How to backup and restore LUKS header on Linux

Previously, I explained how to encrypt Linux partitions or disks with LUKS (Linux Unified Key Setup)/dm-crypt. In this quick blog post, I will explain how to back up and restore the LUKS header for emergency purposes. A backup is useful for recovering from misconfigurations, a corrupted header, or a forgotten or unknown passphrase.


Why backup and restore LUKS header on Linux?

LUKS is the standard method on Linux based systems for protecting data and disks, especially on mobile devices such as Linux laptops. However, LUKS also creates additional challenges, such as:

  1. A misconfiguration of either the /etc/fstab or the /etc/crypttab file will prevent your Linux based laptop from booting. These files provide hints for decryption while booting the system. The file /etc/crypttab contains descriptive information about encrypted filesystems and is only read by LUKS programs. The Linux system administrator has to create and maintain this file appropriately.
  2. Verify that /etc/fstab and /etc/crypttab are correct and that their entries match your setup using the cat command:
    cat /etc/fstab /etc/crypttab
  3. A forgotten password or passphrase may cause LUKS decryption to fail at boot time. Currently, there is no way to recover a LUKS passphrase. Sometimes a sysadmin or user changes their LUKS password to an unknown value. Please note that LUKS currently allows a total of eight passphrase or key slots per encrypted disk. A Linux sysadmin can use those other keys or passphrases, if they were created, to reset the forgotten password. However, if a backup of the LUKS header exists, we can restore the header from the backup and use a previously working passphrase/password.

Dealing with LUKS encrypted disks or volumes

Let's see how to create a LUKS header backup and restore it in case the need arises later. To list encrypted disks or volumes, enter:
$ sudo dmsetup ls --target crypt

[sudo] password for vivek: 
md1_crypt	(253, 0)

Run the lsblk command:
$ lsblk
$ lsblk /dev/md1


So /dev/md1 is a Linux software RAID1 device, encrypted as md1_crypt. Further, LVM is used to create the root and swap partitions. In other words, my root and swap are fully encrypted and protected with RAID1. Next, list your /etc/fstab and /etc/crypttab too and make sure they are correctly mapped:
$ cat /etc/fstab
$ cat /etc/crypttab

Your setup might be simpler, without RAID1 or LVM. Hence, you need to find out the exact device names for your own system and adjust the commands below accordingly.

To recover data from encrypted files/volumes, back up the following:

  • /etc/fstab file
  • /etc/crypttab file
  • LUKS header

Step 1 – Dumping the LUKS header

Run the following command to find out information about the encrypted disk or volume:
$ sudo cryptsetup luksDump /dev/DEVICE
$ sudo cryptsetup luksDump /dev/sdb2
$ sudo cryptsetup luksDump /dev/md1

LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	b5f93bb5-ba76-41fe-a996-ab5b69947f61
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)
 
Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]
 
Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  4
	Memory:     673681
	Threads:    4
	Salt:       1e 68 17 ca 2c c5 b5 fa 2b 8b 59 6a 73 ca 1c 20 
	            f7 99 06 63 4e fa 49 3d 12 71 ac 6a bb 41 ec 58 
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 145635
	Salt:       95 2c 81 91 8c 1e ad 69 4d 51 18 13 4c 36 c0 25 
	            c5 5c 9d 16 c3 0f 3f 79 fa 84 ad 4b 65 49 17 ec 
	Digest:     79 8a 05 d0 31 ba 7a ec fe f2 b1 da 3f d8 17 e1 
	            eb f8 2c b1 a7 7e ed 26 59 9e 7a 02 b3 95 0c 03

Step 2 – Backing up LUKS header

Make a backup of your LUKS header for future use:
$ sudo cryptsetup luksHeaderBackup /dev/DEVICE \
--header-backup-file /path/to/backupfile
$ sudo cryptsetup luksHeaderBackup /dev/sdb2 \
--header-backup-file /nas/vivek/laptop.dell.m6700.luks.bin
$ sudo cryptsetup luksHeaderBackup /dev/md1 \
--header-backup-file /root/laptop.thinkpad.luks.bin

To show information about the backup file named /root/laptop.thinkpad.luks.bin, run the file command, the stat command, or the cryptsetup command:
$ sudo file /root/laptop.thinkpad.luks.bin
$ sudo stat /root/laptop.thinkpad.luks.bin
$ sudo cryptsetup luksDump /root/laptop.thinkpad.luks.bin

WARNING – Make sure you store your backup file named /root/laptop.thinkpad.luks.bin securely offline. I use my home NAS server and a USB stick. The backup contains every keyslot of the device, so anyone who obtains it together with a passphrase that was valid when the backup was taken can unlock the disk. This file must also remain off the encrypted device itself; otherwise, you may not be able to reach it when you need to restore.

Step 3 – Restoring LUKS header when needed

Now let us say something terrible happened. All you have to do is boot your system/laptop from a boot disk and restore the old LUKS header from the laptop.thinkpad.luks.bin backup file as follows:
# cryptsetup luksHeaderRestore /dev/DEVICE --header-backup-file /path/to/backup_header_file
## Assuming that you mounted /nas/ using NFS ##
# cryptsetup luksHeaderRestore /dev/md1 --header-backup-file /nas/vivek/laptop.thinkpad.luks.bin

WARNING!
========
Device /dev/md1 already contains LUKS2 header. Replacing header will destroy existing keyslots.

Are you sure? (Type uppercase yes): YES

Step 4 – Test it

Run the following commands to open the encrypted disk and mount it (you need to provide the old password):
# cryptsetup luksOpen /dev/DEVICE name
# cryptsetup luksOpen /dev/md1 test
# mkdir /test
# mount /dev/mapper/test_root /test
# df -H
# mount

Reboot the Linux system:
# reboot
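The backup in step 2 is only worth having if it actually parses as a LUKS header for the right device. The script below is an added example, not part of the original post or of cryptsetup: it wraps luksHeaderBackup, compares the UUID reported by luksDump for the device and for the backup file, records a checksum for a later restore, and prints the UUID and keyslot count. It assumes cryptsetup is installed, that it runs as root, and that the CRYPTSETUP variable may point at a stand-in command for testing.

```shell
#!/bin/sh
# Added example, not from the original post: back up a LUKS header and verify
# the backup before relying on it. Assumes cryptsetup is installed and the
# script runs as root; CRYPTSETUP may name a stand-in command for testing.
set -eu

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Read luksDump output on stdin and print its UUID field (LUKS1 and LUKS2).
dump_uuid() {
    awk -F: '$1 == "UUID" { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Read luksDump output on stdin and count the LUKS2 keyslot entries ("0: luks2", ...).
keyslot_count() {
    awk '/^[ \t]*[0-9]+: luks[12]/ { n++ } END { print n + 0 }'
}

# backup_header DEVICE FILE: write the header of DEVICE to FILE, then check that
# FILE parses as a LUKS header whose UUID matches the device. On success prints
# "<uuid> <keyslots>"; on mismatch removes FILE and returns 1.
backup_header() {
    dev="$1"; out="$2"
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing backup $out" >&2; return 1
    fi
    umask 077   # the backup holds every keyslot, so make it owner-readable only
    "$CRYPTSETUP" luksHeaderBackup "$dev" --header-backup-file "$out"
    dev_dump=$("$CRYPTSETUP" luksDump "$dev")
    bak_dump=$("$CRYPTSETUP" luksDump "$out")
    dev_uuid=$(printf '%s\n' "$dev_dump" | dump_uuid)
    bak_uuid=$(printf '%s\n' "$bak_dump" | dump_uuid)
    if [ -z "$dev_uuid" ] || [ "$dev_uuid" != "$bak_uuid" ]; then
        echo "backup does not match device: device=$dev_uuid backup=$bak_uuid" >&2
        rm -f "$out"; return 1
    fi
    # Record a checksum so a restore months later can first confirm the file is intact.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$out" > "$out.sha256"; fi
    printf '%s %s\n' "$dev_uuid" "$(printf '%s\n' "$bak_dump" | keyslot_count)"
}

# Typical use (as root): backup_header /dev/md1 /root/laptop.thinkpad.luks.bin
```

Before a restore, `sha256sum -c /path/to/backup.sha256` and `cryptsetup luksDump /path/to/backup` give the same two checks again from the rescue system.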

Conclusion

You learned about the various files and procedures needed to back up and restore LUKS headers after a misconfiguration or an unknown or forgotten password on a Linux based system. Each setup is unique and different. I hope this guide provides you with enough material to successfully back up and restore a secured filesystem when needed. See the cryptsetup project for more documentation.

3 comments
  • IN_OUT Oct 27, 2020 @ 14:35

    Thanks, I was looking for how to create a LUKS header backup and restore it in case of emergency on my Dell laptop.

  • Mannara Oct 30, 2020 @ 7:46

    Hi,

    I forgot my password (I know I am so stupid for not making backups) and can't log in to my Ubuntu-based Dell XPS 13 developer laptop. Dell support said they couldn't help with that. Is there any way I can rescue my Ubuntu disk to get back my files? I have PHP and MySQL project files, and I need those badly. Please help.

    • 🐧 Vivek Gite Oct 30, 2020 @ 7:52

      I am afraid that there is no way to recover data if you forgot your passphrase. That is the whole point of encryption: to avoid data theft if you lose your disk or your laptop is stolen by someone. All you can do is start over, and your data is gone forever. I would strongly suggest that you make daily backups. Ubuntu has an inbuilt app called DejaDup: https://wiki.gnome.org/Apps/DejaDup/Details

      HTH
