Backup your LUKS header and LVM config

Tags: linux, luks, backup, data, lvm, centos, crypto, storage,

Added: 2015-05-13T21:43:47

Backup your LUKS header and LVM config

If you use disk encryption in Linux, there's a good chance you're using LUKS, a standard implementation of it.


The first few bytes of your encrypted partition contain a LUKS header, which contains things like the cipher, cipher mode, passphrase iteration count, and salt.
Mine (standard CentOS 6) looks somewhat like this:
LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 512
MK digest: 59 67 99 11 f7 1d d2 3d 66 90 60 15 08 27 8a 8d 2c 1b 4b 46
MK salt: c6 ff 58 17 9a f3 68 b8 c1 3c 81 af df ce 5e 65
3f 64 c9 70 fe 90 df df 25 ce 16 b9 f6 46 45 b8
MK iterations: 46875
UUID: 8f3dfab2-013e-4968-848a-79bd5a528824

Key Slot 0: ENABLED
Iterations: 181140
Salt: 9d c6 a8 af 33 a6 d3 dd 1d 9c 53 bf 7a 4c 32 39
88 d0 93 da 88 5a 7b 51 0d 36 7e f0 08 7c 34 69
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

These are all required (along with your passphrase/key device) to be able to decrypt your device. However, unlike the EXT superblock, there aren't any alternative copies of this header.
If it becomes corrupted in any way (a single bad block on your harddrive), knowing your passphrase won't help, and all the computing power in the world won't be able to recover your data.

Hence, it's probably a good idea to back it up.

As root:
cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file=/boot/luks-header

I put mine on /boot, as this is an unencrypted partition, and the file is small (2MiB).
There's no great security loss in this - anyone with physical access (or root access) to your device can simply dump the header anyway. If you're really worried though, save it somewhere safe, or print it out, and store it somewhere.


While you're in the backing-up frame of mind, backup /etc/lvm. If your PVs, VGs, or LVs get messed up, you have a chance of being able to recover from this. I also back this up to /boot.
cp /etc/lvm /boot/lvm-backup -Rafv
This too is a small amount of data.

I suffer, so you won't have to.

posted by Calum on 2015-05-13T22:00 under



Thanks much. This is clean and clear. Most posts like this have a long list of arguments about what if. Frankly I don't care to read what if when I just want to do it. What if is another subject. Or what if I don't care about if's right now. Thanks you one again,


Thanks for the warnings and suggestions!


I like the idea to put the backup on /boot. I'll be adding /etc/fstab and the key files I use for other partitions. Obviously, I'll encrypt the file for safety.


Thank you so much, I was looking for this. Save it on /boot it’s an amazing idea.


good idea, I'm so silly to suffer again...


Please help me. I am really struggling to copy my header to an external drive. I can't move the file because it is locked. How do I extract my header to save elsewhere?


SCP it off somewhere?
Add a comment

Your IP:
Please enter 9072630 here: