Change User Password and LUKS Passphrase
Changing user password
If you can't log into your computer, you can follow these instructions to reset the password for any user. Pop!_OS and Ubuntu allow for the root user to reset the password for any user account. In order to get to the root user, we need to restart the computer and use what's called "single user mode", which is the low level repair system for the computer.
Pop!_OS 18.04 and Later
On a fresh install Pop!_OS 18.04 and later, systemd-boot is used rather than GRUB. Please follow these instructions to reset your password. If your operating system is anything other than Pop!_OS 18.04 and later, please use the GRUB section.
First, bring up the systemd-boot menu by holding down SPACE or the ESC key. On the menu, choose Recovery Mode.
Once the live disk boots move to a new workspace, to do this on Ubuntu use the Activities button in the top left and on Pop!_OS use the Workspaces button in the top left (be sure not to choose any install or repair options in the installer window, as this could result in data loss).
Mounting the Installed OS
On Pop!_OS press +T or on Ubuntu press +Alt+T to open a terminal, and type in these commands:
This will show what the main internal drive is named, which will have 4 partitions on it. We will be working with the 3rd partition. If the main drive is an NVMe drive, it will be
/dev/nvme0n1p3 and if the drive is a SATA or regular M.2 drive, it will be
Next, run this command:
sudo mount /dev/sda3 /mnt
If the command fails and says
mount: /mnt: unknown filesystem type 'crypto_LUKS', then the hard drive has been encrypted, and additional commands are needed to unlock it. If the command succeeds (no output), then skip these next steps:
sudo cryptsetup luksOpen /dev/sda3 volume
sudo vgchange -ay
Take note as to what the volume group is called, substituting the correct info into this command. Make sure that '-root' is on the end:
sudo mount /dev/mapper/data-root /mnt
Next, regardless of whether the drive is encrypted or not, run these commands:
sudo chroot /mnt
Take note of the users on this computer, then run this command to change a user's password:
Type in your new password, and then enter these commands:
Changing LUKS passphrase
If you would like to change the password on a LUKS encrypted partition, run this command (replace the example partition with your root partition):
cryptsetup luksChangeKey /dev/sda3 -S 0
Enter the original pass-phrase, and follow the prompts for the new pass-phrase ( and to confirm the new pass-phrase).
Adding LUKS passphrases
Full Disk Encryption supports up to 8 total pass-phrases to unlock the encryption. This is useful if you would like to allow more than a single user to unlock the encryption and not share a pass-phrase. The default pass-phrase is in slot 0, with space for additional pass-phrases in slots 1 through 7 (for a total of 8).
First let's list the partitions of all of the installed drives:
lsblk -o name,mountpoints
The output may be different based on the drive setup and partition table. You can see the root partition at mountpoint '/'. From there we can use that output to run this command:
sudo cryptsetup luksDump /dev/sda3
Replacing '/dev/sda3' with the location of the root partition on your system. With the output of this command we can see the seven extra slots that we have for passwords to decrypt the drive. On a normal install Slot 0 is the initial passphrase and you can add up to 6 more for a total of 7.
Set Extra Password
Following the partition scheme from the previous command we can form the next command to add a new key to the open Key Slot:
sudo cryptsetup luksAddKey /dev/sda3
This command will require the current encryption password before new password can be added.
Confirm The Password
Let's run this command again to confirm that the additional pass-phrase is set:
sudo cryptsetup luksDump /dev/sda3
You should see that Key Slot 1 is now enabled so this confirms the new pass-phrase is set.