Disk encryption on Linux

Clarifying the terminology

As of Ubuntu 16.10, the default disk encryption method used when selecting “Encrypt the new Ubuntu installation for security” during installation seems to be dm-crypt with LUKS.

The flow of choices (if Ubuntu hadn’t chosen everything for you) goes like this (ArchWiki):

  1. Decide to use block device encryption (rather than, say, stacked filesystem encryption).
  2. Decide to use dm-crypt (rather than, say, loop-AES or TrueCrypt).
  3. Decide to use LUKS (rather than, say, plain dm-crypt mode).

Note that I’m pretty sure LUKS is a specification so it’s possible to use LUKS without using dm-crypt, i.e. you can reverse the order of (2) and (3) by deciding to use LUKS, and only then deciding on dm-crypt (rather than some other implementation of LUKS – I’m not aware of any others).

Backing up the LUKS header

Check that the device is a LUKS device:

$ sudo cryptsetup isLuks -v /dev/sda5
Command successful.

Then back up the header:

$ sudo cryptsetup luksHeaderBackup /dev/sda5 \
    --header-backup-file luks-header.bin.crypt

See also the cryptsetup FAQ, §6 “Backup and Data Recovery”.
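To confirm that the backup file is usable before relying on it, the following added example (not from the original post and not part of cryptsetup) parses a LUKS1 header backup, lists the enabled key slots, and flags any slot whose key material lies past the end of the file. It assumes the LUKS1 on-disk layout and rejects LUKS2; the names check_luks1_backup and build_sample_backup are hypothetical, and the sample header is constructed, not taken from a real volume.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512
# LUKS1 header fields, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, MK digest, MK salt, MK iterations, UUID
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes
# Per key slot: state, PBKDF2 iterations, salt, key material offset, stripes
SLOT = struct.Struct(">II32sII")                     # 48 bytes, 8 slots


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def check_luks1_backup(data):
    """Parse a LUKS1 header backup; report active slots and truncation."""
    if len(data) < PHDR.size + 8 * SLOT.size or data[:6] != LUKS_MAGIC:
        raise ValueError("not a complete LUKS header")
    (_, version, cipher, mode, hash_spec, _payload, key_bytes,
     _dig, _salt, _iters, uuid) = PHDR.unpack_from(data)
    if version != 1:
        raise ValueError(f"LUKS version {version}: only LUKS1 is parsed here")
    active, truncated = [], []
    for i in range(8):
        state, _it, _s, offset, stripes = SLOT.unpack_from(data, PHDR.size + i * SLOT.size)
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError(f"key slot {i}: invalid state {state:#x}")
        if state == SLOT_ENABLED:
            active.append(i)
            # Key material is key_bytes * stripes bytes at sector `offset`;
            # a backup that ends before it cannot unlock the volume.
            if offset * SECTOR + key_bytes * stripes > len(data):
                truncated.append(i)
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "uuid": _text(uuid),
            "active_slots": active, "truncated_slots": truncated}


def build_sample_backup():
    """Constructed sample (not a real volume): slot 0 enabled, zeroed key material."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, bytes(32), 8 + i * 504, 4000)
    return hdr.ljust((8 + 504) * SECTOR, b"\0")
```

To check a real backup, pass the bytes of the file written by luksHeaderBackup to check_luks1_backup. The backup holds the key slots, so store it as carefully as the disk itself.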