Validating a secure key used with a LUKS2 volume
Using the zkey-cryptsetup validate command, you can obtain validation information about a secure key in the LUKS2 header of an encrypted volume.
The zkey-cryptsetup validate command checks whether the specified LUKS2 volume contains a valid secure key. It also displays further attributes of the secure key, such as the key size, whether it is a secure key that can be used for the XTS cipher mode, and the master key register (CURRENT or OLD) with which the secure key is enciphered. If a verification pattern is available for the secure key, that is, if it has been set using the setvp command, it is displayed as well.
For further information about master key registers, see Re-enciphering AES secure keys.
Example: To validate the secure key of the encrypted volume /dev/mapper/disk<n> and display its attributes, enter:
# zkey-cryptsetup validate /dev/mapper/disk<n>
Enter passphrase for '/dev/mapper/disk<n>': disk<n>pw
Validation of secure volume key of device '/dev/mapper/disk<n>':
  Status: Valid
  Secure key size: 272 bytes
  XTS type key: Yes
  Key type: CCA-AESCIPHER
  Clear key size: 512 bits
  Enciphered with: CURRENT master key (MKVP: 26d69731a66f4255)
  Verification pattern: 477a8608f06743569e2c62fc5fe00085
                        08b18a80d7616094eceaa746be4a2edd
If the secure key is not valid because the master key with which it was wrapped is no longer available, the zkey utility shows a similar output as for a valid secure key, but with Status: Invalid, and some other properties are indicated as (unknown).
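The following added example (not part of the original documentation) shows one way to turn the validate output described above into a health-check result, so that volumes with an invalid key, or a key still enciphered with the OLD master key, can be flagged before the key becomes unusable. The function name, the exit-code convention, the wording "OLD master key", and the invalid sample are assumptions; the valid sample is the output shown on this page.

```shell
# Added example: classify output of `zkey-cryptsetup validate` read from stdin.
# Exit codes are this sketch's own convention: 0 = valid, CURRENT master key;
# 1 = valid, OLD master key (assumed wording); 2 = invalid or unrecognized.
classify_validate_output() {
    awk '
        {   # Split "Name: value" at the first colon and trim both parts.
            pos = index($0, ":"); if (pos == 0) next
            name = substr($0, 1, pos - 1); value = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", value)
            field[name] = value
        }
        END {
            if (field["Status"] != "Valid")             { print "INVALID";      exit 2 }
            if (field["Enciphered with"] ~ /^OLD /)     { print "VALID-OLD-MK"; exit 1 }
            if (field["Enciphered with"] ~ /^CURRENT /) { print "VALID";        exit 0 }
            print "UNRECOGNIZED"; exit 2
        }'
}

# Output for a valid secure key, as shown on this page.
sample_valid() {
    cat <<'EOF'
Validation of secure volume key of device '/dev/mapper/disk<n>':
  Status: Valid
  Secure key size: 272 bytes
  XTS type key: Yes
  Key type: CCA-AESCIPHER
  Clear key size: 512 bits
  Enciphered with: CURRENT master key (MKVP: 26d69731a66f4255)
  Verification pattern: 477a8608f06743569e2c62fc5fe00085
                        08b18a80d7616094eceaa746be4a2edd
EOF
}

# Constructed sample: which properties show "(unknown)" is an assumption.
sample_invalid() {
    cat <<'EOF'
Validation of secure volume key of device '/dev/mapper/disk<n>':
  Status: Invalid
  Secure key size: 272 bytes
  XTS type key: Yes
  Clear key size: (unknown)
  Enciphered with: (unknown)
EOF
}

sample_valid | classify_validate_output
sample_invalid | classify_validate_output || echo "exit code: $?"
```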