[dm-crypt] Best practice for storing header backup and protecting against mistakes/misuse.

Michael Kjörling michael at kjorling.se
Thu Mar 30 12:57:32 CEST 2017

On 30 Mar 2017 11:18 +0100, from waqark3389temp at gmail.com (Waqar Khan):
> As a follow up. I will have a decrypted version of the master key
> which I got via luksDump --dump-master-key. I checked the FAQ and cant
> find something on how to overwrite a key slot with a good master key.
> If I have this master key, what would be the process to replace the
> passphrase in keyslot 0 with a new passphrase?

If you have a full header backup, then you can use that to restore the
container header via `cryptsetup luksHeaderRestore`, or you can use a
detached header via `cryptsetup --header`.

If you have only the master key, then you can write a new header
(possibly detached) with that specific master key using `cryptsetup
luksFormat --master-key-file`. I recommend making a fresh header
backup first in that case, in case you make a mistake.

Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

More information about the dm-crypt mailing list