Bullet Proof Data Encryption with LUKS and a detached Header


LUKS (Linux Unified Key Setup) is a good choice for disk encryption. It is a header and key-management format layered on plain dm-crypt: the cipher parameters live in a header on the device, and up to several passphrases (keyslots) each unlock one random master key, so a passphrase can be changed or revoked without re-encrypting the data.

What does a drive look like after being entirely encrypted with LUKS?
The first part of the drive holds the LUKS header (a few MiB: 2 MiB for LUKS1, 16 MiB by default for LUKS2) with its keyslots (8 in LUKS1, up to 32 in LUKS2), followed by the data area. The header itself is not encrypted: it starts with the magic bytes LUKS\xba\xbe and readable metadata, and only the key material inside the keyslots is protected by the passphrases. The data area looks like random data.

What is in the header, and what does ‘detached’ mean?
The LUKS header stores everything needed to unlock the device apart from the passphrase: metadata (cipher, mode, hash, payload offset), the keyslots, each holding a copy of the master key encrypted under a key derived from one passphrase and that slot’s salt, and a salted digest of the master key used to verify that an unlocking attempt produced the right key.
By default the header sits on the same device as the data area, in front of it. It can instead be detached, that is stored on a different disk or in a file, and passed to cryptsetup with --header whenever the device is formatted or opened.

Why detach the header?
A detached header gives two security properties.

  • The data disk carries no LUKS signature. Tools such as cryptsetup isLuks or blkid find nothing to identify, and the device is indistinguishable from a disk filled with random bytes (a whole disk of random bytes is itself unusual enough to draw attention, so this is concealment, not deniability).
  • The data cannot be decrypted without the header. The data area is encrypted with a random master key (256 or 512 bits) that exists only inside the header, wrapped under keys derived from the passphrases and their salts. Without the header the passphrase is useless, and the only remaining attack is brute force on the master key itself, which is infeasible for any known or foreseeable technology, quantum computers included. The flip side is that losing or damaging the header loses the data just as thoroughly, so keep a backup of the header (cryptsetup luksHeaderBackup) and protect that backup as carefully as the header device itself; a copy of the header anywhere an attacker can reach undoes the advantage.

What is a salt?
Each keyslot has its own random salt (32 bytes in LUKS1), stored in cleartext in the header. It is not a key and it is not secret. It is mixed with the passphrase in a slow key derivation function (PBKDF2 in LUKS1, Argon2 by default in LUKS2), not simply appended, so that the same passphrase yields a different key for every keyslot and precomputed dictionary tables are useless against it. The derived key decrypts that keyslot’s copy of the master key, and a second salted digest of the master key lets cryptsetup confirm that the passphrase was correct. Without the header, the salts, the wrapped master key and the digest are all gone, and there is nothing left to run the passphrase through.

Setting up a LUKS device with a detached header

The example assumes two devices. We work as root, and the procedure erases all existing data on both drives. The data area goes on /dev/sda and the header on /dev/sdb (a small SD card, for example). Confirm both names with lsblk before running anything: a wrong device name here wipes the wrong disk.

Creating the LUKS device

cryptsetup luksFormat /dev/sda --header /dev/sdb --align-payload=0

--align-payload=0 places the data at the very start of /dev/sda: with the header elsewhere, nothing needs to be reserved in front of it. The header only needs a few MiB, but the start of /dev/sdb is overwritten with it, so use a dedicated device (or a file, as in the container example in the comments below).

Opening the device

cryptsetup luksOpen /dev/sda --header /dev/sdb Luks

Creating a file system within the LUKS device

mkfs.ext2 /dev/mapper/Luks

Mounting the device

mount /dev/mapper/Luks /mnt/

Un-mounting and closing the LUKS device

umount /mnt
cryptsetup luksClose /dev/mapper/Luks
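The whole procedure above, wrapped in functions with the pre-flight checks and the verification a practitioner would add before touching a disk. This is an added example script, not code from the original post. It keeps the post’s luksFormat command and device names (/dev/sda, /dev/sdb, mapping name Luks, mount point /mnt); the 16 MiB header-size threshold, the backup file location and the lsblk preview are assumptions. The two check functions work on any file; the setup function needs root and real block devices.

```shell
#!/bin/sh
# Added example (not from the original post): the detached-header procedure
# wrapped in functions with pre-flight checks. Device names are placeholders.
set -eu

# LUKS1 and LUKS2 headers both begin with the magic bytes "LUKS\xba\xbe".
# A data device formatted with --header carries no such signature, which is
# the "looks like random data" property. Works on any file or block device.
has_luks_magic() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# 16 MiB covers a default LUKS2 header (LUKS1 needs only 2 MiB); assumed
# threshold. Takes a size in bytes so it can be checked without root.
header_device_big_enough() {
    [ "$1" -ge $((16 * 1024 * 1024)) ]
}

# Assumed backup location; treat the backup as carefully as the header device.
BACKUP=${BACKUP:-/root/luks-header-$(date +%Y%m%d).img}

# setup_detached DATA_DEV HEADER_DEV [NAME]
setup_detached() {
    data=$1 hdr=$2 name=${3:-Luks}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    lsblk -o NAME,SIZE,MODEL "$data" "$hdr"   # eyeball the targets before they are wiped

    # Refuse to overwrite something that already carries a LUKS header.
    if has_luks_magic "$data" || has_luks_magic "$hdr"; then
        echo "refusing: $data or $hdr already carries a LUKS header" >&2
        return 1
    fi
    header_device_big_enough "$(blockdev --getsize64 "$hdr")" \
        || { echo "$hdr is too small for a LUKS header" >&2; return 1; }

    # Same command as in the post: header on $hdr, data from sector 0 of $data.
    cryptsetup luksFormat "$data" --header "$hdr" --align-payload=0

    # The property we wanted: the data disk is not recognisable, the header device is.
    if cryptsetup isLuks "$data"; then
        echo "unexpected: $data carries a LUKS header" >&2
        return 1
    fi
    cryptsetup isLuks "$hdr"

    # No header, no data: back it up now, while it is known good.
    cryptsetup luksHeaderBackup "$hdr" --header-backup-file "$BACKUP"
    chmod 600 "$BACKUP"

    cryptsetup luksOpen "$data" --header "$hdr" "$name"
    mkfs.ext2 "/dev/mapper/$name"
    mount "/dev/mapper/$name" /mnt
}

# teardown_detached [NAME]
teardown_detached() {
    umount /mnt
    cryptsetup luksClose "${1:-Luks}"
}

# Usage: ./detached.sh /dev/sda /dev/sdb [name]
if [ "$#" -ge 2 ]; then
    setup_detached "$@"
fi
```

The magic-byte check is the cheap way to confirm the “looks like random data” claim after the fact: run has_luks_magic against the data disk and the header device and only the latter should match. The same check applies unchanged to the file-backed container variant in the comments.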


More information about LUKS can be found here.


2 thoughts on “Bullet Proof Data Encryption with LUKS and a detached Header”

  1. Thanks for this info. Please add the following lines for doing that with encrypted container files:

    # truncate -s 1G container      # create the container file first (size is an example)
    # truncate -s 16M container.h   # and the file that will hold the detached header
    # cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y --header container.h --align-payload=0 container
    # losetup /dev/loop0 container
    # cryptsetup luksOpen /dev/loop0 --header container.h cont
    # mkfs -t ext4 /dev/mapper/cont
    # mount /dev/mapper/cont /mnt

    and to unmount the container:

    # umount /mnt
    # cryptsetup luksClose cont

    ignore the error message (device /dev/loop0 isn’t a valid LUKS-device. )

    # losetup -d /dev/loop0

    Enjoy 🙂

    1. Thank you Jochen. I will leave it here in the comment section. Anybody interested will find it there.
