Diffstat (limited to 'man/cryptsetup-luksHeaderBackup.8.adoc')
-rw-r--r-- | man/cryptsetup-luksHeaderBackup.8.adoc | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/man/cryptsetup-luksHeaderBackup.8.adoc b/man/cryptsetup-luksHeaderBackup.8.adoc new file mode 100644 index 0000000..1f57f25 --- /dev/null +++ b/man/cryptsetup-luksHeaderBackup.8.adoc @@ -0,0 +1,35 @@ += cryptsetup-luksHeaderBackup(8) +:doctype: manpage +:manmanual: Maintenance Commands +:mansource: cryptsetup {release-version} +:man-linkstyle: pass:[blue R < >] +:COMMON_OPTIONS: +:ACTION_LUKSHEADERBACKUP: + +== Name + +cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keyslot area + +== SYNOPSIS + +*cryptsetup _luksHeaderBackup_ --header-backup-file <file> [<options>] <device>* + +== DESCRIPTION + +Stores a binary backup of the LUKS header and keyslot area. + +*NOTE:* Using '-' as filename writes the header backup to a file named +'-'. + +*<options>* can be [--header, --header-backup-file, --disable-locks]. + +*WARNING:* This backup file and a passphrase valid at the time of backup +allows decryption of the LUKS data area, even if the passphrase was +later changed or removed from the LUKS device. Also note that with a +header backup you lose the ability to securely wipe the LUKS device by +just overwriting the header and key-slots. You either need to securely +erase all header backups in addition or overwrite the encrypted data +area as well. The second option is less secure, as some sectors can +survive, e.g., due to defect management. + +include::man/common_options.adoc[] +include::man/common_footer.adoc[] |
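Review bot: The WARNING paragraph under DESCRIPTION says the backup file plus a passphrase valid at backup time allows decryption even after that passphrase is changed or removed, but it gives the reader no guidance on handling the file itself. Consider adding a sentence that the backup must be protected as carefully as the LUKS device, and that every copy of it falls under the "securely erase all header backups" requirement stated a few lines later. Two smaller points in the same hunk: "This backup file and a passphrase valid at the time of backup allows" should read "allow", and the "== Name" heading is capitalised differently from "== SYNOPSIS" and "== DESCRIPTION".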