From: Milan Broz <>
To: Felix Rubio <>,
Subject: Re: How to protect header and on.... paper?
Date: Sat, 3 Jun 2023 10:29:18 +0200


On 6/3/23 09:29, Felix Rubio wrote:
> I have set up my FDE using LUKS, tying the decryption key to my
> TPM+recovery key. Now I am wondering: I know I can get a backup of the
> LUKS header in a file, store it somewhere and done... but what happens
> if the USB is corrupted by the time I need it? What if I put it on an
> optical disk and it has been scratched? This kept me thinking: is there any
> possibility/process to have the required information for the header
> printed on paper, that could be stored in a safe?

You cannot have a full text backup of LUKS keyslot metadata, but you can dump
the volume encryption key that allows mapping the data device without the LUKS header.

Actually, paper backup was the motivation for the --dump-volume-key option; use:
  cryptsetup luksDump --dump-volume-key <device>

(in very old cryptsetup use --dump-master-key instead)

There is no automated script that maps dm-crypt automatically from this
info, but it is quite trivial and should contain all info dm-crypt needs
to decrypt data area.

You can also dump metadata keyslot info with the luksDump command, for LUKS2
even in JSON format:
  cryptsetup luksDump --dump-json-metadata <device>

NOTE - this contains only configuration, not the binary area content
of keyslots (but it can be useful anyway).
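
The mapping step described above as "quite trivial", as an added example that is not part of the original message and is not cryptsetup's own code: a shell function that turns a typed-in copy of the paper dump into a dm-crypt table line. The function names, /dev/sdX and the sample dump are constructed; it assumes the dump carries the fields Cipher name, Cipher mode, Payload offset (in 512-byte sectors), MK bits and MK dump, and that the volume uses 512-byte encryption sectors.

```shell
#!/bin/sh
# Added example. Names, /dev/sdX and the sample dump below are constructed.

# luks_dump_to_table DUMPFILE DEVICE DEVICE_SECTORS
# Prints "0 <data sectors> crypt <cipher> <hexkey> 0 <device> <offset>".
luks_dump_to_table() {
    awk -v dev="$2" -v total="$3" '
        /^Cipher name:/    { name = $3 }
        /^Cipher mode:/    { mode = $3 }
        /^Payload offset:/ { off = $3 }
        /^MK bits:/        { bits = $3 }
        /^MK dump:/        { inkey = 1; sub(/^MK dump:/, "") }
        inkey {
            # Continuation lines hold only hex byte pairs; anything else ends the key.
            if ($0 !~ /^[ \t0-9a-fA-F]*$/) { inkey = 0; next }
            gsub(/[ \t]/, ""); key = key tolower($0)
        }
        END {
            if (name == "" || mode == "" || off == "" || bits == "") {
                print "missing field in dump" > "/dev/stderr"; exit 1 }
            # A mistyped or dropped byte must fail here, not give a garbage mapping.
            if (length(key) != bits / 4) {
                print "key length does not match MK bits" > "/dev/stderr"; exit 1 }
            if (total + 0 <= off + 0) {
                print "device smaller than payload offset" > "/dev/stderr"; exit 1 }
            printf "0 %.0f crypt %s-%s %s 0 %s %.0f\n",
                   total - off, name, mode, key, dev, off
        }' "$1"
}

# Constructed sample dump (not a real key), in the assumed layout.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdX
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 4096
UUID:           00000000-0000-0000-0000-000000000000
MK bits:        256
MK dump:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
EOF
}

# Usage (the table goes over stdin, so the key never appears in argv):
#   luks_dump_to_table dump.txt /dev/sdX "$(blockdev --getsz /dev/sdX)" |
#       dmsetup create recovered --readonly
```

Keep the typed-in dump file on a tmpfs and remove it once the mapping is up, since it holds the raw volume key.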

