How to protect header and on.... paper?

From: Felix Rubio
Date: 2023-06-03 7:29 UTC
To: cryptsetup

Hi everybody,

I have set up my FDE using LUKS, and tied the decryption key to my TPM +
recovery key. Now I am wondering: I know I can get a backup of the LUKS
header in a file, store it somewhere and be done... but what happens if the
USB is corrupted by the time I need it? What if I put it on an optical disk
and it has been scratched? This kept me thinking: is there any
possibility/process to have the required information for the header printed
on paper, that could be stored in a safe?

Thank you very much for your time,
-- 
Felix Rubio
"Don't believe what you're told. Double check."
Re: How to protect header and on.... paper?

From: Milan Broz
Date: 2023-06-03 8:29 UTC
To: Felix Rubio, cryptsetup

Hi,

On 6/3/23 09:29, Felix Rubio wrote:
> I have set up my FDE using LUKS, and tied the decryption key to my
> TPM + recovery key. Now I am wondering: I know I can get a backup of the
> LUKS header in a file, store it somewhere and be done... but what happens
> if the USB is corrupted by the time I need it? What if I put it on an
> optical disk and it has been scratched? This kept me thinking: is there
> any possibility/process to have the required information for the header
> printed on paper, that could be stored in a safe?

You cannot have a full text backup of the LUKS keyslot metadata, but you can
dump the volume encryption key, which allows mapping the data device without
the LUKS header.

Actually, paper backup was the motivation for the --dump-volume-key option;
use:

    cryptsetup luksDump --dump-volume-key <device>

(In very old cryptsetup use --dump-master-key instead.)

There is no automated script that maps dm-crypt automatically from this
info, but it is quite trivial, and the dump should contain all the info
dm-crypt needs to decrypt the data area.

You can also dump the keyslot metadata with the luksDump command, for LUKS2
even in JSON format:

    cryptsetup luksDump --dump-json-metadata <device>

NOTE - this contains only the configuration, not the binary area content of
the keyslots (but it can be useful anyway).

Milan
Re: How to protect header and on.... paper?

From: Felix Rubio
Date: 2023-06-03 10:31 UTC
To: Milan Broz
Cc: cryptsetup

Hi Milan,

Thank you for your answer. In this case, would this be the correct process?

1. BACKUP: Get the master key, encoded, printed. The master key is obtained
   by executing the command "cryptsetup luksDump --dump-master-key <device>",
   and is the concatenated result of the lines of the entry "MK dump".

2. RESTORE: In case the LUKS header gets corrupted:
   2.1 Create a file containing the master key (e.g., master.key).
   2.2 Convert the key from hex to binary: "xxd -r -p master.key master.bin".
   2.3 Use the key to set up a new LUKS header: "cryptsetup luksAddKey
       --master-key-file master.bin <device>"; it will ask for a new
       wrapping key.
   2.4 Open the device with the new wrapping key: "cryptsetup luksOpen
       <device> luksrec".
   2.5 Data should be accessible at /dev/mapper/luksrec.

Thank you,
-- 
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-06-03 10:29, Milan Broz wrote:
> Hi,
>
> On 6/3/23 09:29, Felix Rubio wrote:
>> I have set up my FDE using LUKS, and tied the decryption key to my
>> TPM + recovery key. Now I am wondering: I know I can get a backup of the
>> LUKS header in a file, store it somewhere and be done... but what happens
>> if the USB is corrupted by the time I need it? What if I put it on an
>> optical disk and it has been scratched? This kept me thinking: is there
>> any possibility/process to have the required information for the header
>> printed on paper, that could be stored in a safe?
>
> You cannot have a full text backup of the LUKS keyslot metadata, but you
> can dump the volume encryption key, which allows mapping the data device
> without the LUKS header.
>
> Actually, paper backup was the motivation for the --dump-volume-key
> option; use:
>
>     cryptsetup luksDump --dump-volume-key <device>
>
> (In very old cryptsetup use --dump-master-key instead.)
>
> There is no automated script that maps dm-crypt automatically from this
> info, but it is quite trivial, and the dump should contain all the info
> dm-crypt needs to decrypt the data area.
>
> You can also dump the keyslot metadata with the luksDump command, for
> LUKS2 even in JSON format:
>
>     cryptsetup luksDump --dump-json-metadata <device>
>
> NOTE - this contains only the configuration, not the binary area content
> of the keyslots (but it can be useful anyway).
>
> Milan
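The two messages above describe the pieces of a paper backup (Milan: the volume key dump is enough to map the data area with plain dm-crypt, no header needed; Felix: extract the "MK dump" hex, store it, turn it back into a key file). The script below is an added example written for this page; it is not from the thread, from cryptsetup, or from either author. It assumes the dump text uses the LUKS1-style layout shown in its constructed SAMPLE_DUMP (key bytes and UUID are made up), and all function names in it are mine. The cryptsetup options it emits (`open --type plain`, `--readonly`, `--cipher`, `--key-size`, `--key-file`, `--offset`) are real ones. It adds two things a practitioner wants on the sheet that the thread does not mention: a length check against "MK bits" and a short SHA-256 fingerprint, so a key retyped from paper can be verified before it is ever used on a disk.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from cryptsetup: paper-backup helpers
# for a LUKS volume key.  Input is the text printed by
#   cryptsetup luksDump --dump-volume-key <device>   (older: --dump-master-key)
# ASSUMPTION: that text uses the LUKS1-style layout shown in SAMPLE_DUMP below.
# The key bytes and UUID in SAMPLE_DUMP are CONSTRUCTED for the demo, not real.
set -eu

SAMPLE_DUMP='LUKS header information for /dev/sdX2

Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 4096
UUID:           11111111-2222-3333-4444-555555555555
MK bits:        512
MK dump:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                01 12 23 34 45 56 67 78 89 9a ab bc cd de ef f0
                02 13 24 35 46 57 68 79 8a 9b ac bd ce df e0 f1
                03 14 25 36 47 58 69 7a 8b 9c ad be cf d0 e1 f2
MK salt:        aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
                aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
MK iterations:  100000'

# Value of a "Key:   value" line in the dump (first match only).
dump_field() {  # $1 = dump text, $2 = key name
    printf '%s\n' "$1" | awk -F':' -v key="$2" \
        '$1 == key { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Concatenate the "MK dump" byte rows into one lowercase hex string.
# Collection stops at the first line that is not purely hex (e.g. "MK salt:").
mk_hex_from_dump() {  # $1 = dump text
    printf '%s\n' "$1" | awk '
        /^MK dump:/ { sub(/^MK dump:[ \t]*/, ""); collecting = 1 }
        collecting {
            line = $0; gsub(/[ \t]/, "", line)
            if (line ~ /^[0-9a-fA-F]+$/) { hex = hex tolower(line); next }
            collecting = 0
        }
        END { print hex }'
}

# Reject a key whose alphabet or length does not match the declared "MK bits";
# a retyped key with a missing or extra digit fails here, not at mount time.
check_key_hex() {  # $1 = lowercase hex, $2 = MK bits
    case $1 in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq $(( $2 / 4 )) ]
}

# 16-hex-digit SHA-256 fingerprint of the key text, printed on the sheet so a
# retyped key can be verified before anything touches the disk.
key_fingerprint() {  # $1 = hex
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -c1-16
    else
        printf '%s' "$1" | shasum -a 256 | cut -c1-16
    fi
}

# Numbered rows of eight 4-digit groups: easy to print, read and type back.
paper_layout() {  # $1 = hex
    printf '%s' "$1" | fold -w 32 | awk '{
        row = sprintf("%02d:", NR)
        for (i = 1; i <= length($0); i += 4) row = row " " substr($0, i, 4)
        print row }'
}

# Inverse of paper_layout: strip row labels and any non-hex characters from stdin.
hex_from_paper() {
    sed 's/^[0-9]*://; s/[^0-9a-fA-F]//g' | tr -d '\n' | tr 'A-F' 'a-f'
}

# The header-less mapping Milan refers to: plain dm-crypt with the raw key
# (plain mode uses a --key-file as-is, no hashing), the cipher spec from the
# dump, and the data area starting at "Payload offset" sectors.  --readonly so
# a wrong key or offset cannot corrupt anything while the result is checked.
# Returned as text to review; it has to be run as root on the real device.
plain_open_command() {  # $1 = dump text, $2 = device, $3 = mapping name, $4 = key file
    local cipher mode bits offset
    cipher=$(dump_field "$1" "Cipher name")
    mode=$(dump_field "$1" "Cipher mode")
    bits=$(dump_field "$1" "MK bits")
    offset=$(dump_field "$1" "Payload offset")
    printf 'cryptsetup open --type plain --readonly --cipher %s-%s --key-size %s --key-file %s --offset %s %s %s\n' \
        "$cipher" "$mode" "$bits" "$4" "$offset" "$2" "$3"
}

main() {
    local hex bits
    hex=$(mk_hex_from_dump "$SAMPLE_DUMP")
    bits=$(dump_field "$SAMPLE_DUMP" "MK bits")
    check_key_hex "$hex" "$bits" || { echo "key length does not match MK bits" >&2; return 1; }
    echo "Volume key sheet (fingerprint $(key_fingerprint "$hex"), $bits bits):"
    paper_layout "$hex"
    echo
    echo "Key file from a typed-in sheet: hex_from_paper < sheet.txt | xxd -r -p > mk.bin"
    echo "Recovery command (review, then run as root):"
    plain_open_command "$SAMPLE_DUMP" /dev/sdX2 luksrec /root/mk.bin
}
main
```

The sheet is the key: it belongs in the same safe Felix mentions, and the fingerprint line is what you compare after typing it back in. Plain mode has no way to tell a wrong key or offset from a right one (it just produces garbage), which is why the generated command opens read-only; check the mapping with `blkid /dev/mapper/luksrec` or `fsck -n` before reopening it read-write. If your dump reports the data offset in bytes rather than sectors (LUKS2's "Data segments" section does), divide by 512 before passing it to `--offset`.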