Cryptsetup

https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html

Decrypt a LUKS Key

dm-verity

dm-verity adds transparent integrity checking to a read-only block device. A hash tree over the device's blocks is stored alongside it, and every block is checked against that tree as it is read. Only the root hash has to be trusted, so it must be kept outside the device itself (signed, or supplied by something already verified earlier in the boot chain). A block that has been modified fails verification the moment it is accessed, which is what lets you verify that nothing has been changed.

This is a good fit for /boot, where changes are infrequent: every change to the protected data means regenerating the hash tree and redistributing the new root hash.
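As an added illustration (my code, not from the page or the dm-verity project), the Python below models the dm-verity hash tree and the per-block check the kernel performs on read. It assumes 4096-byte data and hash blocks, SHA-256, and dm-verity format version 1 (digest = H(salt || block)); the image, salt and the bit flip are constructed inline so it runs offline. In a real deployment `veritysetup format` builds the tree and prints the root hash, and `veritysetup open` hands both to the kernel.

```python
"""Added example (not code from the page or the dm-verity project): a
pure-Python model of the dm-verity hash tree and the check done on each read.

Assumptions, not taken from the page: 4096-byte data and hash blocks,
SHA-256, dm-verity format version 1 (digest = H(salt || block)).
The image and salt below are constructed inline."""
import hashlib

DATA_BLOCK = 4096
HASH_BLOCK = 4096
HASH_ALG = "sha256"
DIGEST_LEN = hashlib.new(HASH_ALG).digest_size
PER_BLOCK = HASH_BLOCK // DIGEST_LEN   # digests per hash block (128 for sha256)


def block_digest(salt: bytes, block: bytes) -> bytes:
    """Format-version-1 digest: H(salt || block)."""
    return hashlib.new(HASH_ALG, salt + block).digest()


def build_tree(data: bytes, salt: bytes):
    """Build the hash tree for a data image.

    Returns (root_hash, levels).  levels[0] holds the hash blocks over the
    data blocks, levels[-1] is the single top block; each hash block is the
    concatenated child digests, zero padded to HASH_BLOCK as on disk."""
    if len(data) % DATA_BLOCK:
        raise ValueError("image size must be a multiple of the data block size")
    digests = [block_digest(salt, data[i:i + DATA_BLOCK])
               for i in range(0, len(data), DATA_BLOCK)]
    levels = []
    while True:
        blocks = [b"".join(digests[i:i + PER_BLOCK]).ljust(HASH_BLOCK, b"\0")
                  for i in range(0, len(digests), PER_BLOCK)]
        levels.append(blocks)
        if len(blocks) == 1:
            break
        digests = [block_digest(salt, b) for b in blocks]
    # The root hash is the digest of the top hash block: the one value that
    # must be trusted (signed, or passed in from an already-verified stage).
    return block_digest(salt, levels[-1][0]), levels


def verify_block(data: bytes, index: int, salt: bytes, levels, root: bytes) -> bool:
    """Check one data block the way dm-verity does on read: hash it, then walk
    up the tree comparing each node with the digest stored in its parent."""
    expected = block_digest(salt, data[index * DATA_BLOCK:(index + 1) * DATA_BLOCK])
    pos = index
    for level in levels:
        parent = level[pos // PER_BLOCK]
        off = (pos % PER_BLOCK) * DIGEST_LEN
        if parent[off:off + DIGEST_LEN] != expected:
            return False            # the block, or a hash block under it, was modified
        expected = block_digest(salt, parent)
        pos //= PER_BLOCK
    return expected == root


def demo():
    """Constructed 300-block image (two tree levels); flip one bit and re-verify."""
    salt = bytes(range(32))                     # constructed; veritysetup picks a random salt
    image = b"".join(bytes([i % 256]) * DATA_BLOCK for i in range(300))
    root, levels = build_tree(image, salt)
    all_ok = all(verify_block(image, i, salt, levels, root) for i in range(300))

    tampered = bytearray(image)
    tampered[42 * DATA_BLOCK + 7] ^= 0x01       # single-bit change in block 42
    tampered = bytes(tampered)
    detected = not verify_block(tampered, 42, salt, levels, root)
    neighbour_ok = verify_block(tampered, 43, salt, levels, root)

    # Patching the leaf hash block to match the tampered data is not enough:
    # the top block then no longer hashes to the trusted root.
    forged = [list(level) for level in levels]
    leaf_blk = bytearray(forged[0][42 // PER_BLOCK])
    off = (42 % PER_BLOCK) * DIGEST_LEN
    leaf_blk[off:off + DIGEST_LEN] = block_digest(salt, tampered[42 * DATA_BLOCK:43 * DATA_BLOCK])
    forged[0][42 // PER_BLOCK] = bytes(leaf_blk)
    forged_detected = not verify_block(tampered, 42, salt, forged, root)
    return all_ok, detected, neighbour_ok, forged_detected, len(levels)


if __name__ == "__main__":
    print(demo())   # (True, True, True, True, 2)
```

Note what the model shows about the claim above: a modified block is caught when that block is read, not up front, so an untouched neighbour still verifies; to check a whole device in one pass use `veritysetup verify`. The forged-tree case is why only the root hash needs protecting: an attacker who can rewrite both the data and the hash device still cannot make the top block hash to the trusted root.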

dm-integrity

Change Key

Back up the disk header first. The backup includes the keyslot area, i.e. the encrypted volume key: anyone holding the file plus a passphrase that was valid when it was taken can unlock the device even after that passphrase has been removed on disk. Treat it like a key, move it out of /tmp to encrypted offline storage, and take a fresh one after every keyslot change.

>>> lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1        259:0    0 465.8G  0 disk
├─nvme0n1p1    259:1    0   1.9G  0 part  /boot
└─nvme0n1p2    259:2    0 463.9G  0 part
  └─crypt      254:0    0 463.8G  0 crypt
    ├─lvm-swap 254:1    0    32G  0 lvm
    └─lvm-root 254:2    0 431.8G  0 lvm   /
>>> sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /tmp/luksheader

Restore the header if it is ever damaged (the file name here is relative to the current directory; point it at wherever the backup was stored):

sudo cryptsetup luksHeaderRestore /dev/nvme0n1p2 --header-backup-file luksheader

Check Header Information:

>>> sudo cryptsetup luksDump /dev/nvme0n1p2
[sudo] password for generalzero:
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           8d0afcd0-4b23-426f-949f-61155f554cdc
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  36
        Memory:     1048576
        Threads:    4
        Salt:       57 bc 5a 6e 36 26 03 f8 c6 50 46 dc 48 03 da e2
                    0d 48 81 9b 0e d8 01 65 04 3a f3 10 f0 f7 26 ae
        AF stripes: 4000
        AF hash:    sha512
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512
        Iterations: 173835
        Salt:       b5 f3 22 2d e3 eb 1e fe f6 be 62 37 a3 8a c8 6a
                    ec 04 59 92 68 ad 48 c1 67 1f 8f 2b 35 e8 60 ca
        Digest:     df 7f a8 95 c8 ff eb f9 24 d6 d1 eb 23 4f 7d 60
                    35 ff ba 16 bd 41 d5 d6 ec 1b 25 f6 cb 44 7b b9
                    bf a5 f1 c1 13 f5 12 34 ff e9 67 22 dc 47 3d f5
                    02 63 2e 18 e5 ac ad 02 93 1e ed 0f 15 1b 21 74

Change the key derivation function (PBKDF) of a keyslot. The keyslot in the dump above already uses argon2id; this matters for keyslots still on pbkdf2, for example after converting a LUKS1 header to LUKS2. Use --key-slot N to pick a specific slot, otherwise the slot is selected by the passphrase entered. Take a fresh header backup afterwards, since the old backup still holds the old keyslot.

>>> sudo cryptsetup luksConvertKey /dev/nvme0n1p2 --pbkdf argon2id
Enter passphrase for keyslot to be converted:
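An added example, not from the page or from cryptsetup: the Python below reads the LUKS2 binary header that luksDump displays, verifies its checksum and lists the PBKDF of every keyslot, which is the check to run against a luksHeaderBackup file and again after luksConvertKey. It assumes the LUKS2 on-disk layout (a 4096-byte binary header with big-endian integers followed by the JSON area, checksum computed over hdr_size bytes with the checksum field zeroed) and builds a header in memory from made-up keyslot metadata with empty salts; the UUID and sizes mirror the dump above.

```python
"""Added example (not code from the page or cryptsetup): a minimal reader for
the LUKS2 binary header, the structure luksDump prints and luksHeaderBackup
copies.  It validates the checksum and reports each keyslot's PBKDF.

Assumptions, not from the page: the LUKS2 on-disk layout (4096-byte binary
header, big-endian integers, then the JSON area; checksum over hdr_size bytes
with the checksum field zeroed).  The header below is constructed in memory
from made-up keyslot metadata with empty salts."""
import hashlib
import json
import struct

# Binary header fields: magic, version, hdr_size, seqid, label, csum_alg,
# salt, uuid, subsystem, hdr_offset, padding, csum (512 bytes, then padding).
_HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s")
_CSUM_OFF = 448                  # offset of the 64-byte checksum field
_BIN_SIZE = 4096
MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")   # primary and secondary copy


def build_header(meta: dict, uuid: str, hdr_size: int = 16384, seqid: int = 3) -> bytes:
    """Serialize metadata into a LUKS2 header (binary part + JSON area) with checksum."""
    body_json = json.dumps(meta, separators=(",", ":")).encode()
    if _BIN_SIZE + len(body_json) > hdr_size:
        raise ValueError("JSON metadata does not fit in the header")
    binary = _HDR.pack(MAGIC[0], 2, hdr_size, seqid, b"", b"sha256", bytes(64),
                       uuid.encode(), b"", 0, bytes(184), bytes(64))
    body = binary.ljust(_BIN_SIZE, b"\0") + body_json.ljust(hdr_size - _BIN_SIZE, b"\0")
    csum = hashlib.sha256(body).digest().ljust(64, b"\0")   # computed with csum field zeroed
    return body[:_CSUM_OFF] + csum + body[_CSUM_OFF + 64:]


def parse_header(blob: bytes) -> dict:
    """Parse and validate one header copy; raise ValueError if it is not intact."""
    if len(blob) < _BIN_SIZE:
        raise ValueError("short header")
    (magic, version, hdr_size, seqid, label, csum_alg, _salt, uuid,
     _subsys, _hdr_off, _pad, csum) = _HDR.unpack(blob[:_HDR.size])
    if magic not in MAGIC:
        raise ValueError("bad magic: not a LUKS2 header")
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    alg = csum_alg.rstrip(b"\0").decode()
    if alg not in hashlib.algorithms_available:
        raise ValueError(f"unknown checksum algorithm {alg!r}")
    if len(blob) < hdr_size:
        raise ValueError("truncated: hdr_size larger than data")
    body = blob[:hdr_size]
    want = hashlib.new(alg, body[:_CSUM_OFF] + bytes(64) + body[_CSUM_OFF + 64:]).digest()
    if csum[:len(want)] != want:
        raise ValueError("checksum mismatch: header corrupt or tampered")
    meta = json.loads(body[_BIN_SIZE:].rstrip(b"\0").decode())
    keyslots = {sid: {"pbkdf": slot.get("kdf", {}).get("type"),
                      "cipher": slot.get("area", {}).get("encryption")}
                for sid, slot in meta.get("keyslots", {}).items()}
    return {"version": version, "seqid": seqid, "hdr_size": hdr_size,
            "label": label.rstrip(b"\0").decode(),
            "uuid": uuid.rstrip(b"\0").decode(), "keyslots": keyslots}


def is_intact(blob: bytes) -> bool:
    """True if the header parses and its checksum matches."""
    try:
        parse_header(blob)
        return True
    except ValueError:
        return False


def slots_not_argon2id(blob: bytes) -> list:
    """Keyslot ids still on another PBKDF: candidates for luksConvertKey."""
    return sorted(s for s, v in parse_header(blob)["keyslots"].items()
                  if v["pbkdf"] != "argon2id")


def flip_byte(blob: bytes, offset: int) -> bytes:
    """Return a copy with one bit flipped, to simulate corruption of a backup."""
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)


def _slot(kdf: dict, offset: str) -> dict:
    return {"type": "luks2", "key_size": 64,
            "area": {"type": "raw", "encryption": "aes-xts-plain64", "key_size": 64,
                     "offset": offset, "size": "258048"},
            "kdf": dict(kdf, salt=""),   # constructed: real salts are random, base64-encoded
            "af": {"type": "luks1", "stripes": 4000, "hash": "sha512"}}


# Constructed metadata: slot 0 uses argon2id, slot 1 is still on pbkdf2.
SAMPLE_META = {
    "keyslots": {"0": _slot({"type": "argon2id", "time": 36, "memory": 1048576, "cpus": 4}, "32768"),
                 "1": _slot({"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}, "290816")},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "encryption": "aes-xts-plain64", "sector_size": 512}},
    "digests": {}, "tokens": {},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}
SAMPLE_HEADER = build_header(SAMPLE_META, uuid="8d0afcd0-4b23-426f-949f-61155f554cdc")

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    print("needs luksConvertKey:", slots_not_argon2id(SAMPLE_HEADER))
    print("corrupted copy intact:", is_intact(flip_byte(SAMPLE_HEADER, 4200)))
```

A real backup file holds the primary and secondary header copies back to back (each hdr_size bytes, the second with the SKUL magic) followed by the keyslot area; parse the first hdr_size bytes for the primary and the next for the secondary, and cryptsetup prefers the copy with the higher seqid (the "Epoch" in luksDump). On a real header the JSON also carries the keyslot salts and the volume-key digest, which is why the backup must be guarded like a key.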

systemd-cryptenroll