[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

Waqar Khan waqark3389temp at gmail.com
Thu Mar 30 12:18:24 CEST 2017

Arno, Michael,

Thank you for the information.

As a follow up. I will have a decrypted version of the master key
which I got via luksDump --dump-master-key. I checked the FAQ and cant
find something on how to overwrite a key slot with a good master key.
If I have this master key, what would be the process to replace the
passphrase in keyslot 0 with a new passphrase?

This is my process so far for backup in case of header corruption or
forgetting/changing passphrase:

1: Create a header backup:

Mount my encrypted USB drive
cd /mnt/encryptedUSB
cryptosetup luksHeaderBackup --header-backup-file
{hostname_partition_header}.bin /dev/xvdb1

2: Create a backup of the key:
cryptsetup luksDump --dump-master-key /dev/xvdb1 > {hostname_partition_dump}.txt
dmsetup table --target crypt --showkey /dev/mapper/encrypted >
(this is going onto an hardware encrypted USB. I might replace this
with Arno's suggestion and stick this into a safe)

3: Create a Keepass file and store the passphrase at the time
{hostname_partition_header}.bin was taken.

Any suggestions, holes in this plan?

Thanks again.

On Wed, Mar 29, 2017 at 7:32 PM, Arno Wagner <arno at wagner.name> wrote:
> On Wed, Mar 29, 2017 at 15:42:03 CEST, Waqar Khan wrote:
>> Hi,
>> I have read through the FAQ and its got a lot of useful information
>> from the backup section.
> Thanks!
> [...]
>> Lastly, a few people have access to this machine (through the same
>> passphrase), some work colleagues, how can I protect against one
>> disgruntled member leaving the company and changing the passphrase
>> (then unmounting the volume for good measure) and not telling anyone?
> Simple: Have a header backup with a known passphrase and make sure
> that potentially disgruntled employee cannot kill that backup.
> Then you can just restore that header backup and use the known
> good passphrase in there. I would recommend using a passphrase
> for this that is used nowhere else and is the only passphrase
> in that header.
> Alternatively, you could write down or print the master key on
> paper and put that in a sealed envelope and that in a safe
> or bank lockbox. You should probably encrypt the master-key with
> PGP/GnuPG before and will still get something that still easily
> fits on paper and can be typed in with reasonable effort, but
> is less exposed than an unprotected master key and can be stored
> in a place where it is just not easily destroyed,
> Of course, you can also put a header-backup on paper, but that
> takes something like 50 pages or so if you just store the first
> keyslot.
> Regards,
> Arno
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

More information about the dm-crypt mailing list