How to properly backup luks header for encrypted installation?

I found some instructions here about luks header backup using cryptsetup luksHeaderBackup --header-backup-file <file> <device> but I am not sure whether I will need it to do it from a live environment? If I can do it from the live environment, then I can make keep it in a vercrypt volume.

Another thing was mentioned in that article was,

First, disks die. The rate for well-treated (!) disk is about 5% per year, which is high enough to worry about. There is some indication that this may be even worse for some SSDs. This applies both to LUKS and plain dm-crypt partitions.
Second, for LUKS, if anything damages the LUKS header or the key-stripe area then decrypting the LUKS device can become impossible.

I backed up header, but what is key-stripe area, and how can I back up that? My goal is to avoid downtime of the system.

I also see suggestion about key-slot backup but how can I backup key-slots without backing up the entire dm-crypt?

I’m sorry, this doesn’t address your questions, but speaks more to your concerns and goal.

Have you considered a redundant RAID setup for your drive? Simplest form, RAID1, two drives are real-time mirrors. If one drive fails catastrophically, your data is safe on the other. Not a “backup” strictly speaking, but redundancy in the event of failure.

2 Likes

Sorry for the confusion.

I am taking regular backups using 3 2 1. I don’t want to install OS repeatedly because of LUKS header related issue. Not only that, I faced that problem but didn’t know what to do.