public inbox for cryptsetup@lists.linux.dev
From: Milan Broz <gmazyland@gmail.com>
To: Darek Hisc <darek.hisc@aleeas.com>, cryptsetup@lists.linux.dev
Subject: Re: Problem after detaching the header
Date: Sat, 1 Jul 2023 09:50:22 +0200
Message-ID: <baaf0d13-97a2-8846-ca4f-8f89d96ef499@gmail.com>
In-Reply-To: <168806625127.6.2008140751957055524.147127853@aleeas.com>

On 6/29/23 21:17, Darek Hisc wrote:
> Hi
> 
> I am trying to move my current included header from sda2 to a separate raw (no file system) partition of device sdb1, but after removing the original header the system does not start and stops at the initramfs console.
> 
> OS: LMDE 5 (Linux Mint Debian Edition = de facto Debian 11)
> Standard LVM installation on LUKS2
> 
> I did the following steps:
> 1. cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /header.img
> 2. dd if=/header.img of=/dev/sdb1
> 3. option luks,discard,tries=3,header=/dev/sdb1 > /etc/crypttab
> 4. update-initramfs -u -k all
> 5. cryptsetup luksErase /dev/sda2

Just a comment here:

- luksErase will destroy keyslots (key material), but still keeps the LUKS
header on the device, including the UUID (so you can reference the device through UUID
even if it cannot be unlocked without the detached header)

- after you dd the LUKS header, the UUID is of course no longer recognized, but,
as you used another device for the LUKS header, the new one will have the former UUID.
Check that the UUID is not referenced in config. (Also, you can change it with the
luksUUID command.)

But as Arno said, this is really a question for your distro (note that the crypttab
file can be managed by systemd, but there are also non-systemd versions).
Also, without a console log it is not clear what exactly fails.

Milan

> 
> Up to this point, everything works fine and the system boots up properly.
> When, according to the instructions in the https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md I do:
> 6. cryptsetup luksDump /dev/sdb1 > Data segments: offset: 16777216 bytes
> 7. dd bs=512 count=32768 if=/dev/zero of=/dev/sda2
> the system no longer starts.
> 
> Have I screwed something up or am I missing a step?
> Please help!
> 
> Darek
> 
> 
> 
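
Added example, not part of the original message and not cryptsetup or distro code: one way to carry out the "check that UUID is not referenced in config" advice above, by scanning a Debian-style four-field crypttab for entries that use `header=` but still locate the data device by `UUID=`. The function names `check_crypttab` and `write_sample_crypttab`, the sample entries and all UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and UUIDs below are constructed for illustration.

# write_sample_crypttab FILE: write a constructed four-field crypttab to FILE.
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# <name> <source device> <key file> <options>   (constructed sample)
sda2_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,discard,tries=3,header=/dev/sdb1
data_crypt /dev/disk/by-partuuid/aaaaaaaa-01 none luks,header=/dev/sdb1
swap_crypt UUID=66666666-7777-8888-9999-000000000000 none luks
EOF
}

# check_crypttab FILE [LUKS_UUID]
# Prints "<name> <source> <header device>" for every entry that has a detached
# header (header= option) but names its source device by UUID=. That UUID lives
# in the LUKS header, so once the header area on the data device is zeroed it
# is only found on the header device. With LUKS_UUID given, only entries using
# that UUID are reported. Returns 1 if anything was reported, 0 otherwise.
check_crypttab() {
    awk -v uuid="${2:-}" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            hdr = ""
            n = split($4, o, ",")               # options are comma separated
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^header=/) hdr = substr(o[i], 8)
            if (hdr == "") next                 # header is still on the data device
            if ($2 !~ /^UUID=/) next            # a device path does not depend on the header
            if (uuid != "" && tolower(substr($2, 6)) != tolower(uuid)) next
            print $1, $2, hdr
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run against the real `/etc/crypttab` before zeroing the header area on the data device; the UUID to pass as the second argument is the one `cryptsetup luksUUID` prints for the header device.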
