Upgrading and backing up your LUKS header

All mainstream Linux distributions now ship with full-disk encryption available, and for portable devices like laptops or smartphones it's certainly a must. This article is a few quick recipes for upgrading your LUKS header for improved performance and security (if your device was installed a while ago) and for backing up your LUKS header to ensure access in case of hardware failure.

You can't convert the LUKS header of a volume while it is open, and the root volume stays open for as long as the installed system is running, so you need to boot from a live USB to work on the encrypted partition. First, create a bootable USB stick using a regular Ubuntu installer image.

  • Just get the latest installer ISO available
  • You need the full installer, the mini network installer won't work
  • You may need to disable Secure Boot in BIOS temporarily to boot from USB

After booting, run lsblk as root and you'll see the partitions of the built-in drive, usually sda, nvme0n1 on laptops with an NVMe disk, or mmc… on newer laptops with eMMC. In a default Ubuntu setup the encrypted one is the largest partition and usually sda3; lsblk -f lists it with FSTYPE crypto_LUKS, which is the reliable way to pick the right one.

LUKS header backup

A LUKS header backup lets you recover the encrypted contents if the on-disk header gets damaged (a bad sector, an interrupted conversion, a keyslot wiped by mistake). It does not help if you forget the passphrase: the backup is a snapshot of the keyslots, so it unlocks only with a passphrase or hardware authenticator that was valid when it was taken. The flip side is that it keeps those credentials valid even after you change them on disk, so treat the backup file as equivalent to the disk itself:

cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file backup.dat

This one can be done from within the actual booted operating system (it only reads the header) and is strongly recommended after passphrase changes, because the backup only knows the keyslots as they were when it was taken. Keep backup.dat safe, ideally off-site and protected by a second layer of encryption, and destroy older copies when you revoke a passphrase, otherwise the revoked passphrase still works against the old backup.

If you're running from the live USB, the backup sits on a RAM-backed filesystem and disappears on reboot, so get the file to another computer now, for example using wormhole (magic-wormhole).

Upgrading LUKS header

Check what version of LUKS header you have:

cryptsetup luksDump /dev/sda3

If it says Version: 2, just sit back and relax, you're already on the new format. If it says Version: 1, you want to upgrade. One caveat first: a default Ubuntu install keeps /boot on a separate, unencrypted partition, so the initramfs (not GRUB) unlocks the root volume and anything cryptsetup supports will work. If your /boot lives inside the encrypted partition, GRUB itself has to open it, so check that your GRUB version can open LUKS2 (and argon2id keyslots) before converting, or the machine will not boot. The conversion needs the volume to be closed (hence the live USB) and a header backup in hand; cryptsetup asks you to confirm, then it's quick and easy:

cryptsetup convert /dev/sda3 --type luks2

Just make sure you've got Version: 2 afterwards:

cryptsetup luksDump /dev/sda3

The conversion keeps the keyslots as they were, which means they are still derived with PBKDF2, the only KDF LUKS1 supports. It's worth re-deriving your full-disk encryption passphrase with argon2id, a memory-hard KDF that is far more expensive to brute-force. luksChangeKey asks for the current passphrase and a new one; entering the same passphrase again is fine. It changes one keyslot per run, so repeat it for each keyslot if you have more than one (say, a recovery passphrase and a hardware token). Alternatively, luksConvertKey --pbkdf argon2id re-derives a keyslot without changing its passphrase:

cryptsetup luksChangeKey /dev/sda3 --pbkdf argon2id

Again, check what we got - every keyslot should now show PBKDF: argon2id:

cryptsetup luksDump /dev/sda3

Just double check that the passphrase still unlocks the volume. With --test-passphrase no mapper name is needed and nothing is mapped or mounted; cryptsetup only verifies that the passphrase opens a keyslot:

cryptsetup open --test-passphrase /dev/sda3
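The whole recipe above (check the version, convert, re-derive the keyslots, verify) can be scripted so that it refuses to run without a header backup or against an open volume, and so that you can tell from a luksDump whether anything is still left to do. The script below is an added example written for this article, not code from the original post or from the cryptsetup project. The function names (luks_plan, needs_rehash, upgrade_luks) are mine, and the three luksDump samples are constructed, abridged imitations of the real output, not dumps of an actual disk. It assumes the luksDump layout shown on this page: a top-level "Version:" line, and in LUKS2 output an indented "PBKDF:" line per keyslot.

```shell
#!/bin/sh
# luks-upgrade.sh (added example): parse `cryptsetup luksDump` output to decide
# whether a volume still needs converting (LUKS1) or re-deriving (LUKS2 keyslots
# still on pbkdf2), and apply the steps only with a header backup in hand and
# the volume closed. Parsing functions read the dump on stdin.
set -eu

# First top-level "Version:" line of a luksDump -> prints 1 or 2.
luks_version() {
    awk '/^Version:/ { print $2; exit }'
}

# Succeeds when any keyslot of a LUKS2 dump still uses pbkdf2. Keyslot PBKDF
# lines are indented; the "Digests:" section prints "0: pbkdf2" and is not matched.
needs_rehash() {
    awk '/^[[:space:]]+PBKDF:[[:space:]]+pbkdf2/ { found = 1 } END { exit !found }'
}

# Read a luksDump on stdin and print the next step: convert, rehash or ok.
luks_plan() {
    dump=$(cat)
    case "$(printf '%s\n' "$dump" | luks_version)" in
        1) echo convert ;;
        2) if printf '%s\n' "$dump" | needs_rehash; then echo rehash; else echo ok; fi ;;
        *) echo unknown; return 1 ;;
    esac
}

# Apply the recipe to device $1 (e.g. /dev/sda3) once the header backup $2
# exists. Run as root from the live USB; luksChangeKey prompts for the
# passphrase (entering the same one again is fine) and handles one keyslot per run.
upgrade_luks() {
    dev=$1 backup=$2
    [ -s "$backup" ] || { echo "refusing: no header backup at $backup" >&2; return 1; }
    if lsblk -rno TYPE "$dev" | grep -qx crypt; then
        echo "refusing: $dev is open, close it (or boot the live USB) first" >&2
        return 1
    fi
    case "$(cryptsetup luksDump "$dev" | luks_plan)" in
        convert)
            cryptsetup convert --type luks2 "$dev"
            cryptsetup luksChangeKey --pbkdf argon2id "$dev" ;;
        rehash)
            cryptsetup luksChangeKey --pbkdf argon2id "$dev" ;;
        ok)
            echo "$dev is already LUKS2 with argon2id keyslots" ;;
    esac
    # Verify: every keyslot on argon2id, and the passphrase still opens a keyslot.
    [ "$(cryptsetup luksDump "$dev" | luks_plan)" = ok ] \
        || { echo "a keyslot still uses pbkdf2, run again for it" >&2; return 1; }
    cryptsetup open --test-passphrase "$dev"
}

# Constructed, abridged samples modelled on luksDump output (not real dumps).
LUKS1_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
    Iterations:     1048576
Key Slot 1: DISABLED'

LUKS2_MIXED_DUMP='LUKS header information
Version:        2
Epoch:          3

Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
  1: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000000
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 123456'

LUKS2_OK_DUMP='LUKS header information
Version:        2
Epoch:          4

Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 123456'

# Show the decision for each sample; real use is: upgrade_luks /dev/sda3 backup.dat
printf 'LUKS1 sample:           %s\n' "$(printf '%s\n' "$LUKS1_DUMP" | luks_plan)"
printf 'LUKS2 mixed keyslots:   %s\n' "$(printf '%s\n' "$LUKS2_MIXED_DUMP" | luks_plan)"
printf 'LUKS2 argon2id only:    %s\n' "$(printf '%s\n' "$LUKS2_OK_DUMP" | luks_plan)"
```

The second luksDump check after the steps is what catches a forgotten keyslot: with two keyslots, luksChangeKey only re-derives the one whose passphrase you typed, so the script reports "rehash" again and you run it once more with the other passphrase. The "is it open" guard uses lsblk rather than trusting cryptsetup convert to refuse, so the failure message says what to do.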

If yes, get rid of the local copy of the header backup (the off-site copy stays); -u unlinks the file after overwriting it. On the live USB's RAM-backed filesystem that is enough, whereas on a journaling filesystem or an SSD shred cannot guarantee the old blocks are gone, which is one more reason to do this from the live environment:

shred -u backup.dat

Now you can reboot into the installed system.

I'm on Mastodon and Twitter, feel free to comment!