From: Felix Rubio <>
To: Milan Broz <>
Subject: Re: How to protect header and on.... paper?
Date: Sat, 03 Jun 2023 12:31:26 +0200
Message-ID: <>
In-Reply-To: <>

Hi Milan,

Thank you for your answer. In this case, would this be the correct 

1. BACKUP: Get the master key, encoded, printed. The master key is 
obtained by executing the command "cryptsetup luksDump --dump-master-key 
<device>", and is the concatenated result of the lines on the entry "MK 

2. RESTORE: In case LUKS header gets corrupted
   2.1 create a file containing the master key (e.g., master.key)
   2.2 convert the key from hex to binary "xxd -r -p master.key 
   2.3 Use the key to set up a new LUKS header "cryptsetup luksAddKey 
--master-key-file master.bin <device>", will ask for a new wrapping key
   2.4 Open the device with the new wrapping key "cryptsetup luksOpen 
<device> luksrec"
   2.5 Data should be accessible at /dev/mapper/luksrec

Thank you,

Felix Rubio
"Don't believe what you're told. Double check."

On 2023-06-03 10:29, Milan Broz wrote:
> Hi,
> On 6/3/23 09:29, Felix Rubio wrote:
>> I have set up my FDE using LUKS, tying the decryption key to my
>> TPM+recovery key. Now I am wondering: I know I can get a backup of the
>> LUKS header on a file, store it somewhere and done... but what happens
>> if the USB is corrupted by the time I need it? What if I put it on an
>> optical disk and it has been scratched? This kept me thinking: is there
>> any possibility/process to have the required information for the header
>> printed on paper, that could be stored in a safe?
> You cannot have full text backup of LUKS keyslot metadata, but you can
> dump volume encryption key that allows mapping data device without LUKS
> header.
> Actually, paper backup was motivation for --dump-volume-key option, use:
>  cryptsetup luksDump --dump-volume-key <device>
> (in very old cryptsetup use --dump-master-key instead)
> There is no automated script that maps dm-crypt automatically from this
> info, but it is quite trivial and should contain all info dm-crypt needs
> to decrypt data area.
> You can also dump metadata keyslot info with luksDump command, for 
> even in JSON format:
>  cryptsetup luksDump --dump-json-metadata <device>
> NOTE - this contains only configuration, not the binary area content
> of keyslots (but it can be useful anyway).
> Milan
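
As an added example (not part of the original thread and not cryptsetup's own code), this is one way to do the mapping Milan describes as "quite trivial": parse a retyped volume-key dump and build the dm-crypt table line. The field labels and sample dump are assumptions based on the luksDump output format, the key bytes are constructed, `parse_dump` and `dmcrypt_table` are hypothetical helper names, and 512-byte encryption sectors are assumed.

```python
# Constructed sample of `cryptsetup luksDump --dump-volume-key` output; the key
# bytes and device name are made up, the field labels are assumed.
SAMPLE_DUMP = """\
LUKS header information for /dev/sdX2
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 32768
UUID:           00000000-0000-0000-0000-000000000000
MK bits:        512
MK dump:        00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
                10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
                20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
                30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
"""


def parse_dump(text):
    """Return (fields, key_bytes) from a typed-in or scanned key dump."""
    fields, key_hex, in_key = {}, [], False
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and not line[:1].isspace():
            in_key = label.strip() == "MK dump"
            if in_key:
                key_hex.append(value)
            else:
                fields[label.strip()] = value.strip()
        elif in_key:
            key_hex.append(line)  # continuation line of the key dump
    key = bytes.fromhex("".join("".join(key_hex).split()))
    # A byte lost while retyping from paper shows up as a length mismatch.
    if len(key) * 8 != int(fields["MK bits"]):
        raise ValueError("key length does not match 'MK bits'")
    return fields, key


def dmcrypt_table(dump_text, device, device_sectors):
    """Build the dm-crypt table line for `device` (size in 512-byte sectors)."""
    fields, key = parse_dump(dump_text)
    offset = int(fields["Payload offset"])  # start of data area, in sectors
    length = device_sectors - offset
    if length <= 0:
        raise ValueError("device is smaller than the payload offset")
    cipher = f'{fields["Cipher name"]}-{fields["Cipher mode"]}'
    # <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
    return f"0 {length} crypt {cipher} {key.hex()} 0 {device} {offset}"


if __name__ == "__main__":
    # 2097152 sectors is a constructed size; read the real one with blockdev --getsz.
    print(dmcrypt_table(SAMPLE_DUMP, "/dev/sdX2", 2097152))
```

Feeding the resulting line to `dmsetup create luksrec` on standard input keeps the key out of the process list. A volume formatted with a larger encryption sector size additionally needs dm-crypt's `sector_size` optional parameter, which this example does not emit.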
