
How to backup the header of your LUKS encrypted partition


How Cryptsetup works

If you want to learn how to encrypt block devices, go this route: that article is gold and teaches you everything you need to know about cryptsetup.

About the dilemma

With this article I only want to highlight a weak spot in your setup that you may not know exists. The passphrase you enter at boot, or generally whenever you open a LUKS encrypted partition, is used to derive a key, and that key unlocks another key, the one that actually decrypts the data on your block device. This second key is generated randomly when the container is created, so it has to be stored somewhere. That somewhere is a small section at the beginning of the partition, called the LUKS header.

In case you didn’t know: you have 8 key slots available to decrypt your data. That can be handy, e.g. to create an additional key for a short period of time and revoke it once someone or something should no longer have access.

The cure

Run the following to print some information about your setup:

   sudo cryptsetup luksDump /dev/nvme0n1p2

LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	...
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
	Time cost:  12
	Memory:     1048576
	Threads:    4
	Salt:       ...
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 357631
	Salt:       ...
	Digest:     ...

You can see that I have only used key slot 0.

Now imagine that this header section gets corrupted or destroyed for whatever reason, say a dd command that went wrong. All of your data is lost: you will not be able to decrypt it any more. Losing your self-chosen passphrase is just as bad. So go ahead and create a backup of the header:

   sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file ./headerBackup.img

Put this backup somewhere else where it’s safe, and of course not on the very same encrypted drive.

In case you need it, first check that it’s the correct one. Otherwise you might overwrite the wrong header and lose yet another key:

   sudo cryptsetup -v --header ./headerBackup.img open /dev/nvme0n1p2 test

If that worked, go ahead (close the container first) and restore your header:

   sudo cryptsetup luksHeaderRestore /dev/nvme0n1p2 --header-backup-file ./headerBackup.img
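The test-open above is the real check. As an added, offline complement (example code, not part of the original post or of cryptsetup), the following parses the binary part of a header backup file and compares its UUID with the one luksDump printed for the device, so an obviously wrong or truncated file is caught before luksHeaderRestore touches the disk. Field offsets follow the LUKS1 and LUKS2 on-disk formats; the sample header built at the end is constructed for demonstration only.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # primary-header magic, shared by LUKS1 and LUKS2
UUID_OFFSET, UUID_LEN = 168, 40   # the UUID field sits at the same offset in both formats

def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return buf.split(b"\0", 1)[0].decode("ascii", errors="replace")

def parse_luks_header(data: bytes) -> dict:
    """Parse the first 4096 bytes of a header backup (or partition); ValueError if not LUKS."""
    if len(data) < 4096 or data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic or truncated data")
    (version,) = struct.unpack_from(">H", data, 6)            # big-endian u16
    info = {"version": version,
            "uuid": _cstr(data[UUID_OFFSET:UUID_OFFSET + UUID_LEN])}
    if version == 2:
        # LUKS2: hdr_size is the metadata area incl. JSON, seqid is "Epoch" in luksDump
        info["hdr_size"], info["seqid"] = struct.unpack_from(">QQ", data, 8)
        info["label"] = _cstr(data[24:72]) or "(no label)"
    elif version == 1:
        # LUKS1: cipher name/mode, payload offset (512-byte sectors) and master key size
        info["cipher"] = _cstr(data[8:40]) + "-" + _cstr(data[40:72])
        info["payload_offset"], key_bytes = struct.unpack_from(">II", data, 104)
        info["key_bits"] = key_bytes * 8
    else:
        raise ValueError(f"unsupported LUKS version {version}")
    return info

def backup_matches_device(backup: bytes, device_uuid: str) -> bool:
    """True if the backup's UUID equals the UUID luksDump reports for the device."""
    return parse_luks_header(backup)["uuid"].lower() == device_uuid.strip().lower()

def check_backup_file(path: str, device_uuid: str) -> bool:
    """Offline plausibility check of a luksHeaderBackup file before luksHeaderRestore."""
    with open(path, "rb") as f:
        return backup_matches_device(f.read(4096), device_uuid)

def build_sample_luks2_header(uuid: str, label: str = "") -> bytes:
    """Constructed test input: a minimal LUKS2 binary header without the JSON area."""
    hdr = bytearray(4096)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", hdr, 6, 2, 16384, 3)   # version 2, hdr_size 16384, seqid 3
    hdr[24:24 + len(label)] = label.encode("ascii")
    hdr[72:78] = b"sha256"                           # checksum algorithm field
    hdr[UUID_OFFSET:UUID_OFFSET + len(uuid)] = uuid.encode("ascii")
    return bytes(hdr)
```

A matching UUID only proves the file belongs to this device; it says nothing about whether the key slots inside are intact, which is why the test-open with --header stays mandatory.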

Best
Sebastian

Image License

Today’s hero image “Gold Lock” by Mark Fischer is licensed under CC BY-SA 2.0.
