[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

Waqar Khan waqark3389temp at gmail.com
Wed Mar 29 15:42:03 CEST 2017

I have read through the FAQ and it's got a lot of useful information
from the backup section.

I have encrypted /home and used

cryptsetup --dump-master-key luksDump /dev/dm-2


cryptsetup luksHeaderBackup --dump-master-key /dev/dm-2 --header-backup-file header

to make a copy of the header in case I forget my passphrase. I bought an
encrypted USB drive to put the header on.

My first question is, if something like header corruption or a forgotten
passphrase happens, would I be able to restore from my USB onto the LUKS
partition and continue using /home as it was? What if I have unmounted
it or rebooted the machine?

Second, what else should I be doing in order to protect against
accidents such as the above?

Lastly, a few people have access to this machine (through the same
passphrase), some work colleagues, how can I protect against one
disgruntled member leaving the company and changing the passphrase
(then unmounting the volume for good measure) and not telling anyone?


