Set a new secure LUKS2 volume key
Use the zkey-cryptsetup setkey command to set a new secure LUKS2 volume key for a volume encrypted with LUKS2 and the PAES cipher.
Use this command to recover from an invalid secure AES volume key contained in the LUKS2 header. Such a key can become invalid when the CCA or EP11 master key is changed without re-enciphering the secure volume key.
You can recover the secure volume key only if you have a copy of the secure key in a file, and this copy was re-enciphered when the CCA or EP11 master key was changed. Thus, the copy of the secure key must be currently enciphered with the master key in the CURRENT or OLD master key register. Specify the secure key file with option --master-key-file to set this secure key as the new volume key. Remember that OLD master key registers are not available on EP11 coprocessors.
If the LUKS2 header of the volume contains a verification pattern token, it is used to ensure that the new volume key contains the same effective key. If no verification pattern token is available, you are prompted to confirm that the specified secure key is the correct one.
Example: To set the secure key contained in file seckey.key as the new key for the encrypted volume /dev/mapper/disk1:
# zkey-cryptsetup setkey /dev/mapper/disk1 --master-key-file seckey.key
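
Added example (not part of the original zkey documentation): a wrapper that saves the LUKS2 header before running setkey and validates the volume key afterwards, so that confirming a wrong key at the prompt stays reversible. The function name recover_volume_key, the DRY_RUN variable and the backup file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guarded wrapper around "zkey-cryptsetup setkey".
# recover_volume_key and DRY_RUN are hypothetical names, not zkey options.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# recover_volume_key DEVICE SECURE_KEY_FILE HEADER_BACKUP_FILE
recover_volume_key() {
    dev=$1; keyfile=$2; backup=$3

    # The secure key copy is the only recovery path: it must exist and be non-empty.
    if [ ! -s "$keyfile" ]; then
        echo "error: secure key file '$keyfile' is missing or empty" >&2
        return 2
    fi
    # cryptsetup refuses to overwrite a header backup; fail early and clearly.
    if [ -e "$backup" ]; then
        echo "error: header backup '$backup' already exists" >&2
        return 3
    fi

    # 1. Save the current header so the previous key slots can be restored.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 4
    # 2. Set the secure key from the file as the new volume key.
    run zkey-cryptsetup setkey "$dev" --master-key-file "$keyfile" || return 5
    # 3. Check that the volume key now in the header is valid.
    run zkey-cryptsetup validate "$dev" || return 6
}

# Usage: DRY_RUN=1 recover_volume_key /dev/mapper/disk1 seckey.key disk1-header.img
```

Store the header backup with the same care as the volume itself, because it contains the key slots that protect the volume key.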