How to assign binary key to LUKS key-slot

Learn how to create a binary key and assign it, instead of a passphrase, to a LUKS key-slot on a specific device.

Generate a random binary key.

$ openssl rand -out additional_binary_key 4096

Restrict the binary key permissions so that only its owner can read it.

$ chmod 400 additional_binary_key

Inspect binary key size and permissions.

$ ls -lh additional_binary_key
-r-------- 1 milosz milosz 4.0K Dec 31 02:11 additional_binary_key

Add an additional key stored in a file to the specified key-slot.

$ sudo cryptsetup luksAddKey --key-slot 7 /dev/sdb1 ./additional_binary_key
Enter any existing passphrase: **********

Additional notes

You can use an additional file or a named pipe to provide the current passphrase, as described in the "how to non-interactively manage LUKS passphrases" blog post.

Please read NOTES ON PASSPHRASE PROCESSING FOR LUKS in the cryptsetup manual page to understand the implications of the way you provide the key contents. Using a key file ensures that the whole key is read.
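
The key-creation steps above as one script, added here as an example and not taken from the original post: it creates the key under a restrictive umask so the file is never group- or world-readable before chmod runs, checks size and mode, and counts newline bytes to show why the key has to be supplied as a key file. The function names and the /dev/urandom fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not part of cryptsetup.

# make_keyfile PATH [BYTES]: create a random key that is never readable
# by group/others, not even between creation and chmod.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing file: $path" >&2
        return 1
    fi
    (
        umask 077   # the file is created with mode 0600
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -out "$path" "$bytes"
        else
            # Assumption: fall back to the kernel CSPRNG without openssl.
            head -c "$bytes" /dev/urandom > "$path"
        fi
    ) || return 1
    chmod 400 "$path"
}

# keyfile_size PATH: size in bytes.
keyfile_size() {
    echo $(( $(wc -c < "$1") ))
}

# keyfile_mode PATH: permission string as printed by ls, e.g. -r--------
keyfile_mode() {
    ls -ld "$1" | cut -c1-10
}

# newline_bytes PATH: count of 0x0a bytes. Passphrase input from stdin
# stops at the first newline, so any non-zero count means this key only
# works in full when cryptsetup reads it as a key file.
newline_bytes() {
    echo $(( $(LC_ALL=C tr -cd '\n' < "$1" | wc -c) ))
}

# check_keyfile PATH BYTES: succeed only for the expected size and mode.
check_keyfile() {
    [ "$(keyfile_size "$1")" -eq "$2" ] &&
        [ "$(keyfile_mode "$1")" = "-r--------" ]
}

# Usage: make_keyfile ./additional_binary_key && check_keyfile ./additional_binary_key 4096
```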

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.