Disk encryption on Linux

View source | View history

Clarifying the terminology

As of Ubuntu 16.10, the default disk encryption method used when selecting “Encrypt the new Ubuntu installation for security” during installation seems to be dm-crypt with LUKS. Here:

The flow of choices (if Ubuntu hadn’t chosen everything for you) goes like this (ArchWiki):

  1. Decide to use block device encryption (rather than, say, stacked filesystem encryption).
  2. Decide to use dm-crypt (rather than, say, loop-AES or TrueCrypt).
  3. Decide to use LUKS (rather than, say, plain dm-crypt mode).

Note that I’m pretty sure LUKS is a specification so it’s possible to use LUKS without using dm-crypt, i.e. you can reverse the order of (2) and (3) by deciding to use LUKS, and only then deciding on dm-crypt (rather than some other implementation of LUKS – I’m not aware of any others).

Backing up the LUKS header

Check that the device is a LUKS device:

$ sudo cryptsetup isLuks -v /dev/sda5
Command successful.

Then back up the header:

sudo cryptsetup luksHeaderBackup /dev/sda5 \
    --header-backup-file luks-header.bin.crypt

See also the cryptsetup FAQ §6 Backup and Data Recovery