* How to protect header and on.... paper?
@ 2023-06-03 7:29 Felix Rubio
From: Felix Rubio @ 2023-06-03 7:29 UTC (permalink / raw)
To: cryptsetup
Hi everybody,
I have set up my FDE using LUKS, tying the decryption key to my
TPM+recovery key. Now I am wondering: I know I can get a backup of the
LUKS header in a file, store it somewhere and be done... but what happens
if the USB is corrupted by the time I need it? What if I put it on an
optical disk and it has been scratched? This kept me thinking: is there any
possibility/process to have the required information for the header
printed on paper, so that it could be stored in a safe?
Thank you very much for your time,
--
Felix Rubio
"Don't believe what you're told. Double check."
* Re: How to protect header and on.... paper?
From: Milan Broz @ 2023-06-03 8:29 UTC (permalink / raw)
To: Felix Rubio, cryptsetup
Hi,
On 6/3/23 09:29, Felix Rubio wrote:
> I have set up my FDE using LUKS, tying the decryption key to my
> TPM+recovery key. Now I am wondering: I know I can get a backup of the
> LUKS header in a file, store it somewhere and be done... but what happens
> if the USB is corrupted by the time I need it? What if I put it on an
> optical disk and it has been scratched? This kept me thinking: is there any
> possibility/process to have the required information for the header
> printed on paper, so that it could be stored in a safe?
You cannot have a full text backup of the LUKS keyslot metadata, but you can
dump the volume encryption key, which allows mapping the data device without
the LUKS header.

Actually, paper backup was the motivation for the --dump-volume-key option; use:

cryptsetup luksDump --dump-volume-key <device>

(in very old cryptsetup use --dump-master-key instead)

There is no automated script that maps dm-crypt automatically from this
info, but it is quite trivial, and the dump should contain all the info dm-crypt
needs to decrypt the data area.

You can also dump the keyslot metadata with the luksDump command, for LUKS2
even in JSON format:

cryptsetup luksDump --dump-json-metadata <device>

NOTE - this contains only the configuration, not the binary area content
of the keyslots (but it can be useful anyway).
Milan
* Re: How to protect header and on.... paper?
From: Felix Rubio @ 2023-06-03 10:31 UTC (permalink / raw)
To: Milan Broz; +Cc: cryptsetup
Hi Milan,
Thank you for your answer. In this case, would this be the correct
process?
1. BACKUP: Get the master key, encoded, printed. The master key is
obtained by executing the command "cryptsetup luksDump --dump-master-key
<device>", and is the concatenated result of the lines in the entry "MK
dump".
2. RESTORE: In case the LUKS header gets corrupted:
2.1 Create a file containing the master key (e.g., master.key)
2.2 Convert the key from hex to binary: "xxd -r -p master.key
master.bin"
2.3 Use the key to set up a new LUKS header: "cryptsetup luksAddKey
--master-key-file master.bin <device>"; this will ask for a new wrapping key
2.4 Open the device with the new wrapping key: "cryptsetup luksOpen
<device> luksrec"
2.5 Data should be accessible at /dev/mapper/luksrec
Thank you,
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2023-06-03 10:29, Milan Broz wrote:
> Hi,
>
> On 6/3/23 09:29, Felix Rubio wrote:
>> I have set up my FDE using LUKS, tying the decryption key to my
>> TPM+recovery key. Now I am wondering: I know I can get a backup of the
>> LUKS header in a file, store it somewhere and be done... but what happens
>> if the USB is corrupted by the time I need it? What if I put it on an
>> optical disk and it has been scratched? This kept me thinking: is there any
>> possibility/process to have the required information for the header
>> printed on paper, so that it could be stored in a safe?
>
> You cannot have a full text backup of the LUKS keyslot metadata, but you can
> dump the volume encryption key, which allows mapping the data device without
> the LUKS header.
>
> Actually, paper backup was the motivation for the --dump-volume-key option; use:
> cryptsetup luksDump --dump-volume-key <device>
>
> (in very old cryptsetup use --dump-master-key instead)
>
> There is no automated script that maps dm-crypt automatically from this
> info, but it is quite trivial, and the dump should contain all the info dm-crypt
> needs to decrypt the data area.
>
> You can also dump the keyslot metadata with the luksDump command, for LUKS2
> even in JSON format:
> cryptsetup luksDump --dump-json-metadata <device>
>
> NOTE - this contains only the configuration, not the binary area content
> of the keyslots (but it can be useful anyway).
>
> Milan
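The data-handling half of the procedure discussed above (Milan's `luksDump --dump-volume-key` output, Felix's step 1 and steps 2.1/2.2) is where a paper backup actually fails in practice: a digit mistyped when re-entering 128 hex characters. The helper below is an added example written for this page; it is not cryptsetup code and not something either poster provided. It parses the `MK dump` block out of luksDump text, validates the length against `MK bits`, prints the key in numbered 4-digit groups with a per-line check value and a whole-key SHA-256 fingerprint, and rebuilds the raw bytes from a re-typed printout (the same bytes `xxd -r -p` would produce), pointing at the offending line if one was mistyped. The dump text and the key in it are constructed dummies (bytes 0x00..0x3f), the output file name is an assumption, and the cryptsetup invocations themselves are left exactly as the thread states them.

```python
"""Paper-backup helper for a LUKS volume key (added example, not cryptsetup code)."""
import hashlib
import re

# Constructed sample of `cryptsetup luksDump --dump-volume-key` output.
# Layout follows the tool; the key is a DUMMY (0x00..0x3f), not a real volume key.
SAMPLE_DUMP = """\
LUKS header information for /dev/sdX2
Cipher name:   \taes
Cipher mode:   \txts-plain64
Payload offset:\t32768
UUID:          \t00000000-0000-0000-0000-000000000000
MK bits:       \t512
MK dump:\t00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
\t\t10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
\t\t20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
\t\t30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
LINE_BYTES = 16
PAPER_LINE = re.compile(r"^(\d+):\s+([0-9a-fA-F ]+?)\s+\[([0-9a-fA-F]{4})\]$")


def parse_volume_key(dump_text: str) -> bytes:
    """Return the raw volume key from luksDump text, checked against 'MK bits'."""
    lines = dump_text.splitlines()
    bits, tokens = None, []
    for i, line in enumerate(lines):
        if line.startswith("MK bits:"):
            bits = int(line.split(":", 1)[1])
        elif line.startswith("MK dump:"):
            chunks = [line.split(":", 1)[1]]
            # continuation lines are indented; the first unindented or blank line ends the dump
            for cont in lines[i + 1:]:
                if cont.strip() and cont[0] in " \t":
                    chunks.append(cont)
                else:
                    break
            tokens = " ".join(chunks).split()
    if bits is None or not tokens:
        raise ValueError("MK bits / MK dump not found in dump text")
    bad = [t for t in tokens if not HEX_BYTE.match(t)]
    if bad:
        raise ValueError(f"non-hex tokens in MK dump: {bad}")
    key = bytes.fromhex("".join(tokens))
    if len(key) * 8 != bits:
        raise ValueError(f"MK bits says {bits}, dump has {len(key) * 8}")
    return key


def line_check(hexline: str) -> str:
    """4-hex-digit check value for one printout line (truncated SHA-256 of its hex)."""
    return hashlib.sha256(hexline.lower().encode()).hexdigest()[:4]


def to_paper(key: bytes) -> str:
    """Numbered 16-byte lines in 4-digit groups, each with a check value, then a fingerprint."""
    out = []
    for n in range(0, len(key), LINE_BYTES):
        chunk = key[n:n + LINE_BYTES].hex()
        groups = " ".join(chunk[i:i + 4] for i in range(0, len(chunk), 4))
        out.append(f"{n // LINE_BYTES + 1:02d}: {groups}  [{line_check(chunk)}]")
    out.append(f"sha256: {hashlib.sha256(key).hexdigest()}")
    return "\n".join(out) + "\n"


def from_paper(text: str) -> bytes:
    """Rebuild the raw key from a re-typed printout; a mistyped line is reported by number."""
    parts, fingerprint = [], None
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if raw.lower().startswith("sha256:"):
            fingerprint = raw.split(":", 1)[1].strip().lower()
            continue
        m = PAPER_LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable printout line: {raw!r}")
        num, hexpart, check = m.group(1), m.group(2).replace(" ", "").lower(), m.group(3).lower()
        if line_check(hexpart) != check:
            raise ValueError(f"check value mismatch on line {num}: re-enter it")
        parts.append(hexpart)
    key = bytes.fromhex("".join(parts))
    if fingerprint is not None and hashlib.sha256(key).hexdigest() != fingerprint:
        raise ValueError("whole-key fingerprint mismatch")
    return key


def detects_typo(paper: str, line_no: int = 2) -> bool:
    """Corrupt one hex digit on a printout line and confirm from_paper() rejects the result."""
    lines = paper.splitlines()
    pos = lines[line_no - 1].index(": ") + 2  # first hex digit of that line
    ch = lines[line_no - 1][pos]
    lines[line_no - 1] = lines[line_no - 1][:pos] + ("0" if ch != "0" else "f") + lines[line_no - 1][pos + 1:]
    try:
        from_paper("\n".join(lines))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    printout = to_paper(parse_volume_key(SAMPLE_DUMP))
    print(printout)  # this is what goes on paper
    # Recovery: write the bytes back out for cryptsetup's --master-key-file /
    # --volume-key-file option (file name is an assumption of this example).
    with open("volume.key", "wb") as f:
        f.write(from_paper(printout))
```

Keep the SHA-256 fingerprint line on the printout as well: the 4-digit line checks localise a typo to one line so only that line has to be re-entered, while the full fingerprint is the final proof that the recovered file is byte-for-byte the key that was dumped before it is handed to cryptsetup.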