April 14, 2013TakeLAN Connector- Administration to the next level
Luks keys… and luks encrypted drives:
Warning: Always backup the LUKS header before performing any maintenance on the hard drive!.
How to backup the luks header:
Drive: /dev/sdb [Example]
Name: /tmp/mybackup [Example]
cryptsetup luksHeaderBackup $DRIVE --header-backup-file $NAME
Add a LUKS key:
Deckey: Would be your passphrase key for decrypting your drive [first key when setting up the encrypted drive].
Slot: Luks has 8 possible slots, so you have to tell it where to store the key, ranges from 0 to 7.
echo $DECKEY | cryptsetup luksAddKey --key-slot $SLOT $DRIVE $KEYLOCATION
Remove a LUKS key:
Using specific passphrase:
cryptsetup luksRemoveKey $DRIVE
Using a kill-slot, you can now use any passphrase remaining on the header to kill it:
cryptsetup luksKillSlot $DRIVE $SLOT
In both cases you input the passphrase, there’s no further confirmation. If you want to programmatically remove it:
echo [passphrase] | cryptsetup luksKillSlot|luksRemoveKey $DRIVE
Now you can backup the header, remove the key, add the key…
Restore backup header:
PathToBackup: format /tmp/backupfile
cryptsetup luksHeaderRestore $DRIVE --header-backup-file $PATHTOBACKUP
Drive will be now restored, watch out, if wrong backup file is used, your data may be now scrambled eggs.