* How to protect header and on.... paper?
From: Felix Rubio @ 2023-06-03  7:29 UTC (permalink / raw)
  To: cryptsetup

Hi everybody,

I have set up my FDE using LUKS, tying the decryption key to my 
TPM+recovery key. Now I am wondering: I know I can get a backup of the 
LUKS header in a file, store it somewhere and be done... but what happens 
if the USB is corrupted by the time I need it? What if I put it on an 
optical disk and it has been scratched? This kept me thinking: is there any 
possibility/process to have the required information for the header 
printed on paper, so that it could be stored in a safe?

Thank you very much for your time,

-- 
Felix Rubio
"Don't believe what you're told. Double check."


* Re: How to protect header and on.... paper?
From: Milan Broz @ 2023-06-03  8:29 UTC (permalink / raw)
  To: Felix Rubio, cryptsetup

Hi,

On 6/3/23 09:29, Felix Rubio wrote:
> I have set up my FDE using LUKS, tying the decryption key to my
> TPM+recovery key. Now I am wondering: I know I can get a backup of the
> LUKS header in a file, store it somewhere and be done... but what happens
> if the USB is corrupted by the time I need it? What if I put it on an
> optical disk and it has been scratched? This kept me thinking: is there any
> possibility/process to have the required information for the header
> printed on paper, so that it could be stored in a safe?

You cannot have a full text backup of the LUKS keyslot metadata, but you can dump
the volume encryption key, which allows mapping the data device without the LUKS header.

Actually, a paper backup was the motivation for the --dump-volume-key option; use:
  cryptsetup luksDump --dump-volume-key <device>

(in very old cryptsetup versions use --dump-master-key instead)

There is no automated script that maps dm-crypt automatically from this
info, but it is quite trivial, and the dump should contain all the info dm-crypt needs
to decrypt the data area.


You can also dump the keyslot metadata with the luksDump command, for LUKS2
even in JSON format:
  cryptsetup luksDump --dump-json-metadata <device>

NOTE - this contains only the configuration, not the binary area content
of the keyslots (but it can be useful anyway).

Milan
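The header-less mapping Milan describes, as an added example for this thread (not a script shipped with cryptsetup): it parses the text that `cryptsetup luksDump --dump-volume-key <device>` prints, rebuilds the raw key file from the retyped hex, checks the key length against the "MK bits" line (a typo on the paper copy fails here instead of producing unreadable data), and emits the matching `cryptsetup open --type plain` command. The sample dump and its key bytes are constructed; the dump layout (Cipher name, Cipher mode, Payload offset in 512-byte sectors, MK bits, MK dump) is assumed to match what luksDump prints.

```shell
#!/bin/sh
# Added example, not part of cryptsetup: turn the output of
# "cryptsetup luksDump --dump-volume-key <device>" into a raw key file plus
# the "cryptsetup open --type plain" command that maps the data area with
# no LUKS header at all. Assumed dump lines: "Cipher name:", "Cipher mode:",
# "Payload offset:" (512-byte sectors), "MK bits:" and a multi-line "MK dump:".

# Constructed sample dump; the key bytes below are made up, not a real key.
SAMPLE_DUMP='LUKS header information for /dev/sdX1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Payload offset:	4096
UUID:          	00000000-0000-0000-0000-000000000000
MK bits:       	256
MK dump:	01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
		11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 0f
'

# dump_field DUMP LABEL: the value of the "LABEL:<whitespace>value" line
dump_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" \
        '$1 == key { v = $2; sub(/^[ \t]+/, "", v); print v; exit }'
}

# dump_key_hex DUMP: the "MK dump:" block joined into one lowercase hex string
dump_key_hex() {
    printf '%s\n' "$1" | awk '
        /^MK dump:/ { found = 1; sub(/^MK dump:/, "") }
        found       { gsub(/[ \t\r]/, ""); printf "%s", tolower($0) }'
}

# hex_to_bin HEX: raw key bytes on stdout. Octal escapes in a printf format
# are POSIX, so this needs no xxd or bash-only \x escapes.
hex_to_bin() {
    fmt=$(printf '%s' "$1" | awk 'BEGIN { h = "0123456789abcdef" }
        { for (i = 1; i <= length($0); i += 2) {
              n = (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1
              printf "\\%03o", n
          } }')
    printf "$fmt"
}

# plain_open_cmd DUMP DEVICE NAME KEYFILE: print the header-less mapping command
plain_open_cmd() {
    dump=$1; dev=$2; name=$3; keyfile=$4
    cipher="$(dump_field "$dump" 'Cipher name')-$(dump_field "$dump" 'Cipher mode')"
    bits=$(dump_field "$dump" 'MK bits')
    offset=$(dump_field "$dump" 'Payload offset')
    hex=$(dump_key_hex "$dump")
    # A mistyped or missing hex pair shows up here, not as garbage plaintext.
    [ $(( ${#hex} * 4 )) -eq "$bits" ] || { echo "key length mismatch" >&2; return 1; }
    # Plain mode reads the key file verbatim (no passphrase hashing) and takes
    # --offset in 512-byte sectors. A LUKS2 volume formatted with
    # --sector-size 4096 also needs --sector-size 4096 here; that value comes
    # from "cryptsetup luksDump --dump-json-metadata", not from this dump.
    printf 'cryptsetup open --type plain --cipher %s --key-size %s --key-file %s --offset %s %s %s\n' \
        "$cipher" "$bits" "$keyfile" "$offset" "$dev" "$name"
}

# Usage: sh recover.sh /path/to/retyped-dump.txt /dev/sdX1 luksrec
if [ $# -eq 3 ]; then
    dump=$(cat "$1")
    umask 077                                   # key file readable by root only
    hex_to_bin "$(dump_key_hex "$dump")" > volume.key
    plain_open_cmd "$dump" "$2" "$3" "$PWD/volume.key"
fi
```

Open the mapping read-only (`--readonly`) for the first attempt and verify the filesystem with `blkid /dev/mapper/<name>` before writing anything; a wrong cipher, offset or sector size simply yields random-looking bytes rather than an error. Shred the key file once the data is copied off, since it holds the unwrapped volume key.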


* Re: How to protect header and on.... paper?
From: Felix Rubio @ 2023-06-03 10:31 UTC (permalink / raw)
  To: Milan Broz; +Cc: cryptsetup

Hi Milan,

Thank you for your answer. In this case, would this be the correct 
process?

1. BACKUP: Get the master key, encoded, printed. The master key is 
obtained by executing the command "cryptsetup luksDump --dump-master-key 
<device>", and is the concatenated result of the lines in the entry "MK 
dump".

2. RESTORE: In case the LUKS header gets corrupted
   2.1 create a file containing the master key (e.g., master.key)
   2.2 convert the key from hex to binary: "xxd -r -p master.key 
master.bin"
   2.3 Use the key to set up a new LUKS header: "cryptsetup luksAddKey 
--master-key-file master.bin <device>", which will ask for a new wrapping key
   2.4 Open the device with the new wrapping key: "cryptsetup luksOpen 
<device> luksrec"
   2.5 Data should be accessible at /dev/mapper/luksrec

Thank you,

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-06-03 10:29, Milan Broz wrote:
> Hi,
> 
> On 6/3/23 09:29, Felix Rubio wrote:
>> I have set up my FDE using LUKS, tying the decryption key to my
>> TPM+recovery key. Now I am wondering: I know I can get a backup of the
>> LUKS header in a file, store it somewhere and be done... but what happens
>> if the USB is corrupted by the time I need it? What if I put it on an
>> optical disk and it has been scratched? This kept me thinking: is there 
>> any
>> possibility/process to have the required information for the header
>> printed on paper, so that it could be stored in a safe?
> 
> You cannot have a full text backup of the LUKS keyslot metadata, but you can 
> dump
> the volume encryption key, which allows mapping the data device without the LUKS 
> header.
> 
> Actually, a paper backup was the motivation for the --dump-volume-key option; 
> use:
>  cryptsetup luksDump --dump-volume-key <device>
> 
> (in very old cryptsetup versions use --dump-master-key instead)
> 
> There is no automated script that maps dm-crypt automatically from this
> info, but it is quite trivial, and the dump should contain all the info dm-crypt 
> needs
> to decrypt the data area.
> 
> 
> You can also dump the keyslot metadata with the luksDump command, for 
> LUKS2
> even in JSON format:
>  cryptsetup luksDump --dump-json-metadata <device>
> 
> NOTE - this contains only the configuration, not the binary area content
> of the keyslots (but it can be useful anyway).
> 
> Milan
