type: Bluetooth driver: btusb
    interfaces: 2 rev: 2.0 speed: 12 Mb/s power: 100mA chip-ID: 8087:0026
    class-ID: e001
  Hub-4: 4-0:1 info: Super-speed hub ports: 4 rev: 3.1 speed: 10 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
Sensors:
  System Temperatures: cpu: 46.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 305 Uptime: 9m wakeups: 683 Init: systemd v: 250 tool: systemctl
  Compilers: gcc: 11.2.0 clang: 13.0.1 Packages: 1636 pacman: 1558 lib: 358
  flatpak: 78 Shell: Zsh (sudo) v: 5.8.1 default: Bash v: 5.1.16
  running-in: gnome-terminal inxi: 3.3.13

Hello @Honbra,

I did the same mistake, thank very much for the explanation (specially the v e r y s l o w l y part). I was able to decrypt my partition.

After that I managed to re-add the key with :

sudo cryptsetup --verbose luksAddKey /dev/nvme0n1p2 --key-slot 1 /crypto_keyfile.bin

I also, this time, took the time to check what I did with :

sudo cryptsetup --verbose -test-passphrase /dev/nvme0n1p2 --key-file /crypto_keyfile.bin

and next reboot…
My goal was initially to decrease the iterations. I set the -i option to a lower value for the key 0 (I win few seconds for the first decrypt stage), and following this issue, I did the same when re-adding the keyfile to slot 1, and also win some seconds for the next decryption stage.