Backup LUKS header

Thu, Oct 10, 2019 17:15 CEST

Tags: Security, Backup, Encryption, LUKS

LUKS partitions cannot be recovered once the header is lost.

Create a directory only accessible by root with a ramfs

mkdir /root/<tmp>
mount ramfs /root/<tmp> -t ramfs

To create a backup image

cryptsetup luksHeaderBackup /dev/<device> --header-backup-file /root/<tmp>/<file>.img

To encrypt the image with gpg

gpg2 --recipient <User ID> --encrypt /root/<tmp>/<file>.img

Then move the encrypted file around. Finally, unmount ramfs directory

umount /root/<tmp>

See also https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Backup_and_restore