Luks keys… and luks encrypted drives:

Warning: Always backup the LUKS header before performing any maintenance on the hard drive!.

How to backup the luks header:
Drive: /dev/sdb [Example]

Name: /tmp/mybackup [Example]

cryptsetup luksHeaderBackup $DRIVE --header-backup-file $NAME

Add a LUKS key:

Deckey: Would be your passphrase key for decrypting your drive [first key when setting up the encrypted drive].

Slot: Luks has 8 possible slots, so you have to tell it where to store the key, ranges from 0 to 7.

Keylocation: Store the key you want to use somewhere, and pass it’s path there. Example /tmp/mykey, this is the safest way.

echo $DECKEY | cryptsetup luksAddKey --key-slot $SLOT $DRIVE $KEYLOCATION

Remove a LUKS key:

Using specific passphrase:

cryptsetup luksRemoveKey $DRIVE

Using a kill-slot, you can now use any passphrase remaining on the header to kill it:

cryptsetup luksKillSlot $DRIVE $SLOT

In both cases, you input the passphrase; there’s no further confirmation. If you want to remove it programmatically:

echo [passphrase] | cryptsetup luksKillSlot|luksRemoveKey $DRIVE

Now you can backup the header, remove the key, add the key…

Restore backup header:

PathToBackup: format /tmp/backupfile

cryptsetup luksHeaderRestore $DRIVE --header-backup-file $PATHTOBACKUP

Drive will be now restored; watch out, if the wrong backup file is used, your data may be now scrambled eggs.


Sr. Software Engineer with over 10 years of experience. Hobbist photographer and mechanic. Tinkering soul in an endeavor to better understand this world. Love traveling, drinking coffee, and investments.

You may also like

Removing Linux User

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: