[dm-crypt] How to attach a LUKS header to an encrypted container?

Arno Wagner arno at wagner.name
Fri Feb 16 02:34:08 CET 2018

Hi Mikhail,

1. The offset is not protected, You can just edit it.
FAQ item 6.12 should give you an idea where the 
repective number is.

The FAQ is here:

2. Best make a regular container, and then remove the
header by copying it out and zeroing where it was.
You can make a new header with the same master-key
for your existing container when you have shifted the
data, see FAQ item 6.10. You may have to correct
the offsets for the IVs though.

It is much easier to get a second disk and copy everything 
over to the format you want. And you need backup anyways
(FAQ Item 6.1), so you can just do a backup and then
restore into a new LUKS container. (You have backup, right?)

3. Essentially yes, but there is some alignment. Best way to 
be sure is to create a new LUKS container and check the values 
there. Can be done iin a file, say 100M in size, as LUKS
on-disk format does not care about device size. 
See FAQ Item 2.6

4. Maybe. Depends on the offset calculation for IVs.
I think they are relative to the start of the data area, but
they may be relative to the start of the header. Since LUKS
generally has a very sane design, I would expect the former,
but I do not actually know.


On Fri, Feb 16, 2018 at 01:33:29 CET, Mikhail Morfikov wrote:
> I have a few question concerning the detached headers.
> 1. Is there a way to change data offset? I'm asking because the detached header
> has the data offset set to 0 (if I'm reading it right):
> ...
> Data segments:
>   0: crypt
>         offset: 0 [bytes]
>         length: (whole device)
> ...
> And if I just placed the header in front of the encrypted container, it would
> give some error: "Reduced data offset is allowed only for detached LUKS header".
> So this data offset should be changed somehow in order to make the header work.
> 2. Is there a way to set the data offset during the creation time of the
> encrypted container? I really thought that when the header is detached, some
> zeroes (or something else) is written to the header's area. Is such case, it
> wouldn't be a problem to attach the header to the encrypted container.
> 3. The header is 4 MiB in size, so the data offset should be 4 MiB, right?
> 4. I have 2 GiB of free space at the beginning of the drive (just in case of
> creating a /boot/ partition for this disk), so there's no problem with enlarging
> the main partition. Would it work if I resized the partition (+4 MiB for the
> header), and then create a normal LUKS header with the key extracted from the
> detached header?
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list