summaryrefslogtreecommitdiffstats
path: root/man/cryptsetup-luksHeaderBackup.8.adoc
blob: 1f57f259369502d8bbf211a156786e9a932345f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
= cryptsetup-luksHeaderBackup(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSHEADERBACKUP:

== Name

cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keyslot area

== SYNOPSIS

*cryptsetup _luksHeaderBackup_ --header-backup-file <file> [<options>] <device>*

== DESCRIPTION

Stores a binary backup of the LUKS header and keyslot area. +
*NOTE:* Using '-' as filename writes the header backup to a file named
'-'.

*<options>* can be [--header, --header-backup-file, --disable-locks].

*WARNING:* This backup file and a passphrase valid at the time of backup
allows decryption of the LUKS data area, even if the passphrase was
later changed or removed from the LUKS device. Also note that with a
header backup you lose the ability to securely wipe the LUKS device by
just overwriting the header and key-slots. You either need to securely
erase all header backups in addition or overwrite the encrypted data
area as well. The second option is less secure, as some sectors can
survive, e.g., due to defect management.

include::man/common_options.adoc[]
include::man/common_footer.adoc[]