[dm-crypt] How to attach a LUKS header to an encrypted container?

Mikhail Morfikov mmorfikov at gmail.com
Fri Feb 16 01:33:29 CET 2018

On 2018-02-15 16:46, Mikhail Morfikov wrote:
> On 2018-02-15 16:38, Ondrej Kozina wrote:
>> Hi,
>> On 02/15/2018 03:56 PM, Mikhail Morfikov wrote:
>>> So the header was created on the /boot/ partition instead of the sdb1 partition.
>>> The /boot/ partition is placed on a micro sd card, but unfortunately my laptop
>>> isn't able to boot from the sd card, and now I have to "reattach" the header to
>>> the encrypted partition.
>> If there's real data on /dev/sdb1 it won't be easy. The LUKS header is supposed
>> to be placed in the head part of your device. The restore process would
>> overwrite your ciphertext data (usually filesystem superblock plus some data).
>> In fact, that's what the message was trying to warn you about.
>>> The question is how to do it properly, of course if it's doable at all? Will the
>>> "luksHeaderRestore" command be useful in this case, or do I have to do some
>>> magic to attach the header to the encrypted container?
>> You would have to shift the filesystem/data and make a free space in the head
>> area of /dev/sdb1 for the LUKS header. It's possible but in my opinion it's not
>> worth the risk. So, If you have a spare drive I'd perhaps copy all data to a new
>> drive and later luksFormat the /dev/sdb1 again with luks header placed in the
>> head of /dev/sdb1. But sure it depends what's the size of your data and so on.
>>> I checked what will happen when I issue the "luksHeaderRestore" command giving
>>> it the header file, but it gives me the following warning, and I don't know
>>> whether I should say "YES" to that question.
>>> ========
>>> Device /dev/sdb1 does not contain LUKS2 header. Replacing header can destroy
>>> data on that device.
>> The warning is correct. Don't answer yes if you have real data on /dev/sdb1.
>> Regards
>> Ondrej
> Thanks for the answer. I see what I can do about it.
I have a few question concerning the detached headers.

1. Is there a way to change data offset? I'm asking because the detached header
has the data offset set to 0 (if I'm reading it right):

Data segments:
  0: crypt
        offset: 0 [bytes]
        length: (whole device)

And if I just placed the header in front of the encrypted container, it would
give some error: "Reduced data offset is allowed only for detached LUKS header".
So this data offset should be changed somehow in order to make the header work.

2. Is there a way to set the data offset during the creation time of the
encrypted container? I really thought that when the header is detached, some
zeroes (or something else) is written to the header's area. Is such case, it
wouldn't be a problem to attach the header to the encrypted container.

3. The header is 4 MiB in size, so the data offset should be 4 MiB, right?

4. I have 2 GiB of free space at the beginning of the drive (just in case of
creating a /boot/ partition for this disk), so there's no problem with enlarging
the main partition. Would it work if I resized the partition (+4 MiB for the
header), and then create a normal LUKS header with the key extracted from the
detached header?

More information about the dm-crypt mailing list