Linux – Separate Header for dm-crypt+luks Without Storing on Encrypted Device

Tags: dm-crypt, linux, luks, virtual drive

I would like to encrypt my external hard drive with dm-crypt+LUKS, but I am not satisfied with all the information that the LUKS header provides in plaintext.

So I would like to keep the LUKS header and the encrypted data separated from each other:

  1. Store the LUKS-Partition (CRYPT) without the header on the external drive.
  2. Whenever I want to access the encrypted data, merge header and CRYPT and mount the LUKS partition normally.

I already know how I could manually achieve this:

  1. Backup LUKS header with dd.
  2. Overwrite LUKS header on external drive.
  3. Whenever the LUKS partition should be mounted, write it back and mount normally.
  4. Unmount and overwrite header again, when finished.

That is not very optimal, because the sectors of the LUKS header would be overwritten every time the drive is mounted, and I would fear that those sectors will become bad for sure.


Another approach would be that the header file and the encrypted LUKS partition are merged into one virtual Linux device that can be mounted normally.

With "merging into one virtual device" I mean that the header is not actually written back to the LUKS partition, but the system perceives it that way.
The header still remains on my USB stick.

My only problem is that I do not know how to create such a virtual device.

Any help would be appreciated.

Best Answer

You can simply use LUKS in detached-header mode:

cryptsetup luksFormat /dev/sda4 --header ~/lukshdr --align-payload 0 --cipher twofish
cryptsetup open /dev/sda4 --header ~/lukshdr mycrypt
cryptsetup luksSuspend mycrypt --header ~/lukshdr
cryptsetup luksResume mycrypt --header ~/lukshdr

You can put the header file wherever you want, including a block device.

~/lukshdr must be at least 1049600 bytes in size for luksFormat to work:

dd if=/dev/zero bs=1049600 count=1 > ~/lukshdr

If you run lsblk -b, you will see that the size of the mapped device precisely equals the size of the LUKS device; there's no room where any header or metadata might hide.

$ lsblk -b
NAME          MAJ:MIN RM        SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 80026361856  0 disk  
├─sda1          8:1    0   254803968  0 part  /boot
├─sda2          8:2    0  5999951872  0 part  [SWAP]
├─sda3          8:3    0 19999490048  0 part  /
└─sda4          8:4    0 53771067392  0 part  
  └─mycrypt   254:0    0 53771067392  0 crypt /tmp/mnt

In fact, as long as the underlying ciphers remain unbroken, the LUKS device will look just like random data to anybody who doesn't have the header file.
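As an added illustration (not part of the original answer), a small POSIX shell helper that wraps the detached-header workflow above and then checks that the data device itself carries no LUKS signature, so a mistake (formatting without --header) is caught. The function names are assumptions; the cryptsetup and dd calls require root and a real device.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes cryptsetup with
# detached-header support (--header) and root for the luks_* functions.
set -eu

# Report whether a file or block device starts with the 6-byte LUKS magic
# ("LUKS" 0xBA 0xBE). Returns 0 if a header is present, 1 otherwise.
has_luks_magic() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Allocate the header file (size from the answer above) and format the data
# device with the header kept elsewhere. $1 = data device, $2 = header file.
luks_detached_format() {
    dd if=/dev/zero of="$2" bs=1049600 count=1
    cryptsetup luksFormat "$1" --header "$2" --align-payload 0
}

# Open the mapping. $1 = data device, $2 = header file, $3 = mapping name.
luks_detached_open() {
    cryptsetup open "$1" --header "$2" "$3"
}

# Defender's check after formatting: the data device must carry no LUKS
# signature and the header file must. Returns 0 only if both hold.
verify_detached() {
    if has_luks_magic "$1"; then
        echo "WARNING: $1 still carries a LUKS header" >&2
        return 1
    fi
    has_luks_magic "$2"
}

# Offline demo on constructed files (no root, no device): a fake header file
# with the LUKS magic beside an all-zero "data" file. Returns verify_detached's status.
demo_fake_header() {
    tmp=$(mktemp -d)
    printf 'LUKS\272\276\001\001' > "$tmp/hdr"            # constructed header stub
    dd if=/dev/zero of="$tmp/data" bs=512 count=4 2>/dev/null  # constructed data stub
    verify_detached "$tmp/data" "$tmp/hdr"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo_fake_header` to see the check pass on the constructed files; on a real setup, call `verify_detached /dev/sdX ~/lukshdr` right after `luks_detached_format`.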
