[dm-crypt] How to attach a LUKS header to an encrypted container?

Mikhail Morfikov mmorfikov at gmail.com
Thu Feb 15 16:46:34 CET 2018

On 2018-02-15 16:38, Ondrej Kozina wrote:
> Hi,
> On 02/15/2018 03:56 PM, Mikhail Morfikov wrote:
>> So the header was created on the /boot/ partition instead of the sdb1 partition.
>> The /boot/ partition is placed on a micro sd card, but unfortunately my laptop
>> isn't able to boot from the sd card, and now I have to "reattach" the header to
>> the encrypted partition.
> If there's real data on /dev/sdb1 it won't be easy. The LUKS header is supposed
> to be placed in the head part of your device. The restore process would
> overwrite your ciphertext data (usually filesystem superblock plus some data).
> In fact, that's what the message was trying to warn you about.
>> The question is how to do it properly, of course if it's doable at all? Will the
>> "luksHeaderRestore" command be useful in this case, or do I have to do some
>> magic to attach the header to the encrypted container?
> You would have to shift the filesystem/data and make a free space in the head
> area of /dev/sdb1 for the LUKS header. It's possible but in my opinion it's not
> worth the risk. So, if you have a spare drive I'd perhaps copy all data to a new
> drive and later luksFormat the /dev/sdb1 again with luks header placed in the
> head of /dev/sdb1. But sure it depends what's the size of your data and so on.
>> I checked what will happen when I issue the "luksHeaderRestore" command giving
>> it the header file, but it gives me the following warning, and I don't know
>> whether I should say "YES" to that question.
>> ========
>> Device /dev/sdb1 does not contain LUKS2 header. Replacing header can destroy
>> data on that device.
> The warning is correct. Don't answer yes if you have real data on /dev/sdb1.
> Regards
> Ondrej

Thanks for the answer. I see what I can do about it.
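
The check discussed in this thread, as an added example that is not part of the original messages or of cryptsetup: a read-only shell pre-check that looks for the LUKS magic at the head of a device and reports how many bytes a header restore would land on. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only pre-check before `cryptsetup luksHeaderRestore`.

# Print luks1, luks2 or none for whatever sits at offset 0 of file/device $1.
luks_at_head() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    ver=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo none; return; }  # "LUKS" 0xba 0xbe
    case "$ver" in
        0001) echo luks1 ;;
        0002) echo luks2 ;;
        *)    echo none ;;
    esac
}

# check_restore_target HEADER_FILE DEVICE
# Returns 1 when DEVICE has no LUKS header at its head, i.e. the restore would
# land on whatever is stored there now (the situation in this thread).
# A return of 0 only means a header is already present; cryptsetup still
# performs its own checks and prompts.
check_restore_target() {
    size=$(wc -c < "$1" | tr -d ' ')
    found=$(luks_at_head "$2")
    if [ "$found" = none ]; then
        echo "STOP: $2 has no LUKS header; restore would overwrite its first $size bytes"
        return 1
    fi
    echo "$2 starts with a $found header; restore would replace it ($size bytes)"
}

# Constructed sample files (not real LUKS metadata): a 4096-byte "header backup"
# that carries only the magic and version, and a "partition" of opaque data.
make_samples() {
    { printf 'LUKS\272\276\000\002'; dd if=/dev/zero bs=1 count=4088 2>/dev/null; } > "$1/header.img"
    { printf 'opaque-ciphertext'; dd if=/dev/zero bs=1 count=8175 2>/dev/null; } > "$1/raw.img"
}

if [ $# -eq 2 ]; then
    check_restore_target "$1" "$2"      # real use: header backup file, then device
else
    tmp=$(mktemp -d) && make_samples "$tmp"
    check_restore_target "$tmp/header.img" "$tmp/raw.img" || true
    rm -rf "$tmp"
fi
```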
