meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux:backup:luks [2016/08/20 14:30] – created niziaklinux:backup:luks [2025/03/23 15:49] (current) niziak
Line 1: Line 1:
 +====== LUKS backup ======
 +
 +  WARNING: This backup file and a passphrase valid at the time of
 +       backup allows decryption of the LUKS data area, even if the
 +       passphrase was later changed or removed from the LUKS device. Also
 +       note that with a header backup you lose the ability to securely
 +       wipe the LUKS device by just overwriting the header and key-slots.
 +       You either need to securely erase all header backups in addition
 +       or overwrite the encrypted data area as well. The second option is
 +       less secure, as some sectors can survive, e.g., due to defect
 +       management.
 +
 +NOTE: do not store luks header in file on normal unencrypted FS even temporarily.
 +
 <code bash> <code bash>
-cryptsetup luksHeaderBackup /dev/sdb5 --header-backup-file luks_header.bin+cryptsetup luksHeaderBackup /dev/sdb5 --header-backup-file $SAFE_ENCRYPTED_STORAGE/luks_header.bin
 </code> </code>
 +