Clarifying the terminology
As of Ubuntu 16.10, the default disk encryption method used when selecting “Encrypt the new Ubuntu installation for security” during installation seems to be dm-crypt with LUKS. Here:
- dm-crypt is “the standard device-mapper encryption functionality provided by the Linux kernel” (ArchWiki).
- LUKS (Linux Unified Key Setup) is “an additional convenience layer which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security” (ArchWiki).
- cryptsetup is the actual utility that you run as a user.
The flow of choices (if Ubuntu hadn’t chosen everything for you) goes like this (ArchWiki):
- Decide to use block device encryption (rather than, say, stacked filesystem encryption).
- Decide to use dm-crypt (rather than, say, loop-AES or TrueCrypt).
- Decide to use LUKS (rather than, say, plain dm-crypt mode).
Note that I’m pretty sure LUKS is a specification so it’s possible to use LUKS without using dm-crypt, i.e. you can reverse the order of (2) and (3) by deciding to use LUKS, and only then deciding on dm-crypt (rather than some other implementation of LUKS – I’m not aware of any others).
Backing up the LUKS header
Check that the device is a LUKS device:
$ sudo cryptsetup isLuks -v /dev/sda5 Command successful.
Then back up the header:
sudo cryptsetup luksHeaderBackup /dev/sda5 \ --header-backup-file luks-header.bin.crypt
See also the cryptsetup FAQ §6 Backup and Data Recovery
- What’s the difference between LUKS, cryptsetup, and dm-crypt? on /r/linuxquestions