calum.org:~#

Backup your LUKS header and LVM config

Tags: linux, luks, backup, data, lvm, centos, crypto, storage

Added: 2015-05-13T21:43:47


If you use disk encryption in Linux, there's a good chance you're using LUKS, a standard implementation of it.

LUKS


The first few bytes of your encrypted partition contain a LUKS header, which contains things like the cipher, cipher mode, passphrase iteration count, and salt.
Mine (standard CentOS 6) looks somewhat like this:
LUKS header information for /dev/sda2

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha1
Payload offset: 4096
MK bits: 512
MK digest: 59 67 99 11 f7 1d d2 3d 66 90 60 15 08 27 8a 8d 2c 1b 4b 46
MK salt: c6 ff 58 17 9a f3 68 b8 c1 3c 81 af df ce 5e 65
3f 64 c9 70 fe 90 df df 25 ce 16 b9 f6 46 45 b8
MK iterations: 46875
UUID: 8f3dfab2-013e-4968-848a-79bd5a528824

Key Slot 0: ENABLED
Iterations: 181140
Salt: 9d c6 a8 af 33 a6 d3 dd 1d 9c 53 bf 7a 4c 32 39
88 d0 93 da 88 5a 7b 51 0d 36 7e f0 08 7c 34 69
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

These are all required (along with your passphrase/key device) to decrypt your device. However, unlike the EXT superblock, there aren't any alternative copies of this header.
If it becomes corrupted in any way (a single bad block on your hard drive), knowing your passphrase won't help, and all the computing power in the world won't be able to recover your data.

Hence, it's probably a good idea to back it up.

As root:
cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file=/boot/luks-header

I put mine on /boot, as this is an unencrypted partition, and the file is small (2 MiB).
There's no great security loss in this: anyone with physical access (or root access) to your device can simply dump the header anyway. If you're really worried though, save it somewhere safe, or print it out and store it somewhere.
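
To sanity-check the backup file without cryptsetup, here is an added example (not part of the original post) that parses the LUKS1 on-disk header layout and rejects a truncated or corrupted copy. It checks the 592-byte header structure only, not the key material that follows it. The function names and the constructed sample header (field values from the dump above, zero-filled digest and salts) are assumptions of this example.

```python
import struct
import sys

# LUKS1 on-disk header layout (big-endian), per the LUKS1 on-disk format spec.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes of fixed fields
SLOT = struct.Struct(">II32sII")                    # 48 bytes each, 8 slots follow
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(blob):
    """Return the fields luksDump prints; raise ValueError on a damaged header."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated: a LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     mk_digest, _mk_salt, mk_iter, uuid) = PHDR.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic: not a LUKS header")
    if version != 1:
        raise ValueError("version %d: only LUKS1 is handled here" % version)
    slots = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError("key slot %d: corrupt state 0x%08x" % (i, state))
        slots.append({"enabled": state == SLOT_ENABLED, "iterations": iters,
                      "km_offset": km_off, "stripes": stripes})
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "payload_offset": payload, "mk_bits": key_bytes * 8,
            "mk_digest": mk_digest.hex(), "mk_iterations": mk_iter,
            "uuid": _text(uuid), "slots": slots}

def sample_header():
    """Constructed header: field values from the dump above, zero digest/salts."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                    bytes(20), bytes(32), 46875,
                    b"8f3dfab2-013e-4968-848a-79bd5a528824")
    slot0 = SLOT.pack(SLOT_ENABLED, 181140, bytes(32), 8, 4000)
    unused = SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000)
    return hdr + slot0 + unused * 7

if __name__ == "__main__":
    # Usage: script.py /boot/luks-header   (no argument: parse the sample)
    blob = open(sys.argv[1], "rb").read(592) if len(sys.argv) > 1 else sample_header()
    info = parse_luks1_header(blob)
    enabled = [i for i, s in enumerate(info["slots"]) if s["enabled"]]
    print(info["uuid"], info["cipher"], info["mode"], "enabled slots:", enabled)
```

The enabled slots it reports are the ones captured at backup time. A passphrase removed from the device later still unlocks the data through an old header backup, so take a fresh backup after any key change and destroy the old copy.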

LVM


While you're in the backing-up frame of mind, back up /etc/lvm. If your PVs, VGs, or LVs get messed up, you have a chance of being able to recover from this. I also back this up to /boot.
cp -Rafv /etc/lvm /boot/lvm-backup
This too is a small amount of data.

I suffer, so you won't have to.

posted by Calum on 2015-05-13T22:00 under

Comments

Comment

Thanks much. This is clean and clear. Most posts like this have a long list of arguments about what if. Frankly I don't care to read what if when I just want to do it. What if is another subject. Or what if I don't care about if's right now. Thank you once again.

Comment

Thanks for the warnings and suggestions!

Comment

I like the idea to put the backup on /boot. I'll be adding /etc/fstab and the key files I use for other partitions. Obviously, I'll encrypt the file for safety.

Comment

Thank you so much, I was looking for this. Save it on /boot it’s an amazing idea.

Comment

good idea, I'm so silly to suffer again...

Comment

Please help me. I am really struggling to copy my header to an external drive. I can't move the file because it is locked. How do I extract my header to save elsewhere?

Comment

SCP it off somewhere?