How to non-interactively manage LUKS passphrases

Learn how to non-interactively manage LUKS passphrases on a specific device using files or a named pipe.

Add an additional passphrase non-interactively using files

Store any current passphrase in a file, without a trailing newline character.

Use only 7-bit ASCII characters so that your passphrase stays future-proof against encoding differences.

$ printf '%s' "anycurrentpassword" | tee current_passphrase

Store the additional passphrase in a file, without a trailing newline character.

$ printf '%s' "badpassword" | tee additional_passphrase

Restrict the passphrase file permissions.

$ chmod 400 current_passphrase
$ chmod 400 additional_passphrase

Add a passphrase to the specified key-slot using the current and additional passphrase files.

$ sudo cryptsetup luksAddKey --key-file ./current_passphrase --key-slot 7 /dev/sdb1 ./additional_passphrase

Remove both passphrase files.

$ unlink current_passphrase
$ unlink additional_passphrase
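A pre-flight check for the passphrase files used in the steps above, as an added example that is not part of the original article: cryptsetup uses the whole content of a key file, so a stray trailing newline would silently become part of the passphrase. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: function names are hypothetical; stat -c assumes GNU coreutils.

# Read one line from stdin and store it in a new file $1 without the newline.
# umask 077 creates the file with mode 600; set -C refuses to reuse an
# existing file that may already have wider permissions.
write_passphrase_file() {
    (
        umask 077
        set -C
        IFS= read -r pass || [ -n "$pass" ] || exit 1
        printf '%s' "$pass" > "$1"
    )
}

# Return 0 only if file $1 is fit to be passed to cryptsetup --key-file.
check_passphrase_file() {
    f=$1
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
        echo "$f: missing or empty" >&2; return 1
    fi
    mode=$(stat -c '%a' "$f") || return 1
    # Octal mode as a number: any group or other bit set is a failure.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$f: mode $mode grants access to group or others" >&2; return 1
    fi
    # Command substitution drops a trailing newline, so empty means "\n".
    if [ -z "$(tail -c 1 "$f")" ]; then
        echo "$f: trailing newline would become part of the key" >&2; return 1
    fi
    # Count bytes that are not printable 7-bit ASCII (space through tilde).
    bad=$(LC_ALL=C tr -d '\040-\176' < "$f" | wc -c)
    if [ "$bad" -ne 0 ]; then
        echo "$f: $bad byte(s) outside printable 7-bit ASCII" >&2; return 1
    fi
    return 0
}

# Usage with the files from the steps above (constructed, needs root):
#   check_passphrase_file ./current_passphrase &&
#   check_passphrase_file ./additional_passphrase &&
#   sudo cryptsetup luksAddKey --key-file ./current_passphrase \
#       --key-slot 7 /dev/sdb1 ./additional_passphrase
```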

Add an additional passphrase non-interactively using a named pipe

Create a named pipe.

$ mkfifo -m 600 ./cryptsetup_pipe

Add a passphrase to the specified key-slot using the named pipe. The command runs in the background and waits for the passphrases to be written to the pipe.

$ sudo cryptsetup luksAddKey --key-slot 7 --key-file ./cryptsetup_pipe /dev/sdb1 ./cryptsetup_pipe &

Provide any current passphrase.

$ printf '%s' "anycurrentpassword" > cryptsetup_pipe

Provide the additional passphrase.

$ printf '%s' "badpassword" > cryptsetup_pipe

Remove the named pipe.

$ unlink cryptsetup_pipe

Additional notes

Use these methods to perform the other operations described earlier in How to interactively manage LUKS passphrases.

You can change or remove passphrases non-interactively using intermediate files or a named pipe. Batch-mode is implicitly used when you provide a passphrase as described here.

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.