[dm-crypt] Protection against data failure

Milan Broz mbroz at redhat.com
Wed Aug 10 10:43:34 CEST 2011


On 08/10/2011 10:14 AM, Sun_Blood wrote:

> Lucky I see that cryptsesetup has the luksHeaderBackup function. (LVM
> also have a similar function).
> My question here is if I accidental overwrite the first 5% of the disk
> could I with this option restore and access the 95% rest of the system
> data?

Just short answer: both (luksHeaderBackup for LUKS and vgcfgbackup for LVM)
create backup of _metadata_ not the data.

With these backups you are able to recover LVM over LUKS mappings.
Take is as backup of /etc with configuration of your system - it is good
idea to regularly backup system config.

But it says nothing about data on volumes itself. So it is obviously not replacement
for normal data backup, just prerequisite.

> And I final question. The output from luksHeaderBackup how sensitive
> is that information? Is it like handing somebody my password if I
> store it on a local unencrypted disk?

It is written in man page. To decrypt drive you need LUKS header (or backup
of it - even old with old keyslots) AND passhprase to some keyslot in it.

LUKS header backup is basically just image of start of the disk - you
can create similar backup using dd.

See http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery

Milan


More information about the dm-crypt mailing list