In this hands-on lab, we will create a secondary passphrase for a LUKS-encrypted volume, which can be used to recover the volume’s encrypted data if the primary passphrase ever becomes corrupted. Then we’ll create a backup of the entire LUKS header, which can be used to recover the encrypted data if the entire LUKS header ever becomes corrupted.
*This course is not approved or sponsored by Red Hat.*
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Secondary LUKS Passphrase
  - We first need to identify what volume group the `patient_lv` volume is part of. When a LUKS-encrypted volume is created, its original name includes the volume group name. Run the following command, and look for the device name in the output:
    `cryptsetup -v status patient_lv`
  - Next, check the LUKS header for the next available key slot (it should be key slot 1).
    `cryptsetup luksDump /dev/mapper/luks_vg-patient_lv`
  - Add the new secondary passphrase using the following command:
    `cryptsetup luksAddKey --key-slot 1 /dev/mapper/luks_vg-patient_lv`
  - Enter the primary passphrase (`Pinehead1!`) at the prompt.
  - Next, enter the secondary passphrase (`BackupsRGood!`) at the prompt.
  - Confirm the new secondary passphrase by entering `BackupsRGood!` at the passphrase confirmation prompt.
  - Run the following command, and verify that there is now a value in key slot 1:
    `cryptsetup luksDump /dev/mapper/luks_vg-patient_lv`
- Create a Backup of the LUKS Header
  - Run the following command:
    `cryptsetup luksHeaderBackup /dev/mapper/luks_vg-patient_lv --header-backup-file /root/luks_vg-patient_lv-LUKS-header.backup`
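
The key-slot check from the first objective, as an added example that is not part of the original lab: a shell function that reads `cryptsetup luksDump` output and prints the lowest free key slot, so the `--key-slot` value can be confirmed before `luksAddKey` is run. It goes beyond the lab's single case by handling both the LUKS1 and LUKS2 dump layouts; the names `next_free_slot`, `sample_luks1` and `sample_luks2` and the abbreviated sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find the lowest unused LUKS key slot from `cryptsetup luksDump` text.

# next_free_slot (hypothetical helper): reads dump text on stdin, prints the slot number.
next_free_slot() {
    awk '
        # LUKS1 prints all 8 slots, e.g. "Key Slot 1: DISABLED".
        /^Key Slot [0-9]+: / {
            luks1 = 1
            n = $3; sub(/:$/, "", n)
            if ($4 == "ENABLED") used[n + 0] = 1
            next
        }
        # LUKS2 prints only occupied slots, indented under "Keyslots:".
        /^Keyslots:/ { in_ks = 1; next }
        /^[^ \t]/    { in_ks = 0 }
        in_ks && /^[ \t]+[0-9]+: / {
            n = $1; sub(/:$/, "", n)
            used[n + 0] = 1
        }
        END {
            max = luks1 ? 8 : 32        # slot count per format
            for (i = 0; i < max; i++)
                if (!(i in used)) { print i; exit 0 }
            exit 1                      # every slot is occupied
        }
    '
}

# Constructed, abbreviated LUKS2 dump: only slot 0 holds a key.
sample_luks2() {
    printf '%s\n' 'Version:        2' 'Keyslots area:  16744448 [bytes]' \
        'Keyslots:' '  0: luks2' '        Key:        512 bits' \
        '        Priority:   normal' 'Tokens:' 'Digests:' '  0: pbkdf2'
}

# Constructed, abbreviated LUKS1 dump: slots 0 and 1 hold keys.
sample_luks1() {
    printf '%s\n' 'Version:        1' 'Key Slot 0: ENABLED' \
        '        Iterations:     1000000' 'Key Slot 1: ENABLED' \
        'Key Slot 2: DISABLED' 'Key Slot 3: DISABLED'
}

sample_luks2 | next_free_slot   # lab state before luksAddKey
sample_luks1 | next_free_slot   # state after luksAddKey --key-slot 1
```

On the lab system the input would come from `cryptsetup luksDump /dev/mapper/luks_vg-patient_lv | next_free_slot`.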