```
root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda3 luks-01 --key-file ./key-file.key
No usable token is available.
Warning: keyslot operation could fail as it requires more than available memory.
Key slot 1 unlocked.
Command successful.
root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda4 luks-02 --key-file ./key-file.key
No usable token is available.
Warning: keyslot operation could fail as it requires more than available memory.
Key slot 1 unlocked.
Command successful.
```

Success on the first volume, which I picked first because it was only 53M in size. Mounted it to /mnt… And guess what I found inside it?

```
root@ubuntu:/home/ubuntu/Downloads# ls -l /mnt/device/private-keys-v1/
total 4
-rw------- 1 root root 2459 Oct 18 18:29 O8CbAEpnfm7jGKkMqnokmdMBlE1oV6Xma_bUNudlshDYPxE4aJNhbhiGnF360Ze4
```

That is a key, but not connected to either LUKS container there… I dumped the headers of both LUKS containers. There are 2 key-slots, and the key translated from the recovery key is in slot one of both containers. The second key-slot’s key must be the TPM’s key, and it is unknown whether that is stored anywhere except the TPM…
But it shouldn’t matter now… Because that key-file did work to add a new passphrase to both LUKS containers.
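
To audit the key slots from a header dump like the ones described above, the sketch below (an added example, not code from the original post) summarizes LUKS2 JSON metadata such as `cryptsetup luksDump --dump-json-metadata` prints: the KDF of each slot, whether its Argon2 memory cost exceeds a given amount of RAM, and which header tokens reference it. The sample metadata, the token type `example-token` and the function names are constructed for illustration.

```python
import json

# Constructed sample of LUKS2 JSON metadata (not taken from the post's disks),
# trimmed to the fields used here; Argon2 memory is stored in KiB.
SAMPLE = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000}},
    },
    "tokens": {"0": {"type": "example-token", "keyslots": ["0"]}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0", "1"], "segments": ["0"]}},
})


def summarize_keyslots(metadata_json, available_kib=None):
    """Return one dict per keyslot: KDF, memory cost, referencing tokens, digests."""
    meta = json.loads(metadata_json)
    tokens = sorted(meta.get("tokens", {}).items())
    digests = sorted(meta.get("digests", {}).items())
    rows = []
    for slot_id, slot in sorted(meta.get("keyslots", {}).items(), key=lambda kv: int(kv[0])):
        kdf = slot.get("kdf", {})
        mem = kdf.get("memory")  # absent for pbkdf2 slots
        rows.append({
            "slot": int(slot_id),
            "kdf": kdf.get("type"),
            "memory_kib": mem,
            # True when unlocking this slot needs more RAM than the caller has
            "exceeds_ram": bool(mem and available_kib is not None and mem > available_kib),
            "tokens": [f"{tid}:{t.get('type')}" for tid, t in tokens
                       if slot_id in t.get("keyslots", [])],
            # Slots sharing a digest unlock the same volume key
            "digests": [did for did, d in digests if slot_id in d.get("keyslots", [])],
        })
    return rows


def unbound_slots(rows):
    """Keyslots that no token in the header references."""
    return [r["slot"] for r in rows if not r["tokens"]]


if __name__ == "__main__":
    rows = summarize_keyslots(SAMPLE, available_kib=512 * 1024)
    for row in rows:
        print(row)
    print("slots without a header token:", unbound_slots(rows))
```

A slot with no token in the header can still be unlocked by a key held elsewhere, so an empty `tokens` list only describes the header itself.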