
LUKS keys… and LUKS-encrypted drives:

Warning: Always back up the LUKS header before performing any maintenance on the hard drive!

How to back up the LUKS header:
Drive: /dev/sdb [Example]

Name: /tmp/mybackup [Example]

cryptsetup luksHeaderBackup $DRIVE --header-backup-file $NAME

Add a LUKS key:

Deckey: Your existing passphrase for decrypting the drive [the first key, set when the encrypted drive was created].

Slot: LUKS has 8 possible slots, so you have to tell it where to store the key. Slots range from 0 to 7.

Keylocation: Store the key you want to use somewhere, and pass its path there. Example /tmp/mykey, this is the safest way.

echo "$DECKEY" | cryptsetup luksAddKey --key-slot "$SLOT" "$DRIVE" "$KEYLOCATION"

Remove a LUKS key:

Using specific passphrase:

cryptsetup luksRemoveKey $DRIVE

Using luksKillSlot, you can use any passphrase remaining on the header to kill the slot:

cryptsetup luksKillSlot $DRIVE $SLOT

In both cases you input the passphrase and there’s no further confirmation. If you want to remove it programmatically, pipe the passphrase to either command:

echo '[passphrase]' | cryptsetup luksRemoveKey $DRIVE
echo '[passphrase]' | cryptsetup luksKillSlot $DRIVE $SLOT

Now you can back up the header, remove the key, add the key…

Restore backup header:

PathToBackup: format /tmp/backupfile

cryptsetup luksHeaderRestore $DRIVE --header-backup-file $PATHTOBACKUP

The drive will now be restored. Watch out: if the wrong backup file is used, your data may now be scrambled eggs.
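
An added example, not part of the original post: a pre-restore check for the wrong-backup-file case. It reads the LUKS magic bytes and the UUID field (byte offset 168 in both LUKS1 and LUKS2 headers) from the backup file and from the drive. The function names and the sample-header helper are hypothetical, and reading the real drive requires root.

```shell
#!/bin/sh
# Added example: sanity-check a LUKS header backup before running
# `cryptsetup luksHeaderRestore`. All function names are hypothetical.

# Print the first 6 bytes of a file as hex.
magic_hex() {
    head -c 6 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeed only if the file starts with the LUKS magic "LUKS\xba\xbe".
is_luks_header() {
    [ "$(magic_hex "$1")" = "4c554b53babe" ]
}

# Print the header UUID: 36 ASCII characters at byte offset 168.
luks_uuid() {
    dd if="$1" bs=1 skip=168 count=36 2>/dev/null
}

# Return 0 if backup and target carry the same UUID,
#        1 if the backup is not a LUKS header or the UUIDs differ,
#        2 if the target header is unreadable (damaged), so no comparison
#          is possible and the backup must be identified by other means.
backup_matches() {   # usage: backup_matches BACKUP TARGET
    is_luks_header "$1" || { echo "$1: not a LUKS header" >&2; return 1; }
    is_luks_header "$2" || { echo "$2: no LUKS header, cannot compare" >&2; return 2; }
    [ "$(luks_uuid "$1")" = "$(luks_uuid "$2")" ] && return 0
    echo "UUID mismatch: $1 vs $2" >&2
    return 1
}

# Constructed sample header for offline testing: magic, version 1,
# zero padding up to offset 168, then the UUID passed as $2.
make_sample_header() {   # usage: make_sample_header FILE UUID
    { printf 'LUKS\272\276\000\001'
      head -c 160 /dev/zero
      printf '%s' "$2"; } > "$1"
}
```

Typical use is `backup_matches /tmp/backupfile /dev/sdb` before the restore command; a return code of 2 is the damaged-header case, where the drive cannot confirm which backup belongs to it.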
