How to securely backup LUKS Header Key?

Is there a possibility of leaking any sensitive data or unlocking the disk if I back up the LUKS header key on a flash drive? The flash drive and the laptop is physically available to others.

I suggest not doing it. The lesser issue is that it contains the metadata (number of keys, how it is encrypted, algorithms, …).

If you use secure configurations, this is in itself not that relevant in most cases, but they have the encrypted key and can thus try to break it. This means an attacker can already try to find out your password(s) before they get your computer (if successful, they have the key and can immediately unlock your computer whenever it is available, radically speaking). The data is sufficient to verify the correct key once it is found. So they can use the header to do brute force or dictionary attacks.

If you use a secure password, this should be no problem. However, you spare the attacker a step. Actually, you even spare them two: trying to get a password just by typing it on the keyboard and then waiting several seconds each time is not efficient unless the attacker already knows some of your passwords and just has to try a few. If the attacker does not have a strong hint, they would normally get the encrypted key (header), copy it to a machine and then try to break it with a more massive attack that can test multiple passwords per second in an automated manner (outside of the kernel’s own LUKS). Don’t make it easier for them than necessary :wink:

In any case, this is not a best practice.


To avoid confusion: your password (or multiple passwords) are used to encrypt the key, and the key is used to encrypt the disk. If you have two passwords that unlock the disk, the header will contain the key twice: once encrypted with the first password and once encrypted with the second password.


Thank you for the explanation. I am new to using Linux as a primary OS on a production machine. It was suggested on a few blogs or articles that I should back up the header, otherwise I might lose data if it gets corrupted. Backing up to a flash drive followed by storing it in a secure place was suggested. So, I wanted to know what might go wrong if a bad actor gets the drive and laptop, because obscurity is not security by any means.

Absolutely :wink:

Absolutely, too: if the header gets lost, the key is lost, and thus the data. In the end, it is a compromise. But I still suggest not using a device that is available to others, too. So the flash device should have a security level comparable to the computer to which it relates.

However, you can also do backups on other devices that are also encrypted and thus have an independent header. Backups should be done anyway. If you have a proper backup strategy, you should not need to care about LUKS headers. I tend to assume that the LUKS header is seldom the origin of a data loss. Other origins are more likely.
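The approach described in this reply (a header backup kept only inside a separately encrypted volume) as an added example script; it is not code from the thread or from the cryptsetup project. It assumes `cryptsetup` and `sha256sum` are installed, that it runs as root, and that the destination directory is an already-unlocked LUKS or VeraCrypt volume; the device path and directory names are placeholders. The checksum step exists because a silently damaged header backup is worse than none: it lets you detect corruption before you rely on the copy for a restore.

```shell
#!/bin/sh
# Added example, not from the thread: back up a LUKS header to a file, record a
# SHA-256 checksum so a later restore can detect a damaged copy, and move the
# file into a separately encrypted location. Assumes cryptsetup and sha256sum,
# root privileges, and an already-unlocked encrypted destination directory.
# LUKS_HEADER_DEV and LUKS_BACKUP_DIR are placeholder names chosen here.
set -eu

# Write the LUKS header of device $1 to file $2 (never overwrite an existing file).
backup_header() {
    dev=$1; out=$2
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    # The file holds the encrypted master key: restrict it to the owner.
    chmod 0400 "$out"
}

# Record a SHA-256 checksum next to the backup so corruption is detectable.
write_checksum() {
    f=$1
    ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" > "$(basename "$f").sha256" )
}

# Return 0 if the backup still matches its recorded checksum, non-zero otherwise.
verify_checksum() {
    f=$1
    ( cd "$(dirname "$f")" && sha256sum -c --status "$(basename "$f").sha256" )
}

# Copy a verified backup plus its checksum into the unlocked encrypted volume.
# Refuses to copy a backup that no longer matches its checksum.
store_in_encrypted_volume() {
    f=$1; dest_dir=$2
    verify_checksum "$f" || { echo "checksum mismatch, not storing $f" >&2; return 1; }
    cp -p "$f" "$f.sha256" "$dest_dir"/
}

# Usage (placeholders): LUKS_HEADER_DEV=/dev/sdX2 LUKS_BACKUP_DIR=/mnt/vault sh backup.sh
if [ -n "${LUKS_HEADER_DEV:-}" ]; then
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    backup_header "$LUKS_HEADER_DEV" "$tmp/luks-header.img"
    write_checksum "$tmp/luks-header.img"
    store_in_encrypted_volume "$tmp/luks-header.img" "${LUKS_BACKUP_DIR:?set LUKS_BACKUP_DIR}"
    echo "header backed up to $LUKS_BACKUP_DIR/luks-header.img"
fi
```

The temporary copy lives in a `mktemp` directory that is removed on exit, so the only lasting copy is the one inside the encrypted volume. Before trusting the backup for a restore, run `verify_checksum` on it; the same script logic works for a VeraCrypt mount point, since only the destination directory differs.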

I think I am going to do that: LUKS header backups inside a LUKS or VeraCrypt volume. Thank you so much, I really needed that information from an expert user. By the way, I found this community very helpful and friendly.

Happy to help :wink: Feel free to mark a post as solution to help others who might experience comparable questions over time :wink: