Keep cryptsetup headers separate from the block device

/en/linux/how-to/ cryptsetuplukssecuritydetached-header
5/November/2022
authorRentaro
Rentaro

Storing cryptsetup headers separately has some advantages, firstly, without them, the block device itself is a set of Entropy, from which it is impossible to determine the type of partition / encryption / device.
Secondly, it is a small file that can be easily backed up without using dd.

Simple cheat sheet


Generate a password.

1

cat /dev/urandom | tr -dc '[[:print:]]' | fold -w 256 | sed 's/ //g' | fold -w128 | head -n 1

Generate header and key

1
2

sync ; dd if=/dev/urandom of=/secret/and/secure/dir/HEADER bs=1M count=4 ; sync
sync ; dd if=/dev/urandom of=/secret/and/secure/dir/key bs=1M count=4 ; sync

Create LUKS using HEADER

1
2

cryptsetup --verbose --cipher "aes-xts-essiv:sha256" --key-size=256 --hash=sha256 --iter-time=3000 --verify-passphrase luksFormat /dev/disk/by-id/ata-HGST_HTS723310A7E990_JR10006JH7FX8A-part1 --header /secret/and/secure/dir/HEADER --align-payload=8192
# enter password

Check and add the key

1
2
3
4
5
6
7
8
9
10

# To open, enter the password
cryptsetup luksOpen /dev/disk/by-id/ata-HGST_HTS723310A7E990_JR10006JH7FX8A-part1 --header /secret/and/secure/dir/HEADER LUKSDEV
cryptsetup luksClose LUKSDEV

# adding a key
cryptsetup luksAddKey /secret/and/secure/dir/HEADER /secret/and/secure/dir/key
# open without password
cryptsetup luksOpen /dev/disk/by-id/ata-HGST_HTS723310A7E990_JR10006JH7FX8A-part1 --header /secret/and/secure/dir/HEADER --key-file /secret/and/secure/dir/key LUKSDEV
mkfs.ext4 -m1 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/LUKSDEV
mount -onoatime,nodiratime /dev/mapper/LUKSDEV /mnt/

Mount at the boot time


nano /etc/crypttab

1

LUKSDEV    /dev/disk/by-id/ata-HGST_HTS723310A7E990_JR10006JH7FX8A-part1    /secret/and/secure/dir/key    luks,discard,header=/secret/and/secure/dir/HEADER:UUID=77738506-35d9-4820-923d-b488085cb311


Where 77738506-35d9-4820-923d-b488085cb311 - uuid of the partition where the /secret/and/secure/dir/ directory with the key and HEADER is located, and which is mounted before LUKSDEV device.
Typically, this is a LUKS disk with rootfs, opened with a password from the keyboard when the system boots.

Original post on SecOps.it Blog Keep cryptsetup headers separate from the block device