So I’ve been reading more on cryptsetup man page and found this interesting excerpt:
If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header-backup. If a key-slot is damaged, it can only be restored from a header-backup or if another active key-slot with known passphrase is undamaged. Damaging the LUKS header is something people manage to do with surprising frequency. This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting header and key-slot area.
Which means most people do this disk encryption thing without knowing what they are doing.
What does header contain? You can easily find out with the command “cryptsetup luksDump < image filename or block device >”. It contains ciphers used, hashing algorithm information, UUID and passphrase information.
However, it’s important to know the following risk as well:
- Even if you later change the passphrase of your LUKS encrypted volume, the passphrase contained in the header is valid for lifetime. Which means, any passphrase that was valid at the time of backing up the header is valid even after you later change the passphrase in volume. Take the following example scenario:
- You create an encrypted volume and set passphrase to ‘123‘.
- You backup header and store it separately.
- Your passphrase gets compromised.
- You change the passphrase of your volume to ‘456‘.
- An attacker manages to steal the backed up header file and your encrypted volume.
- Attacker restores header backup to the stolen copy of your volume.
- Attacker uses passphrase ‘123‘ to successfully decrypt the stolen copy of your volume.
Though there’s a risk, when it comes to compromise between Availability and Confidentiality header backup is your rescue. 🙂
So here’s my simple suggestion on how you would backup a LUKS header.
- Create a new LUKS volume, but with a different passphrase to keep your LUKS headers. Header file size is usually 1.1 MB, so a 32 MB image should be enough for most regular users.
- Backup the header of each of your encrypted volumes using the following command. Make sure backup filename does not directly relate to anything that can be used to directly identify the volume. Relationship information should only exist in your head. =)
cryptsetup luksHeaderBackup < encrypted image/ block device filename > --header-backup-file < output filename >
- Now, copy the header backups into the LUKS volume of header backups. (Open, mount, copy, unmount, close procedure). Now, upload this header backup volume to Google Drive or any other preferred cloud storage. Cloud storage is less prone to corruption, so the header backup volume is safe (it’s a matter of keeping your cloud account safe as well).
Do you have anything to add or suggest? Comment below. 🙂