luksbox revoke
Disable a keyslot without rotating the MVK.
luksbox revoke [OPTIONS] <PATH>
Zeroes a slot's contents (kind = Empty, all fields cleared). The revoked slot can no longer unlock the vault; remaining slots are unaffected.
Examples
# Revoke slot 1 (typically the second-enrolled key)
luksbox revoke my.lbx --slot 1
# You'll be asked to authenticate with another slot first.
To find slot indexes:
luksbox info my.lbx
# Shows: slot 0 = Passphrase, slot 1 = Fido2HmacSecret, ...
Important: revoke does NOT rotate the MVK
After revoking a slot:
- That slot's KEK can no longer derive the MVK from the on-disk ciphertext (the ciphertext is gone).
- BUT anyone who already extracted the MVK at some point (e.g. an attacker who briefly had your YubiKey) still holds it - and that MVK still decrypts every file in the vault.
If you suspect a key was compromised, follow revoke with rotate-mvk:
luksbox revoke my.lbx --slot 1
luksbox rotate-mvk my.lbx
rotate-mvk generates a fresh MVK, re-encrypts every file under it, and re-wraps every remaining keyslot under the new MVK. After that, the previously-extracted MVK is useless against the vault.
Refusing to revoke the last slot
LUKSbox refuses to revoke the only remaining keyslot (doing so would lock you out of the vault). Add a new slot first if you really want to "reset" the vault.
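The two points above (a revoked slot no longer derives the MVK, but an MVK that was extracted earlier keeps working until rotate-mvk; and the last live slot cannot be revoked) are easier to see in a small model. The following is an added example, not LUKSbox code: a toy vault whose layout is assumed to be "MVK encrypts every file; each keyslot holds the MVK wrapped under a per-slot KEK". The cipher is a throwaway SHA-256 keystream with an HMAC tag, chosen only so the example runs with the standard library, and the assumption that rotate_mvk receives the KEK of every remaining slot is the model's, not something the page states.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 counter keystream). Illustrative only;
    # not the cipher LUKSbox uses.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag.
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    # Plaintext, or None when the tag does not verify under this key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _keystream_xor(key, nonce, ct) if hmac.compare_digest(tag, expect) else None


class ToyVault:
    def __init__(self) -> None:
        self.mvk = os.urandom(32)           # held in memory only while unlocked
        self.slots: List[dict] = []         # {"kind": str, "wrapped": bytes}
        self.files: Dict[str, bytes] = {}   # name -> sealed ciphertext

    def enroll(self, kind: str, kek: bytes) -> int:
        # New slot = MVK wrapped under this slot's KEK; returns the slot index.
        self.slots.append({"kind": kind, "wrapped": seal(kek, self.mvk)})
        return len(self.slots) - 1

    def unlock(self, slot: int, kek: bytes) -> Optional[bytes]:
        # Derive the MVK from one slot; None if the slot is Empty or the KEK is wrong.
        s = self.slots[slot]
        return None if s["kind"] == "Empty" else unseal(kek, s["wrapped"])

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = seal(self.mvk, data)

    def read_with(self, mvk: bytes, name: str) -> Optional[bytes]:
        # Decrypt with a caller-supplied MVK: models someone who extracted the
        # MVK earlier and no longer needs any keyslot.
        return unseal(mvk, self.files[name])

    def active_slots(self) -> List[int]:
        return [i for i, s in enumerate(self.slots) if s["kind"] != "Empty"]

    def revoke(self, slot: int) -> None:
        # Zero the slot (kind = Empty). Refuses to empty the last live slot.
        if self.active_slots() == [slot]:
            raise RuntimeError("refusing to revoke the only remaining keyslot")
        self.slots[slot] = {"kind": "Empty", "wrapped": b""}

    def rotate_mvk(self, keks: Dict[int, bytes]) -> None:
        # Fresh MVK, every file re-encrypted, every live slot re-wrapped.
        # Model assumption: the caller supplies the KEK of each live slot.
        plain = {n: unseal(self.mvk, c) for n, c in self.files.items()}
        self.mvk = os.urandom(32)
        self.files = {n: seal(self.mvk, p) for n, p in plain.items()}
        for i in self.active_slots():
            self.slots[i]["wrapped"] = seal(keks[i], self.mvk)


def scenario() -> dict:
    # Constructed walk-through: enroll two slots, "lose" the token briefly,
    # revoke, then rotate. Reports what each key can still do at each stage.
    v = ToyVault()
    pw_kek = hashlib.sha256(b"constructed passphrase").digest()   # constructed
    fido_kek = os.urandom(32)                                       # constructed
    v.enroll("Passphrase", pw_kek)
    v.enroll("Fido2HmacSecret", fido_kek)
    v.write("notes.txt", b"secret plan")

    extracted_mvk = v.unlock(1, fido_kek)   # MVK pulled out while slot 1 was usable

    v.revoke(1)
    after_revoke = {
        "slot1_unlocks": v.unlock(1, fido_kek) is not None,
        "old_mvk_reads": v.read_with(extracted_mvk, "notes.txt") == b"secret plan",
    }

    v.rotate_mvk({0: pw_kek})
    after_rotate = {
        "old_mvk_reads": v.read_with(extracted_mvk, "notes.txt") == b"secret plan",
        "slot0_reads": v.read_with(v.unlock(0, pw_kek), "notes.txt") == b"secret plan",
    }

    try:
        v.revoke(0)
        last_slot_refused = False
    except RuntimeError:
        last_slot_refused = True
    return {"after_revoke": after_revoke, "after_rotate": after_rotate,
            "last_slot_refused": last_slot_refused}


if __name__ == "__main__":
    print(scenario())
```

Running scenario() shows the asymmetry the page warns about: after revoke, slot 1 can no longer unlock anything, yet the previously extracted MVK still reads notes.txt; only after rotate_mvk does that MVK stop verifying against the re-encrypted files, while the surviving passphrase slot keeps working. The final step reproduces the last-slot refusal.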