Backup your LUKS header and LVM config
If you use disk encryption in Linux, there's a good chance you're using LUKS, a standard implementation of it.
LUKS
The first few bytes of your encrypted partition contain a LUKS header, which contains things like the cipher, cipher mode, passphrase iteration count, and salt. Mine (standard CentOS 6) looks somewhat like this: LUKS header information for /dev/sda2 Version: 1 Cipher name: aes Cipher mode: xts-plain64 Hash spec: sha1 Payload offset: 4096 MK bits: 512 MK digest: 59 67 99 11 f7 1d d2 3d 66 90 60 15 08 27 8a 8d 2c 1b 4b 46 MK salt: c6 ff 58 17 9a f3 68 b8 c1 3c 81 af df ce 5e 65 3f 64 c9 70 fe 90 df df 25 ce 16 b9 f6 46 45 b8 MK iterations: 46875 UUID: 8f3dfab2-013e-4968-848a-79bd5a528824 Key Slot 0: ENABLED Iterations: 181140 Salt: 9d c6 a8 af 33 a6 d3 dd 1d 9c 53 bf 7a 4c 32 39 88 d0 93 da 88 5a 7b 51 0d 36 7e f0 08 7c 34 69 Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLEDThese are all required (along with your passphrase/key device) to be able to decrypt your device. However, unlike the EXT superblock, there aren't any alternative copies of this header.
If it becomes corrupted in any way (a single bad block on your harddrive), knowing your passphrase won't help, and all the computing power in the world won't be able to recover your data.
Hence, it's probably a good idea to back it up.
As root:
cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file=/boot/luks-header
I put mine on /boot, as this is an unencrypted partition, and the file is small (2 MiB).
There's no great security loss in this - anyone with physical access (or root access) to your device can simply dump the header anyway. If you're really worried though, save it somewhere safe, or print it out, and store it somewhere.
LVM
While you're in the backing-up frame of mind, backup /etc/lvm. If your PVs, VGs, or LVs get messed up, you have a chance of being able to recover from this. I also back this up to /boot.cp /etc/lvm /boot/lvm-backup -Rafv This too is a small amount of data.
I suffer, so you won't have to.
Comment