From: Felix Rubio <felix@kngnt.org>
To: Milan Broz <gmazyland@gmail.com>
Cc: cryptsetup@lists.linux.dev
Subject: Re: How to protect header and on.... paper?
Date: Sat, 03 Jun 2023 12:31:26 +0200 [thread overview]
Message-ID: <2b4a7cd077e772e546d2f1528764e054@kngnt.org> (raw)
In-Reply-To: <a4bc8457-c127-55b2-5a65-388c3d836bf2@gmail.com>
Hi Milan,
Thank you for your answer. In this case, would this be the correct process?

1. BACKUP: Get the master key, encoded, printed. The master key is obtained by executing the command "cryptsetup luksDump --dump-master-key <device>", and is the concatenated result of the lines in the entry "MK dump".

2. RESTORE: In case the LUKS header gets corrupted:
2.1 Create a file containing the master key (e.g., master.key).
2.2 Convert the key from hex to binary: "xxd -r -p master.key master.bin".
2.3 Use the key to set up a new LUKS header: "cryptsetup luksAddKey --master-key-file master.bin <device>"; this will ask for a new wrapping key.
2.4 Open the device with the new wrapping key: "cryptsetup luksOpen <device> luksrec".
2.5 Data should be accessible at /dev/mapper/luksrec.
Thank you,
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-03 10:29, Milan Broz wrote:
> Hi,
>
> On 6/3/23 09:29, Felix Rubio wrote:
>> I have set up my FDE using LUKS, tying the decryption key to my
>> TPM + a recovery key. Now I am wondering: I know I can get a backup of the
>> LUKS header in a file, store it somewhere and be done... but what happens
>> if the USB stick is corrupted by the time I need it? What if I put it on an
>> optical disk and it has been scratched? This kept me thinking: is there
>> any possibility/process to have the required information for the header
>> printed on paper, that could be stored in a safe?
>
> You cannot have a full-text backup of LUKS keyslot metadata, but you can
> dump the volume encryption key that allows mapping the data device without
> the LUKS header.
>
> Actually, paper backup was the motivation for the --dump-volume-key option,
> use:
> cryptsetup luksDump --dump-volume-key <device>
>
> (in very old cryptsetup use --dump-master-key instead)
>
> There is no automated script that maps dm-crypt automatically from this
> info, but it is quite trivial and should contain all info dm-crypt needs
> to decrypt the data area.
>
>
> You can also dump metadata keyslot info with the luksDump command, for
> LUKS2 even in JSON format:
> cryptsetup luksDump --dump-json-metadata <device>
>
> NOTE - this contains only configuration, not the binary area content
> of keyslots (but it can be useful anyway).
>
> Milan
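The backup and restore steps discussed in this thread, as an added shell example that is not part of the original messages: it parses the text of a "cryptsetup luksDump --dump-volume-key" (or, on old versions, "--dump-master-key") printout as it would be typed back in from paper, checks the recovered key length against the declared "MK bits", and writes the binary key file that the restore step hands to cryptsetup. The dump text is a constructed sample with a dummy key, and the function names are my own.

```shell
#!/bin/sh
# Rebuild a binary volume key file from a luksDump key printout.
# Added example, not from the thread; the dump below is constructed
# sample output with a dummy key, not a real device's key.
set -eu

# extract_hex DUMPFILE: print the "MK dump:" block as one string of hex digits
extract_hex() {
    awk '
        /^MK dump:/ { inblock = 1; sub(/^MK dump:[ \t]*/, ""); printf "%s", $0; next }
        inblock && /^[ \t]+[0-9a-fA-F ]+$/ { printf "%s", $0; next }
        inblock { exit }
    ' "$1" | tr -d ' \t\n'
}

# mk_bits DUMPFILE: print the key size declared on the "MK bits:" line
mk_bits() {
    awk -F: '/^MK bits:/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# hex_to_bin HEX OUTFILE: write raw bytes, rejecting anything that is not clean hex
hex_to_bin() {
    hex=$1; out=$2
    case "$hex" in *[!0-9a-fA-F]*|"") echo "not hex: $hex" >&2; return 1;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    : > "$out"
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")" >> "$out"   # POSIX octal escape
    done
}

# restore_key DUMPFILE OUTFILE: a typo on paper shows up here as a length mismatch
restore_key() {
    hex=$(extract_hex "$1"); bits=$(mk_bits "$1")
    [ $(( ${#hex} * 4 )) -eq "$bits" ] ||
        { echo "key length mismatch: got $(( ${#hex} * 4 )) bits, expected $bits" >&2; return 1; }
    hex_to_bin "$hex" "$2" && chmod 600 "$2"
}

# write_sample_dump OUTFILE: constructed luksDump-style text with a 256-bit dummy key
write_sample_dump() {
    printf 'LUKS header information (constructed sample)\nCipher name:\taes\n' > "$1"
    printf 'Cipher mode:\txts-plain64\nPayload offset:\t4096\nMK bits:\t256\n' >> "$1"
    printf 'MK dump:\t00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\n' >> "$1"
    printf '\t\t0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0\n' >> "$1"
}
```

With the key file in hand, the restore continues with the cryptsetup commands quoted in the thread (use --volume-key-file on current versions, --master-key-file on old ones).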