132
134
The 'check' option in crypttab allows to configure checks to be run against
133
135
the target device after cryptsetup has been invoked.
134
The default check 'vol_id' can check for any known filesystem type, as it uses
135
vol_id from udev. you can check for a particular filesystem by giving for
136
The default check 'blkid' can check for any known filesystem type, as it uses
137
blkid from util-linux. you can check for a particular filesystem by giving for
136
138
example 'checkargs=ext2' or 'checkargs=swap' as an option in /etc/crypttab.
138
140
The 'precheck' option is for configuring checks to be run against the source
199
201
That's it. Now that the encrypted root device is unlocked, the remote system
200
202
should continue with the boot process.
204
/usr/share/doc/cryptsetup/README.remote.gz is a documentation with more
205
details on the setup of an initramfs with suppurt to remotely unlock the
209
8. Backup the LUKS header
210
-------------------------
212
The LUKS header is located at the beginning of every LUKS encrypted device.
213
It stores information such as used cipher, hash, etc. But most importantly,
214
the header contains eight keyslots, which do keep an encrypted version of the
215
LUKS masterkey. the data on an encrypted LUKS partition is encrypted with this
216
masterkey. thus, there's no way to restore the data once the masterkey is
217
lost. For that reason, one might want to backup the LUKS header in order to
218
prevent accidential data loss.
220
On the other hand keeping a backup of the LUKS header isn't recommended for
221
security reasons. The reason is, that LUKS was designed with key revocation in
222
mind. Once the LUKS header is copied to a backup, revoking a (possibly
223
compromised) passphrase or keyfile from the keyslot isn't enough anymore. the
224
revoked passphrase/keyfile can easily be reactived by writing back the header
225
backup to the device.
227
If you still want to store a backup of your LUKS header with these drawbacks
228
in mind, at least do it the following way:
230
Search for the 'Payload offset' in the output of
232
# cryptsetup luksDump <luks-device>
234
Prepare a ramdisk to store the backup temporarely. You should do that in order
235
to prevent any hardware caching functions or filesystem jounals to copy the
236
backup around to places you cannot control. If you want to store the backup
237
permanently, write it to a read-only medium like CD immediately from ramdisk,
238
without your burning program writing an intermediate image to some temp dir.
240
To actually backup the header, use the following command:
242
# dd if=<luks-device> of=<destination-on-ramdisk> count=<payload-offset>
244
That's it. But once again, keep in mind all the security implications when
245
doing LUKS header backups. In general it's better to backup the data from
246
encrypted LUKS devices to another encrypted LUKS device. That way you can
247
manage the keyslots for both original and backup device independently.
206
253
People who contributed to documentation for the Debian cryptsetup package:
210
257
Bastian Kleineidam <calvin@debian.org>
211
258
Michael Gebetsroither <michael.geb@gmx.at>
213
-- Jonas Meurer <mejo@debian.org>, Sun, 27 Jul 2008 17:02:56 +0200
260
-- Jonas Meurer <mejo@debian.org>, Tue, 01 Sep 2009 12:20:51 +0200