Managing secure LUKS2 volume keys

Use zkey-cryptsetup to validate and re-encipher secure LUKS2 volume keys of volumes encrypted with LUKS2 and the PAES cipher. These secure LUKS2 volume keys of type AES are produced in two steps: first, a random plain text key is wrapped with an AES master key of a cryptographic coprocessor. Then this secure AES key is wrapped again by LUKS2 with a key derived from a user passphrase or key file. The result is a secure LUKS2 volume key of type AES (referred to simply as an AES volume key in parts of this documentation).

When you open a key slot contained in the LUKS2 header of the volume using zkey-cryptsetup, a passphrase is required. You are prompted for the passphrase unless option --key-file is specified. Option --tries specifies how many times a passphrase can be re-entered. When option --key-file is specified, the passphrase is read from the specified file. You can specify options --keyfile-offset and --keyfile-size to control which part of the key file is used as the passphrase. These options behave in the same way as with cryptsetup.

For detailed information refer to the zkey-cryptsetup man page or to zkey-cryptsetup - Managing LUKS2 volume keys.

To encrypt a volume using LUKS2 and the PAES cipher, generate a secure AES key in a specified file using the zkey command. Then format the device with cryptsetup luksFormat using the generated secure AES key (see Creating a volume for pervasive encryption).
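The two-step procedure above, together with the key-file handling of zkey-cryptsetup, as an added example script that is not part of the zkey documentation. It assumes a CCA coprocessor with an AES master key (so the secure key is a 64-byte-per-key CCA AESDATA blob), cryptsetup with LUKS2 support, and placeholder arguments DEVICE, KEYFILE and PASSFILE.

```shell
#!/bin/sh
# Added example, not from the zkey documentation: generate a secure AES key
# with zkey, format the device with cryptsetup luksFormat and the PAES
# cipher, then validate and re-encipher the secure LUKS2 volume key.
# Assumed: CCA coprocessor (AESDATA keys), LUKS2-capable cryptsetup, and
# placeholder paths DEVICE, KEYFILE (secure key) and PASSFILE (passphrase).
set -eu

# A CCA AESDATA secure key is 64 bytes per AES key whatever the clear key
# length, and XTS needs two keys (128 bytes). cryptsetup wants --key-size
# in bits of the secure key blob, not of the clear key, so derive it.
secure_key_bits() {
    echo $(( $(wc -c < "$1") * 8 ))
}

# Return 0 when the file has the size of a CCA AESDATA key (CBC or XTS).
is_cca_aesdata_key() {
    bytes=$(wc -c < "$1")
    [ "$bytes" -eq 64 ] || [ "$bytes" -eq 128 ]
}

main() {
    DEVICE=$1 KEYFILE=$2 PASSFILE=$3
    # Step 1: random clear AES-256 XTS key, wrapped by the AES master key.
    zkey generate "$KEYFILE" --keybits 256 --xts
    is_cca_aesdata_key "$KEYFILE"
    # Step 2: LUKS2 wraps the secure key with a key derived from PASSFILE.
    cryptsetup luksFormat --type luks2 --cipher paes-xts-plain64 \
        --key-size "$(secure_key_bits "$KEYFILE")" \
        --master-key-file "$KEYFILE" --key-file "$PASSFILE" "$DEVICE"
    # Confirm the volume key still unwraps under the current master key;
    # --key-file replaces the interactive passphrase prompt.
    zkey-cryptsetup validate "$DEVICE" --key-file "$PASSFILE"
    # After the coprocessor's master key was changed, re-encipher from the
    # old master key so the volume stays openable.
    zkey-cryptsetup reencipher "$DEVICE" --from-old --key-file "$PASSFILE"
}

# The hardware steps run only when invoked as: sh script.sh run DEV KEY PASS
if [ "${1:-}" = run ]; then
    main "$2" "$3" "$4"
fi
```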