Score:0

Allow user to change LUKS password

Disk Utility allows changing the hard disk encryption password with a simple GUI.

I would like to allow non-admin/non-root users to change their LUKS password (IT has another slot for recovery).

Unfortunately, when trying to change the LUKS password as non-admin, Disk Utility prompts the user for an admin password to "unlock the encrypted device".

Is there a way to allow this operation? Maybe by adding the user to a specific security group?

Score:0
The solution is to add a polkit rule.

  • I created the group luks-unlock. This group will be allowed to unlock and change the passphrase of an encrypted filesystem in the polkit rule.

  • I created the file /etc/polkit-1/localauthority/50-local.d/luks-unlock.pkla:

[Change LUKS Password]
Identity=unix-group:luks-unlock
Action=org.freedesktop.udisks2.encrypted-change-passphrase;org.freedesktop.udisks2.encrypted-change-passphrase-system;org.freedesktop.udisks2.encrypted-lock-others;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.encrypted-unlock-crypttab;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.encrypted-unlock-system
ResultActive=yes

  • Add the allowed users to the luks-unlock group.

Works fine on Ubuntu 22.04.
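An added example, not part of the original answer: a small Python audit of a .pkla entry like the one above, listing what it grants without a prompt and flagging wildcard grants or grants that also apply outside an active local session. The second entry in the sample is constructed for contrast, the function names are hypothetical, and the matching is a simplification that ignores polkit's file ordering and overrides.

```python
import configparser
from fnmatch import fnmatchcase

# Rule from the answer above, plus a constructed loose entry (not from the page).
PKLA = """\
[Change LUKS Password]
Identity=unix-group:luks-unlock
Action=org.freedesktop.udisks2.encrypted-change-passphrase;org.freedesktop.udisks2.encrypted-change-passphrase-system;org.freedesktop.udisks2.encrypted-lock-others;org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.encrypted-unlock-crypttab;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.encrypted-unlock-system
ResultActive=yes

[Constructed loose example]
Identity=unix-user:*
Action=org.freedesktop.udisks2.*
ResultAny=yes
"""

def _split(value):
    return [item for item in value.split(";") if item]

def parse_pkla(text):
    """Return one dict per [section] of a .pkla file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text)
    return [{"name": s,
             "identities": _split(cp[s].get("Identity", "")),
             "actions": _split(cp[s].get("Action", "")),
             "results": {k: v for k, v in cp[s].items() if k.startswith("Result")}}
            for s in cp.sections()]

def audit(entries):
    """Flag grants broader than a named identity on an active local session."""
    findings = []
    for e in entries:
        for glob in e["identities"] + e["actions"]:
            if "*" in glob or "?" in glob:
                findings.append((e["name"], "wildcard", glob))
        for key in ("ResultAny", "ResultInactive"):
            if e["results"].get(key) == "yes":
                findings.append((e["name"], "yes outside active session", key))
    return findings

def granted_without_prompt(entries, group, action):
    """True if a member of `group` gets ResultActive=yes for `action`."""
    ident = "unix-group:" + group
    return any(e["results"].get("ResultActive") == "yes"
               and any(fnmatchcase(ident, g) for g in e["identities"])
               and any(fnmatchcase(action, a) for a in e["actions"])
               for e in entries)
```

Run over the answer's rule alone, `audit` returns no findings: the grant is limited to one named group and to `ResultActive`, so a member connecting over SSH rather than sitting at the local console is still prompted.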
