LUKS: backups and headers

From the cryptsetup FAQ and man page:

“LUKS header: If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header-backup. If a key-slot is damaged, it can only be restored from a header-backup or if another active key-slot with known passphrase is undamaged. Damaging the LUKS header is something people manage to do with surprising frequency. This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting header and key-slot area.”

Since it was better explained by someone else, I refer to their explanation:

Referencing the LUKS FAQ, there are two critical components for decryption: the salt values in the header itself and the key-slots. If the salt values are overwritten or changed, nothing (in the cryptographically strong sense) can be done to access the data, unless there is a backup of the LUKS header. If a key-slot is damaged, the data can still be read with a different key-slot, if there is a remaining undamaged and used key-slot.

Long story short: if our LUKS header gets damaged, all data is gone. To prevent that, we need to create a header backup, which is done with the following command:

# cryptsetup luksHeaderBackup <device> --header-backup-file <file>

Here <device> is the LUKS volume (a disk or partition) and <file> is the name of the header backup file to be created. In our case:

# cryptsetup luksHeaderBackup /dev/sdb2 --header-backup-file /root/sdb2-header-backup

Note: It is often recommended to store the header backup securely, i.e. on an encrypted drive. However, as mentioned in this article: “I put mine on /boot, as this is an unencrypted partition, and the file is small (2MiB).
There’s no great security loss in this – anyone with physical access (or root access) to your device can simply dump the header anyway. If you’re really worried though, save it somewhere safe, or print it out, and store it somewhere”.

If disaster strikes and our LUKS header gets broken, we can restore it with the following command:

# cryptsetup luksHeaderRestore <device> --header-backup-file <file>

WARNING: the LUKS header restore procedure replaces all key-slots, so only the passphrases that were valid when the backup was taken will work afterwards. The converse also holds, as the cryptsetup man page warns: a header backup plus any passphrase that was valid at backup time still unlocks the data area, even if that passphrase was later changed or removed from the device. Treat the backup file like a key, and take a fresh backup after every key-slot change.
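The whole procedure (back up, verify, restore) as a small POSIX shell script. This is an added example, not code from the original post or from the cryptsetup project; the device and backup path are the ones assumed in the post, the function names are mine, and the 16 MiB pre-restore snapshot size assumes the default LUKS1/LUKS2 header layouts. Only the magic-number check runs without cryptsetup; the backup and restore functions need root and a real LUKS device.

```sh
#!/bin/sh
# Added example (not from the original post or cryptsetup): wrap
# luksHeaderBackup / luksHeaderRestore with checks that the backup file
# really is a LUKS header before it is relied upon.
set -u

# Print the LUKS version (1 or 2) stored in FILE, or fail.
# A LUKS header starts with the 6-byte magic "LUKS" 0xba 0xbe followed by
# a 2-byte big-endian version. Only those 8 bytes are read, so this works
# on a backup file as well as on the device itself.
luks_header_version() {
    hdr=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo "not a LUKS header: $1" >&2; return 1 ;;
    esac
}

# Back up the header of DEVICE to FILE (assumed paths: /dev/sdb2 and
# /root/sdb2-header-backup in the post), then verify the file and record
# its hash so a bit-rotted copy is noticed before the day it is needed.
backup_luks_header() {
    dev=$1; file=$2
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$file" || return 1
    # The backup contains the key-slots: it is as sensitive as a key.
    chmod 0600 "$file"
    ver=$(luks_header_version "$file") || return 1
    # cryptsetup accepts a header file as its "device"; a backup that
    # luksDump cannot parse is not a backup.
    cryptsetup luksDump "$file" >/dev/null || return 1
    sha256sum < "$file" > "$file.sha256"
    echo "backed up LUKS$ver header of $dev to $file"
}

# Restore FILE onto DEVICE. The backup is checked first, and the current
# (possibly damaged) header area is saved alongside, because restore
# overwrites every key-slot with the ones from the backup.
restore_luks_header() {
    dev=$1; file=$2
    [ "$(sha256sum < "$file")" = "$(cat "$file.sha256")" ] || {
        echo "checksum mismatch for $file" >&2; return 1; }
    luks_header_version "$file" >/dev/null || return 1
    # Assumption: 16 MiB covers the default LUKS1 (2 MiB) and LUKS2 (16 MiB)
    # header areas. A damaged header cannot be saved with luksHeaderBackup,
    # so take a raw copy instead.
    dd if="$dev" of="$file.pre-restore" bs=1M count=16 2>/dev/null
    chmod 0600 "$file.pre-restore"
    cryptsetup luksHeaderRestore "$dev" --header-backup-file "$file"
}

case "${1:-}" in
    backup)  backup_luks_header "$2" "$3" ;;
    restore) restore_luks_header "$2" "$3" ;;
    "")      ;;  # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 backup|restore <device> <file>" >&2; exit 2 ;;
esac
```

Usage, as root: `sh luks-header.sh backup /dev/sdb2 /root/sdb2-header-backup`, and after a disaster `sh luks-header.sh restore /dev/sdb2 /root/sdb2-header-backup`. The version check is deliberately independent of cryptsetup so it can run from any rescue environment; luksDump is the stronger check, since it parses the whole header and lists the key-slots the backup would bring back.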

Another great resource on this subject:
