[dm-crypt] is backing up the master key enough for data recovery if header is destroyed?

Milan Broz gmazyland at gmail.com
Thu Jun 21 17:28:07 CEST 2012


On 06/21/2012 04:58 PM, Lara Michaels wrote:
> From reading the FAQ, my understanding is that in the event the
> header getting destroyed I need ONE of the following for data
> recovery to be feasible:
> 
> - header backup + one passphrase - the master key
> 
> By "master key" I am referring to the 256 bits printed out in
> hexadecimal by "cryptsetup luksDump --dump-master-key [device]".
> 
> Is it correct that these 256 bits are by themselves sufficient to
> unlock the volume? Or would I still need the salt to be intact in the
> header? (My understanding from reading the FAQ is that the salt is
> not required if I have the master key.)

Yes. You need to know cipher name, mode and IV as well, but these
are easily to be brute-forced if lost.

Salt is not needed if you know volume (master) key directly.

Milan


More information about the dm-crypt mailing list