DM-Crypt Archive on lore.kernel.org
* [dm-crypt] is backing up the master key enough for data recovery if header is destroyed?
From: Lara Michaels @ 2012-06-21 14:58 UTC (permalink / raw)
  To: dm-crypt@saout.de


From reading the FAQ, my understanding is that in the event of the header getting destroyed I need ONE of the following for data recovery to be feasible:


- header backup + one passphrase
- the master key

By "master key" I am referring to the 256 bits printed out in hexadecimal by "cryptsetup luksDump --dump-master-key [device]".

Is it correct that these 256 bits are by themselves sufficient to unlock the volume? Or would I still need the salt to be intact in the header? (My understanding from reading the FAQ is that the salt is not required if I have the master key.)

thank you 

~l


* Re: [dm-crypt] is backing up the master key enough for data recovery if header is destroyed?
From: Milan Broz @ 2012-06-21 15:28 UTC (permalink / raw)
  To: Lara Michaels; +Cc: dm-crypt@saout.de

On 06/21/2012 04:58 PM, Lara Michaels wrote:
> From reading the FAQ, my understanding is that in the event of the
> header getting destroyed I need ONE of the following for data
> recovery to be feasible:
> 
> - header backup + one passphrase
> - the master key
> 
> By "master key" I am referring to the 256 bits printed out in
> hexadecimal by "cryptsetup luksDump --dump-master-key [device]".
> 
> Is it correct that these 256 bits are by themselves sufficient to
> unlock the volume? Or would I still need the salt to be intact in the
> header? (My understanding from reading the FAQ is that the salt is
> not required if I have the master key.)

Yes. You need to know the cipher name, mode and IV as well, but these
are easy to brute-force if lost.

The salt is not needed if you know the volume (master) key directly.

Milan
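
Added example, not part of the thread and not cryptsetup's own code: a shell helper that turns a saved 256-bit master key into a dm-crypt table, so the data area can be mapped read-only without any LUKS header or salt. The candidate cipher spec list, the 4096-sector payload offset, `/dev/sdX` and `mk.hex` are assumptions; use the values recorded for your own volume.

```shell
#!/bin/sh
# Added example: build a dm-crypt table line from a saved master key.
# dm-crypt table format:
#   <start> <sectors> crypt <cipher-mode-iv> <hexkey> <iv_offset> <device> <payload_offset>

# Cipher specs to try when the original one was not recorded (constructed list).
CANDIDATE_SPECS="aes-xts-plain64 aes-cbc-essiv:sha256 aes-cbc-plain"

# crypt_table KEYHEX SPEC DEVICE DEV_SECTORS PAYLOAD_OFFSET
# Prints the table line on stdout, or returns 1 if the arguments are unusable.
crypt_table() {
    # Accept the spaced, multi-line hex as printed by luksDump --dump-master-key.
    key=$(printf '%s' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f')
    spec=$2 dev=$3 total=$4 offset=$5
    case $key in
        *[!0-9a-f]*|'') echo "key is not hex" >&2; return 1 ;;
    esac
    # The thread is about a 256-bit key: exactly 64 hex digits.
    [ "${#key}" -eq 64 ] || { echo "expected 64 hex digits, got ${#key}" >&2; return 1; }
    [ "$total" -gt "$offset" ] || { echo "payload offset beyond device" >&2; return 1; }
    # Data area = whole device minus the (destroyed) header region.
    printf '0 %s crypt %s %s 0 %s %s\n' \
        "$((total - offset))" "$spec" "$key" "$dev" "$offset"
}

# Usage as root (mk.hex, /dev/sdX and 4096 are placeholders/assumptions).
# The table is piped to dmsetup on stdin instead of being passed with --table,
# and the mapping is read-only so a wrong guess cannot damage the data.
#   for s in $CANDIDATE_SPECS; do
#     crypt_table "$(cat mk.hex)" "$s" /dev/sdX "$(blockdev --getsz /dev/sdX)" 4096 |
#       dmsetup create --readonly recovered &&
#       blkid /dev/mapper/recovered && break   # a filesystem signature was found
#     dmsetup remove recovered
#   done
```

The key file is as sensitive as the data itself: anyone who holds it can map the volume this way without a passphrase.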
