[dm-crypt] How to attach a LUKS header to an encrypted container?

Mikhail Morfikov mmorfikov at gmail.com
Thu Feb 15 15:56:17 CET 2018

I created an encrypted volume with the following command:

cryptsetup luksFormat /dev/sdb1 \
--type luks2 \
--cipher aes-xts-plain64 \
--key-size 512 \
--hash sha512 \
--pbkdf argon2i \
--pbkdf-force-iterations 2 \
--pbkdf-memory 1048576 \
--pbkdf-parallel 1 \
--label some_label \
--subsystem "" \
--use-random \
--verify-passphrase \
--verbose \
--header /boot/luks/head.img

So the header was created on the /boot/ partition instead of the sdb1 partition.
The /boot/ partition is placed on a micro sd card, but unfortunately my laptop
isn't able to boot from the sd card, and now I have to "reattach" the header to
the encrypted partition.

The question is how to do it properly, if it's doable at all, of course. Will the
"luksHeaderRestore" command be useful in this case, or do I have to do some
magic to attach the header to the encrypted container?

I checked what will happen when I issue the "luksHeaderRestore" command giving
it the header file, but it gives me the following warning, and I don't know
whether I should say "YES" to that question.

Device /dev/sdb1 does not contain LUKS2 header. Replacing header can destroy
data on that device.

Are you sure? (Type uppercase yes):
