[dm-crypt] How to attach a LUKS header to an encrypted container?

Mikhail Morfikov mmorfikov at gmail.com
Fri Feb 16 15:11:19 CET 2018

On 2018-02-16 02:34, Arno Wagner wrote:
> Hi Mikhail,
> 1. The offset is not protected, You can just edit it.
> FAQ item 6.12 should give you an idea where the 
> repective number is.
> The FAQ is here:
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
> 2. Best make a regular container, and then remove the
> header by copying it out and zeroing where it was.
> You can make a new header with the same master-key
> for your existing container when you have shifted the
> data, see FAQ item 6.10. You may have to correct
> the offsets for the IVs though.
> It is much easier to get a second disk and copy everything 
> over to the format you want. And you need backup anyways
> (FAQ Item 6.1), so you can just do a backup and then
> restore into a new LUKS container. (You have backup, right?)
> 3. Essentially yes, but there is some alignment. Best way to 
> be sure is to create a new LUKS container and check the values 
> there. Can be done iin a file, say 100M in size, as LUKS
> on-disk format does not care about device size. 
> See FAQ Item 2.6
> 4. Maybe. Depends on the offset calculation for IVs.
> I think they are relative to the start of the data area, but
> they may be relative to the start of the header. Since LUKS
> generally has a very sane design, I would expect the former,
> but I do not actually know.
> Regards,
> Arno
> On Fri, Feb 16, 2018 at 01:33:29 CET, Mikhail Morfikov wrote:
>> I have a few question concerning the detached headers.
>> 1. Is there a way to change data offset? I'm asking because the detached header
>> has the data offset set to 0 (if I'm reading it right):
>> ...
>> Data segments:
>>   0: crypt
>>         offset: 0 [bytes]
>>         length: (whole device)
>> ...
>> And if I just placed the header in front of the encrypted container, it would
>> give some error: "Reduced data offset is allowed only for detached LUKS header".
>> So this data offset should be changed somehow in order to make the header work.
>> 2. Is there a way to set the data offset during the creation time of the
>> encrypted container? I really thought that when the header is detached, some
>> zeroes (or something else) is written to the header's area. Is such case, it
>> wouldn't be a problem to attach the header to the encrypted container.
>> 3. The header is 4 MiB in size, so the data offset should be 4 MiB, right?
>> 4. I have 2 GiB of free space at the beginning of the drive (just in case of
>> creating a /boot/ partition for this disk), so there's no problem with enlarging
>> the main partition. Would it work if I resized the partition (+4 MiB for the
>> header), and then create a normal LUKS header with the key extracted from the
>> detached header?
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
Yes, I think it will be better to copy everything to some other disk and then
recreate the container with a new header attached to it. And yes, in the future
I will always create a container with it's header and then detach the header if
needed because it's a way easier to handle such containers.

Anyways, I'm gonna make a test container and see how reattaching the heder works
in practice because I don't really want to loose the data on my disk, and I want
to know what happens when such header is reattached. :)

More information about the dm-crypt mailing list