[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

Arno Wagner arno at wagner.name
Thu Mar 30 21:33:34 CEST 2017


On Thu, Mar 30, 2017 at 12:57:32 CEST, Michael Kjörling wrote:
> On 30 Mar 2017 11:18 +0100, from waqark3389temp at gmail.com (Waqar Khan):
> > As a follow up. I will have a decrypted version of the master key
> > which I got via luksDump --dump-master-key. I checked the FAQ and cant
> > find something on how to overwrite a key slot with a good master key.
> > If I have this master key, what would be the process to replace the
> > passphrase in keyslot 0 with a new passphrase?
> 
> If you have a full header backup, then you can use that to restore the
> container header via `cryptsetup luksHeaderRestore`, or you can use a
> detached header via `cryptsetup --header`.
> 
> If you have only the master key, then you can write a new header
> (possibly detached) with that specific master key using `cryptsetup
> luksFormat --master-key-file`. I recommend making a fresh header
> backup first in that case, in case you make a mistake.

The procedure to overwrite the master-key is documented
in FAQ item 6.10 as well. And I fully agree, do a backup
before!

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list