[dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.

Milan Broz gmazyland at gmail.com
Wed Apr 6 08:37:08 CEST 2016

On 04/06/2016 07:59 AM, David Christensen wrote:
> On 04/05/2016 10:38 PM, Milan Broz wrote:
>> On 04/06/2016 06:25 AM, David Christensen wrote:
>> LUKS device cannot be used with random volume key, so I guess you use
>> just plain device without header. (So obviously header backup fails because
>> there is no header.)

Just one correction of my own words - LUKS key has random volume key, just it is
generated once and stored in keyslots. It cannot be easily just regenerated on every boot
(or you have to run luksFormat - and this makes no sense, plain device fits better here).
> Thank you for the information.
>> You can verify it by checking entry in /etc/crypttab - no luks keyword:
>>> # grep sda2 /etc/fstab
>>> /dev/mapper/sda2_crypt                    none                    swap
>> or running "cryptsetup status sda2_crypt" over unlocked device
>> (type is LUKS1 for LUKS devices)
> # cryptsetup status sda2_crypt
> /dev/mapper/sda2_crypt is active and is in use.
>    type:    PLAIN
>    cipher:  aes-xts-plain64
>    keysize: 256 bits
>    device:  /dev/sda2
>    offset:  0 sectors
>    size:    976896 sectors
>    mode:    read/write
> So, what I'm seeing is expected and correct, because a random-key 
> encrypted swap uses dm-crypt on the raw partition, there is no LUKS 
> container, and therefore no LUKS header to back up (?).

Yes, that's correct - you can also see that data offset as 0 sectors,
so the whole device is used.

In fact, there is no need to run any backup - the whole swap device
should get new random key and is reformatted (mkswap) on every boot.
(It cannot be used for hibernation.)


More information about the dm-crypt mailing list