When installing Mint 15 I took the option of using the entire disk and encrypting it. I have been advised to back up the headers using "cryptsetup header-backup-file".
I'm not sure of the correct use of this command.
Can anyone help?
[SOLVED] Backing Up Encrypted System Headers
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
[SOLVED] Backing Up Encrypted System Headers
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Backing Up Encrypted System Headers
See item 6.2 in the cryptsetup FAQ: http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery. And the cryptsetup manpage section for that command (read it, this is important!):
I don't have an encrypted Linux Mint install, but I do have a encrypted Arch Linux install. Also using dm-crypt + LUKS. I just made a backup of my LUKS header with following steps.
1. Find out what the device name of your encrypted / partition is. I did so with the command:
This output the following (as an example, on your system it will be different):
You can see sda2 is the device name under which the encrypted / partition is. So the full device name to use would be /dev/sda2.
2. Then I ran the command from the FAQ as:
This created the file "mybackup" with the backup of the LUKS header for the encrypted / partition under /dev/sda2. The command returns almost immediately and gives no feedback unless there was a problem. Of course you need to change to command to reflect your device name. If you have doubts about it, please share the output of the command `lsblk`.
Edit: the backup file will be owned by root. You probably will want to change ownership of it to you and keep the file read-only. Assuming you named it "mybackup" you do that with:
Or if you know your username and groupname, you may type them immediately also without using the $(id -?n) command to get them:
Code: Select all
luksHeaderBackup <device> --header-backup-file <file>
Stores a binary backup of the LUKS header and keyslot area.
Note: Using '-' as filename writes the header backup to a file named '-'.
WARNING: This backup file and a passphrase valid at the time of backup allows decryption of the LUKS data
area, even if the passphrase was later changed or removed from the LUKS device. Also note that with a
header backup you lose the ability to securely wipe the LUKS device by just overwriting the header and key-
slots. You either need to securely erase all header backups in addition or overwrite the encrypted data
area as well. The second option is less secure, as some sectors can survive, e.g. due to defect manage‐
ment.
1. Find out what the device name of your encrypted / partition is. I did so with the command:
Code: Select all
lsblk
Code: Select all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 100M 0 part /boot
├─sda2 8:2 0 19.9G 0 part
│ └─cda2 254:0 0 19.9G 0 crypt /
└─sda3 8:3 0 1007K 0 part
sr0 11:0 1 1024M 0 rom
2. Then I ran the command from the FAQ as:
Code: Select all
sudo cryptsetup luksHeaderBackup --header-backup-file mybackup /dev/sda2
Edit: the backup file will be owned by root. You probably will want to change ownership of it to you and keep the file read-only. Assuming you named it "mybackup" you do that with:
Code: Select all
sudo chown $(id -un):$(id -gn) mybackup
Code: Select all
sudo chown yourusername:yourgroupname mybackup
Re: Backing Up Encrypted System Headers
Thanks for that xenopeek. It worked a treat.
This is the result of lsblk on my system.
I used sda5 in the headerbackup command and it resulted in a 2Mb file.
I hope this was correct?
I am not too worried about the security exposure as the file resides on a Truecrypt encrypted USB drive offsite.
Many thanks again.
This is the result of lsblk on my system.
Code: Select all
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.8T 0 disk
├─sda1 8:1 0 243M 0 part /boot
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 1.8T 0 part
└─sda5_crypt (dm-0) 252:0 0 1.8T 0 crypt
├─mint--vg-root (dm-1) 252:1 0 1.8T 0 lvm /
└─mint--vg-swap_1 (dm-2) 252:2 0 8G 0 lvm [SWAP]
sdb 8:16 0 1.8T 0 disk
├─sdb1 8:17 0 100M 0 part
└─sdb2 8:18 0 1.8T 0 part
sr0 11:0 1 1024M 0 rom
I hope this was correct?
I am not too worried about the security exposure as the file resides on a Truecrypt encrypted USB drive offsite.
Many thanks again.
Last edited by xenopeek on Tue Oct 08, 2013 11:48 am, edited 1 time in total.
Reason: Added code tags to preserve terminal output layout.
Reason: Added code tags to preserve terminal output layout.
Re: Backing Up Encrypted System Headers
I got a 1 MB file, so 2 MB sounds like it would be about right On my Arch Linux install I'm not using LVM while Linux Mint is, so perhaps it is a bit bigger because of that.