FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 01-09-2012, 03:03 AM
yudi v
 
Default help with LUKS header backup

I am trying to back up the LUKS header and LUKS FAQ recommend using
the cryptsetup luksHeaderBackup command.
Cryptsetup man page has the following format

"luksHeaderBackup <device> --header-backup-file <file>"

the following example is taken from the LUKS FAQ.

cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1

i just want to confirm if I am reading this example right.

cryptsetup luksHeaderBackup --header-backup-file * * > I understand
the options but the following operands are a bit confusing.

h > is the backup file name/location in the example
/dev/mapper/c1 > I am guessing c1 here means the hard disk partition
with luks. Right?

I only have one partition that uses LUKS, sda4. It's a GPT disk and
the partitions are as follows

sda1 = ESP
sda2 = EF02
sda3 = /boot
sda4 = luks = rest of the disk.

On my system, there is just /dev/mapper/sda4, I am guessing this is
the devise I need to back up or is it the whole hard drive just like
backing up a MBR.

I am guessing the command I need to use on my system is:

cryptsetup luksHeaderBackup /dev/mapper/sda4 --header-backup-file
/media/USB_stick


Is this interpretation right?

--
Kind regards,
Yudi


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CACo--mv78xERd3q_JTyLkfUxLW3d+gdV01G0oezXwU1khGU_Tw@mail .gmail.com">http://lists.debian.org/CACo--mv78xERd3q_JTyLkfUxLW3d+gdV01G0oezXwU1khGU_Tw@mail .gmail.com
 
Old 01-09-2012, 07:13 AM
"tv.debian@googlemail.com"
 
Default help with LUKS header backup

09/01/2012 05:03, yudi v wrote:

I am trying to back up the LUKS header and LUKS FAQ recommend using
the cryptsetup luksHeaderBackup command.

[cut]


I only have one partition that uses LUKS, sda4. It's a GPT disk and
the partitions are as follows

sda1 = ESP
sda2 = EF02
sda3 = /boot
sda4 = luks = rest of the disk.

On my system, there is just /dev/mapper/sda4, I am guessing this is
the devise I need to back up or is it the whole hard drive just like
backing up a MBR.

I am guessing the command I need to use on my system is:

cryptsetup luksHeaderBackup /dev/mapper/sda4 --header-backup-file
/media/USB_stick


Is this interpretation right?

--
Kind regards,
Yudi




Yes, I am using this regularly. Backing up the headers to encrypted
media (two preferably) is good practice, even if one can foresee a bit
off a circle here ;-) . Header backups are easier to break than original
LUKS container.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4F0AA1A8.3050808@googlemail.com">http://lists.debian.org/4F0AA1A8.3050808@googlemail.com
 
Old 01-10-2012, 09:55 PM
yudi v
 
Default help with LUKS header backup

>
> Yes, I am using this regularly. Backing up the headers to encrypted media
> (two preferably) is good practice, even if one can foresee a bit off a
> circle here ;-) . Header backups are easier to break than original LUKS
> container.
>
>

there is only one LUKS header on a disk, right?
I have LVM on top of LUKS. Therefore only one partition with is LUKS encrypted.
What happens when LUKS is on top of LVM. There will be several
partitions, will there also be several header files. One for each LUKS
partition or is it just one header for all LUKS partitions?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CACo--muhzePpCby_taqx9qunTsV3wQ23vZTX9RFkzqV18c=3rQ@mail .gmail.com">http://lists.debian.org/CACo--muhzePpCby_taqx9qunTsV3wQ23vZTX9RFkzqV18c=3rQ@mail .gmail.com
 
Old 01-11-2012, 09:41 AM
"tv.debian@googlemail.com"
 
Default help with LUKS header backup

10/01/2012 23:55, yudi v wrote:


Yes, I am using this regularly. Backing up the headers to encrypted media
(two preferably) is good practice, even if one can foresee a bit off a
circle here ;-) . Header backups are easier to break than original LUKS
container.




there is only one LUKS header on a disk, right?
I have LVM on top of LUKS. Therefore only one partition with is LUKS encrypted.
What happens when LUKS is on top of LVM. There will be several
partitions, will there also be several header files. One for each LUKS
partition or is it just one header for all LUKS partitions?




One header for one LUKS container, doesn't matter if they are on top of
lvm or raid. There is room for several "slots" for pass-phrases or
pass-keys, but every slot is contained in the same header for one
container. If you revoke a slot, destroy every backup of that container,
and create a new one, and you'll be safe.
Making LUKS the lower level or putting it on top of something else (lvm,
raid) is a matter of choice and partitioning constraints, it works
anyways. For ease of use one luks container at the lower level (whole
disk encryption) is probably the best.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4F0D673E.4050007@googlemail.com">http://lists.debian.org/4F0D673E.4050007@googlemail.com
 

Thread Tools




All times are GMT. The time now is 05:00 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org