[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

Michael Kjörling michael at kjorling.se
Wed Mar 29 16:08:42 CEST 2017

On 29 Mar 2017 14:42 +0100, from waqark3389temp at gmail.com (Waqar Khan):
> My first question is, if something like header corruption/passphrase
> forgotten, would I be able to restore from my USB on to the LUKS
> partition and continue using /home as it was? What if I have unmounted
> it or rebooted the machine?

Using the header backup requires knowledge of a passphrase that was
current at the time when the header backup was taken.

> Lastly, a few people have access to this machine (through the same
> passphrase), some work colleagues, how can I protect against one
> disgruntled member leaving the company and changing the passphrase
> (then unmounting the volume for good measure) and not telling anyone?

I would argue that the answer to this is similar to if LUKS wasn't
involved at all. How are you already handling a disgruntled employee
leaving and, as their parting gift, using `at` to schedule something
like `rm -rf /home &>/dev/null` to be run as root, or pulling a few
disks out of the rack and taking the disks with them as they leave?

Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
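
Added example (not part of the original message, and not cryptsetup's code):
a simplified model of why a header backup only opens with a passphrase that
was current when the backup was taken. The Header class, the XOR key wrapping
and the sample passphrases are assumptions made for illustration; real LUKS
key slots use anti-forensic splitting and a cipher.

```python
import copy, hashlib, hmac, os

ITER = 1000  # constructed value, kept low so the model runs quickly

def _kek(passphrase, salt):
    """Derive a key-encryption key from a passphrase (PBKDF2, as in LUKS1)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER, dklen=32)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Header:
    """Hypothetical header: key slots wrapping one volume key, plus its digest."""
    def __init__(self, passphrase):
        volume_key = os.urandom(32)
        self.digest = hashlib.sha256(volume_key).digest()
        self.slots = []
        self._add_slot(passphrase, volume_key)

    def _add_slot(self, passphrase, volume_key):
        salt = os.urandom(16)
        self.slots.append((salt, _xor(volume_key, _kek(passphrase, salt))))

    def unlock(self, passphrase):
        """Return the volume key if a slot opens with this passphrase, else None."""
        for salt, wrapped in self.slots:
            candidate = _xor(wrapped, _kek(passphrase, salt))
            if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.digest):
                return candidate
        return None

    def change_passphrase(self, old, new):
        volume_key = self.unlock(old)
        if volume_key is None:
            raise ValueError("old passphrase does not open any slot")
        self.slots = []                      # the old slot is wiped
        self._add_slot(new, volume_key)      # same volume key, new wrapping

def demo():
    live = Header("passphrase-A")            # constructed sample passphrases
    volume_key = live.unlock("passphrase-A")
    backup = copy.deepcopy(live)             # header backup taken at this point
    live.change_passphrase("passphrase-A", "passphrase-B")
    return {
        "live_opens_with_A": live.unlock("passphrase-A") is not None,
        "live_opens_with_B": live.unlock("passphrase-B") is not None,
        "backup_opens_with_A": backup.unlock("passphrase-A") == volume_key,
        "backup_opens_with_B": backup.unlock("passphrase-B") is not None,
    }
```

In the model the backup still yields the same volume key with passphrase-A
after the live header has moved to passphrase-B, and it never opens with a
passphrase set after the backup was taken.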
