Creating a Secondary LUKS Passphrase and LUKS Header Backup

Hands-On Lab

 

Bob Salmans

Training Architect

Length

00:30:00

Difficulty

Intermediate

In this hands-on lab, we will create a secondary passphrase for a LUKS-encrypted volume, which can be used to recover the volume's encrypted data if the primary passphrase ever becomes corrupted. Then we'll create a backup of the entire LUKS header, which can be used to recover the encrypted data if the entire LUKS header ever becomes corrupted.


Connecting to the Lab

  1. Open your terminal application, and run the following command (remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page):
    ssh cloud_user@<PUBLIC_IP>
  2. Type yes at the prompt.
  3. Enter your cloud_user password at the prompt.
  4. Become the root user.
    sudo su

Create a Secondary LUKS Passphrase

  1. Determine where the patient_lv volume is located.
    cryptsetup -v status patient_lv
  2. Determine the next available key slot.
    cryptsetup luksDump /dev/mapper/luks_vg-patient_lv
  3. Add a new secondary passphrase.
    cryptsetup luksAddKey --key-slot 1 /dev/mapper/luks_vg-patient_lv
  4. Enter Pinehead1! at the existing passphrase prompt.
  5. Enter BackupsRGood! at the new passphrase prompt.
  6. Enter BackupsRGood! at the password confirmation prompt.
  7. Verify that the new key was created.
    cryptsetup luksDump /dev/mapper/luks_vg-patient_lv

Create a Backup of the LUKS Header

  1. Run the following command:
    cryptsetup luksHeaderBackup /dev/mapper/luks_vg-patient_lv --header-backup-file /root/luks_vg-patient_lv-LUKS-header.backup
  2. List the contents of the /root directory to verify that the header backup was created.
    ls /root/
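The following is an added example, not part of the original lab. It scripts step 2 of "Create a Secondary LUKS Passphrase" (finding the next available key slot from luksDump output) and adds a check that the new passphrase and the header backup are usable. The function names and the sample dump text are constructed for illustration, and the luksDump layouts are assumed to be the standard LUKS1 and LUKS2 formats.

```shell
# Added example, not part of the lab. Function names are hypothetical.

# Read `cryptsetup luksDump` output on stdin and print the lowest unused key slot.
# Handles LUKS1 ("Key Slot N: ENABLED") and LUKS2 (entries under "Keyslots:").
# Exit status: 0 slot printed, 1 all slots in use, 2 input is not a luksDump.
next_free_slot() {
  awk '
    /^Version:/                 { max = ($2 == 2) ? 32 : 8 }   # LUKS2: 32 slots, LUKS1: 8
    /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); used[$3 + 0] = 1; next }
    /^Keyslots:/                { in_ks = 1; next }
    /^[A-Za-z]/                 { in_ks = 0 }                  # any other section header
    in_ks && /^  [0-9]+: /      { sub(":", "", $1); used[$1 + 0] = 1 }
    END {
      if (!max) exit 2
      for (i = 0; i < max; i++) if (!(i in used)) { print i; exit 0 }
      exit 1
    }'
}

# Post-lab checks; needs root and cryptsetup.
# usage: verify_recovery <device> <key-slot> <header-backup-file>
verify_recovery() {
  # Prompt for a passphrase and test it against one slot without mapping the volume.
  cryptsetup luksOpen --test-passphrase --key-slot "$2" "$1" || return 1
  # The backup file must itself parse as a LUKS header ...
  cryptsetup isLuks "$3" || return 1
  # ... and must carry the same UUID as the volume it is meant to recover.
  [ "$(cryptsetup luksUUID "$1")" = "$(cryptsetup luksUUID "$3")" ]
}

# Constructed sample: trimmed LUKS1 luksDump output with only slot 0 in use.
sample_luks1() {
  printf '%s\n' 'LUKS header information for /dev/mapper/luks_vg-patient_lv' \
    'Version:        1' 'Key Slot 0: ENABLED' 'Key Slot 1: DISABLED' 'Key Slot 2: DISABLED'
}

# Constructed sample: trimmed LUKS2 luksDump output with slots 0 and 1 in use.
sample_luks2() {
  printf '%s\n' 'LUKS header information' 'Version:        2' 'Keyslots:' \
    '  0: luks2' '  1: luks2' 'Tokens:' 'Digests:' '  0: pbkdf2'
}

# In the lab: cryptsetup luksDump /dev/mapper/luks_vg-patient_lv | next_free_slot
```

The header backup contains every key slot, so any passphrase that was valid when the backup was taken can unlock the volume through it. Store the file off the host and protect it like the passphrases themselves.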

Conclusion

Congratulations, you've successfully completed this hands-on lab!