2

I have two partitions on my laptop: EFI and /boot reside on the first partition, and the rest of the Linux directories, including root, reside on the second partition, which is encrypted with dm-crypt and LUKS2.

/dev/nvme0n1p1: UUID="7AF4-D518" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="4679ac1e-34a2-4ef8-aa7b-3d650ed32cca"
/dev/nvme0n1p2: UUID="440abce6-d1ac-41de-8ae1-ebaefa51823c" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="9bc4085a-05ce-41dc-9b4e-ed75c5901965"

I have a boot entry to auto-decrypt without using a passphrase (I was using a USB drive, but after the USB drive started giving issues, I stored and now use the keyfile on the EFI partition itself). My boot entry at /boot/loader/entries/arch-zen-auto.conf:

title Arch Linux (Zen) Auto
linux /vmlinuz-linux-zen
initrd /intel-ucode.img
initrd /initramfs-linux-zen.img
options cryptdevice=UUID=440abce6-d1ac-41de-8ae1-ebaefa51823c:luks:allow-discards cryptkey=/dev/disk/by-uuid/7AF4-D518:vfat:keyfile root=/dev/mapper/luks rootflags=subvol=@ rd.luks.options=discard rw mem_sleep_default=deep

So I can boot and use my system without providing the passphrase. Now, after a few months, I have forgotten my passphrase :(. I can't find my header backup either.

Is there a way I can add another passphrase using the existing keyfile I have on the EFI partition, without using my forgotten passphrase? What are my options, since I forgot my original passphrase?

I have tried to open the partition using the existing keyfile, but even that does not work:

x1# cryptsetup luksOpen /dev/nvme0n1p2 test --master-key-file /dev/disk/by-uuid/7AF4-D518
Volume key does not match the volume.

or

x1# cryptsetup luksOpen /dev/nvme0n1p2 test --master-key-file /boot/keyfile
Volume key does not match the volume.

My /etc/fstab, if that helps in any way:

# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/luks UUID=50d843f7-2f8e-4c56-ac3d-0b5a7d35110e
/dev/mapper/luks        /               btrfs           rw,noatime,nodiratime,compress=lzo,ssd,space_cache,subvolid=256,subvol=/@,subvol=@     0 0

# /dev/nvme0n1p1 UUID=7AF4-D518
/dev/nvme0n1p1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 2

# /dev/mapper/luks UUID=50d843f7-2f8e-4c56-ac3d-0b5a7d35110e
/dev/mapper/luks /home btrfs rw,noatime,nodiratime,compress=lzo,ssd,space_cache,subvolid=257,subvol=/@home,subvol=@home 0 0

# /dev/mapper/luks UUID=50d843f7-2f8e-4c56-ac3d-0b5a7d35110e
/dev/mapper/luks /data btrfs rw,noatime,nodiratime,compress=lzo,ssd,space_cache,subvolid=259,subvol=/@data,subvol=@data 0 0

# /dev/mapper/luks UUID=50d843f7-2f8e-4c56-ac3d-0b5a7d35110e
/dev/mapper/luks /var btrfs rw,noatime,nodiratime,compress=lzo,ssd,space_cache,subvolid=258,subvol=/@var,subvol=@var 0 0

All lines in /etc/crypttab are commented out, so there is nothing there.

What I have tried (some LUKS, not LUKS2, related information that did not help me):

wildnux
  • 123

1 Answer

4

Using --key-file

According to the manual:

luksAddKey <device> [<key file with new key>]

Adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file. The new passphrase to be added can be specified interactively or read from the file given as positional argument.

You should use this command:

cryptsetup luksAddKey --key-file /boot/keyfile --verify-passphrase /dev/nvme0n1p2

Note: --master-key-file represents the final symmetric key used by the kernel to do the actual encryption/decryption; it is always stored in a protected form and should be handled with care. This master key used to be retrievable from the kernel's device mapper using dmsetup table --showkeys with LUKS1, but it is no longer available with LUKS2 running on kernel >= 4.10 (unless opened with --disable-keyring): the entry is now a write-only kernel keyring name. The keyring's content is used by the kernel's device mapper, but is unavailable to userspace, root included. So if all passphrases/keyfiles are lost, and there is no older LUKS header dump with a former known passphrase/keyfile available, there no longer appears to be any way to recover the master key, even when the LUKS2 volume is still open (but if it is open, its data is still available for an emergency backup).

A.B
  • 6,306
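The procedure the answer describes (confirm the keyfile opens a keyslot, add a passphrase authenticated by that keyfile, then back the header up), as an added example that is not part of the original post or of cryptsetup's own documentation. It assumes a POSIX shell, cryptsetup 2.x and, for the throw-away demo container only, root; the device and keyfile paths, the image file, the demo passphrase and the luksDump excerpt are constructed placeholders. It goes one step beyond the answer: the keyslot parser also understands LUKS1 "Key Slot N: ENABLED" lines, so the same check works on either header format.

```shell
#!/bin/sh
# Added example, not code from the original post: a keyfile-only LUKS2
# rescue.  Paths, the throw-away image and the sample luksDump text below
# are constructed for the demo; on a real system pass your own device and
# keyfile (e.g. /dev/nvme0n1p2 and /boot/keyfile).
set -eu

# 1. Does the keyfile actually open a keyslot?  --test-passphrase checks the
#    slot without mapping the device.  --key-file takes a keyslot passphrase
#    (the whole file, trailing newline included, is the passphrase);
#    --master-key-file expects the raw volume key, which is why it fails
#    when fed a keyfile.
keyfile_unlocks() {                 # $1 = LUKS device, $2 = keyfile
    cryptsetup open --test-passphrase --key-file "$2" "$1" >/dev/null 2>&1
}

# 2. Which keyslots are populated?  Reads `cryptsetup luksDump` output on
#    stdin and prints the slot numbers on one line (e.g. "0 2").  Handles the
#    LUKS2 "Keyslots:" section and LUKS1 "Key Slot N: ENABLED" lines.
active_keyslots() {
    awk '
        /^Keyslots:/                 { in_slots = 1; next }
        /^[A-Za-z]/                  { in_slots = 0 }
        in_slots && /^  [0-9]+: /    { n = $1; sub(/:/, "", n); out = out sep n; sep = " " }
        /^Key Slot [0-9]+: ENABLED/  { n = $3; sub(/:/, "", n); out = out sep n; sep = " " }
        END                          { print out }
    '
}

# 3. Add a passphrase, authenticating with the existing keyfile.  The new
#    secret is read from a file here so the demo runs unattended; on a real
#    machine drop the third argument and cryptsetup prompts for it.
#    Any further arguments are passed through to cryptsetup (PBKDF tuning).
add_passphrase_with_keyfile() {     # $1 = device, $2 = old keyfile, $3 = new passphrase file
    dev=$1; old=$2; new=$3; shift 3
    cryptsetup luksAddKey --batch-mode --key-file "$old" "$@" "$dev" "$new"
}

# 4. Back the header up as soon as a second unlock path exists; losing the
#    header (or every keyslot) is unrecoverable, as the answer explains.
backup_header() {                   # $1 = device, $2 = output file
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Constructed LUKS2 luksDump excerpt (slots 0 and 2 populated) so the parser
# can be exercised without a real device.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-4000-8000-000000000000
Flags:          allow-discards

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
'

# Throw-away demo (needs root and cryptsetup):  sudo sh rescue.sh demo
demo() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    img="$work/disk.img"; kf="$work/keyfile"; newpw="$work/new-passphrase"
    truncate -s 32M "$img"
    head -c 64 /dev/urandom >"$kf"; chmod 600 "$kf"
    printf 'correct horse battery staple' >"$newpw"   # constructed demo passphrase
    # Slot 0 holds only the keyfile, like a machine whose typed passphrase is
    # gone.  pbkdf2 at 1000 iterations keeps the demo fast; never do that for real data.
    cryptsetup luksFormat --type luks2 --batch-mode --pbkdf pbkdf2 \
        --pbkdf-force-iterations 1000 --key-file "$kf" "$img"
    keyfile_unlocks "$img" "$kf" || { echo "keyfile does not open any slot" >&2; exit 1; }
    echo "slots before: $(cryptsetup luksDump "$img" | active_keyslots)"
    add_passphrase_with_keyfile "$img" "$kf" "$newpw" --pbkdf pbkdf2 --pbkdf-force-iterations 1000
    echo "slots after:  $(cryptsetup luksDump "$img" | active_keyslots)"
    keyfile_unlocks "$img" "$newpw" || { echo "new passphrase does not open any slot" >&2; exit 1; }
    backup_header "$img" "$work/header.bak" && echo "header backup written to $work/header.bak"
}

if [ "${1-}" = demo ]; then
    demo
else
    echo "keyslots in sample dump: $(printf '%s' "$SAMPLE_LUKS2_DUMP" | active_keyslots)"
fi
```

On the real machine the sequence is `keyfile_unlocks /dev/nvme0n1p2 /boot/keyfile` first (if that returns non-zero, the keyfile never matched a slot and luksAddKey will fail the same way), then `cryptsetup luksAddKey --key-file /boot/keyfile /dev/nvme0n1p2` interactively, then a header backup stored somewhere other than the encrypted volume. Once the new passphrase is confirmed with `--test-passphrase`, the slot belonging to the forgotten passphrase can be retired with `cryptsetup luksKillSlot --key-file /boot/keyfile /dev/nvme0n1p2 N`, using the slot number that `active_keyslots` reports and that the new passphrase does not own.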