[SOLVED] Backing Up Encrypted System Headers

Postby Valk on Tue Oct 08, 2013 5:56 am

When installing Mint 15 I took the option of using the entire disk and encrypting it. I have been advised to back up the headers using "cryptsetup header-backup-file".
I'm not sure of the correct use of this command.
Can anyone help?
Last edited by Valk on Tue Oct 08, 2013 12:52 pm, edited 2 times in total.

Re: Backing Up Encrypted System Headers

Postby xenopeek on Tue Oct 08, 2013 7:58 am

See item 6.2 in the cryptsetup FAQ: http://code.google.com/p/cryptsetup/wik ... a_Recovery. And the cryptsetup manpage section for that command (read it, this is important!):
Code:
       luksHeaderBackup <device> --header-backup-file <file>

              Stores a binary backup of the LUKS header and keyslot area.
              Note: Using '-' as filename writes the header backup to a file named '-'.

              WARNING:  This  backup file and a passphrase valid at the time of backup allows decryption of the LUKS data
              area, even if the passphrase was later changed or removed from the LUKS  device.  Also  note  that  with  a
              header backup you lose the ability to securely wipe the LUKS device by just overwriting the header and key-
              slots. You either need to securely erase all header backups in addition or  overwrite  the  encrypted  data
              area  as  well.   The second option is less secure, as some sectors can survive, e.g. due to defect manage‐
              ment.

I don't have an encrypted Linux Mint install, but I do have an encrypted Arch Linux install, also using dm-crypt + LUKS. I just made a backup of my LUKS header with the following steps.

1. Find out what the device name of your encrypted / partition is. I did so with the command:
Code:
lsblk

This output the following (as an example, on your system it will be different):
Code:
NAME     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda        8:0    0   20G  0 disk 
├─sda1     8:1    0  100M  0 part  /boot
├─sda2     8:2    0 19.9G  0 part 
│ └─cda2 254:0    0 19.9G  0 crypt /
└─sda3     8:3    0 1007K  0 part 
sr0       11:0    1 1024M  0 rom

You can see sda2 is the device name under which the encrypted / partition is. So the full device name to use would be /dev/sda2.

2. Then I ran the command from the FAQ as:
Code:
sudo cryptsetup luksHeaderBackup --header-backup-file mybackup /dev/sda2

This created the file "mybackup" with the backup of the LUKS header for the encrypted / partition under /dev/sda2. The command returns almost immediately and gives no feedback unless there was a problem. Of course you need to change the command to reflect your device name. If you have doubts about it, please share the output of the command `lsblk`.

Edit: the backup file will be owned by root. You probably will want to change ownership of it to you and keep the file read-only. Assuming you named it "mybackup" you do that with:
Code:
sudo chown $(id -un):$(id -gn) mybackup

Or if you know your username and groupname, you may type them immediately also without using the $(id -?n) command to get them:
Code:
sudo chown yourusername:yourgroupname mybackup
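
Added example, not part of the thread and not cryptsetup's own code: a wrapper around the backup command from the post above that creates the file with owner-only permissions (the man page warns that the backup plus a valid passphrase decrypts the data) and then checks that the file starts with the LUKS magic bytes. The function names are hypothetical; the version check also accepts LUKS2, which goes beyond the setup discussed here.

```shell
#!/bin/sh
# Added example: back up a LUKS header and sanity-check the resulting file.
# The LUKS on-disk header starts with "LUKS" 0xBA 0xBE followed by a
# 16-bit big-endian version number.

# Print the LUKS version (1 or 2) found at the start of a file; fail otherwise.
luks_backup_version() {
    magic=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Succeed only if group and others have no access to the file.
backup_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Back up the header of DEVICE to FILE, then check the result.
# Needs root and a real LUKS device; the two checks above work on any file.
backup_luks_header() {
    dev=$1 out=$2
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
    # umask 077 in a subshell: the file is never group/world readable.
    ( umask 077
      cryptsetup luksHeaderBackup --header-backup-file "$out" "$dev" ) || return 1
    luks_backup_version "$out" >/dev/null ||
        { echo "not a LUKS header: $out" >&2; return 1; }
    backup_is_private "$out" ||
        { echo "backup readable by others: $out" >&2; return 1; }
    chmod 400 "$out"
}
```

Source the file in a root shell and call `backup_luks_header /dev/sda2 mybackup`, substituting the device name found with `lsblk`.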

Re: Backing Up Encrypted System Headers

Postby Valk on Tue Oct 08, 2013 10:30 am

Thanks for that xenopeek. It worked a treat.
This is the result of lsblk on my system.
Code:
NAME                         MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                            8:0    0   1.8T  0 disk 
├─sda1                         8:1    0   243M  0 part  /boot
├─sda2                         8:2    0     1K  0 part 
└─sda5                         8:5    0   1.8T  0 part 
  └─sda5_crypt (dm-0)        252:0    0   1.8T  0 crypt
    ├─mint--vg-root (dm-1)   252:1    0   1.8T  0 lvm   /
    └─mint--vg-swap_1 (dm-2) 252:2    0     8G  0 lvm   [SWAP]
sdb                            8:16   0   1.8T  0 disk 
├─sdb1                         8:17   0   100M  0 part 
└─sdb2                         8:18   0   1.8T  0 part 
sr0                           11:0    1  1024M  0 rom   

I used sda5 in the headerbackup command and it resulted in a 2Mb file.
I hope this was correct?
I am not too worried about the security exposure as the file resides on a TrueCrypt encrypted USB drive offsite.

Many thanks again.
Last edited by xenopeek on Tue Oct 08, 2013 11:48 am, edited 1 time in total.
Reason: Added code tags to preserve terminal output layout.

Re: Backing Up Encrypted System Headers

Postby xenopeek on Tue Oct 08, 2013 11:50 am

I got a 1 MB file, so 2 MB sounds like it would be about right :) On my Arch Linux install I'm not using LVM while Linux Mint is, so perhaps it is a bit bigger because of that.