I am using Ubuntu 15.10 and encrypted my partition with the default partitioning tool that is being displayed during installation. Now I want to be able to give my Laptop to somebody else without having to decrypt my drive and without giving him my passphrase. I already have a second user for him, but he doesn't even get to the point where you can login yourself because he can't encrypt the drive. So is it possible to have 2 keys for encryption?
Yes, LUKS supports multiple keyslots (8 in total) which all can unlock the master key.
See the manpage of cryptsetup on how to manage LUKS keyslots. E.g. if your LUKS partition is /dev/sda2, then:
While you're at it, also consider providing an --iter-time N (where N is the time in milliseconds) option to lower the risk of bruteforcing a keyslot. E.g. for a 2 seconds hashing time:
To list your current key slots:
Adding a new key slot first is also how I would recommend to change a current passphrase. First add a new one with the instruction above, reboot, verify the new passphrase works (you never know about keyboard layout mismatches etc.), then delete the old keyslot.
You'll then be asked to provide the passphrase to be removed.
In case you want to remove a key slot without providing the current passphrase, you can use luksKillSlot, but do that with great care and be sure to provide the right slot ID.