Passphrase keyslots

Argon2id-stretched passphrase, the universal fallback keyslot.

The passphrase keyslot is what every vault has by default. It's universal (works without hardware), recoverable (memorise it, write it down), and the slowest to brute-force (Argon2id is memory-hard).

How it works

1. You type a passphrase at create or unlock time.
2. LUKSbox runs Argon2id with the slot's stored salt + parameters (default: 256 MiB memory, 3 iterations, 4 lanes).
3. The output is the wrap-KEK, a 256-bit key.
4. The wrap-KEK is used with AES-256-GCM-SIV to either:
   • Wrap the random Master Volume Key (MVK) at create time, or
   • Unwrap the stored ciphertext at unlock time.

The passphrase itself is never stored. Only the salt, the AEAD nonce, and the wrapped MVK ciphertext + tag live on disk.

KDF presets

LUKSbox ships two presets controllable via --kdf:

sensitive multiplies the brute-force cost by 6x at the price of a slower interactive unlock. Use it for vaults you want to protect against state-level adversaries who'd burn CPU-weeks on a single target.

luksbox create my-vault.lbx --kdf sensitive

Choosing a passphrase

Headline:

Practical recommendation: use a 6-word passphrase from the EFF long wordlist. 6 words = 78 bits of entropy, comfortably past any feasible attacker horizon.

Adding a passphrase keyslot to an existing vault

luksbox enroll my-vault.lbx --passphrase
# Enter the existing passphrase (or touch FIDO2) to unlock.
# Enter the NEW passphrase twice to enroll the second slot.

Now the vault has two passphrase slots. Either works; revoking one doesn't affect the other.

Revoking a passphrase keyslot

luksbox revoke my-vault.lbx --slot 1

The revoked slot is zeroed and can no longer unlock. The MVK is NOT rotated, so previously-extracted plaintext is still readable by whoever has it. For a true "this passphrase no longer reveals anything new" rotation, see luksbox rotate-mvk.