[dm-crypt] How to attach a LUKS header to an encrypted container?

Ondrej Kozina okozina at redhat.com
Thu Feb 15 16:38:14 CET 2018


On 02/15/2018 03:56 PM, Mikhail Morfikov wrote:
> So the header was created on the /boot/ partition instead of the sdb1 partition.
> The /boot/ partition is placed on a micro sd card, but unfortunately my laptop
> isn't able to boot from the sd card, and now I have to "reattach" the header to
> the encrypted partition.
If there's real data on /dev/sdb1 it won't be easy. The LUKS header is 
supposed to be placed in the head part of your device. The restore 
process would overwrite your ciphertext data (usually filesystem 
superblock plus some data). In fact, that's what the message was trying 
to warn you about.

> The question is how to do it properly, of course if it's doable at all? Will the
> "luksHeaderRestore" command be useful in this case, or do I have to do some
> magic to attach the header to the encrypted container?

You would have to shift the filesystem/data and make a free space in the 
head area of /dev/sdb1 for the LUKS header. It's possible but in my 
opinion it's not worth the risk. So, If you have a spare drive I'd 
perhaps copy all data to a new drive and later luksFormat the /dev/sdb1 
again with luks header placed in the head of /dev/sdb1. But sure it 
depends what's the size of your data and so on.

> I checked what will happen when I issue the "luksHeaderRestore" command giving
> it the header file, but it gives me the following warning, and I don't know
> whether I should say "YES" to that question.
> ========
> Device /dev/sdb1 does not contain LUKS2 header. Replacing header can destroy
> data on that device.

The warning is correct. Don't answer yes if you have real data on /dev/sdb1.


More information about the dm-crypt mailing list