Skip to main content
Unix & Linux

Return to Answer

added 69 characters in body; added 47 characters in body
Source Link
frostschutz
frostschutz
  • 52.2k
  • 7
  • 129
  • 179

Detached headers is a special use case. Since few people use it, support for it may also be lacking in some places. So I don't recommend using them. I also don't recommend using a drive without a partition table. This setup has too many pitfalls.

If header=UUID=x does not work, try header=/dev/disk/by-uuid/x.

For header=/some/path/file:UUID=x, the path is relative to the specified filesystem. So, if you mount UUID=x /mnt/somewhere, then it looks for /mnt/somewhere/some/path/file.

Instead ofRegarding luksErase consider deleting the keys instead (through removekeyor alternatively deleting all keys through luksRemoveKey or killslotluksKillSlot). A LUKS header without any remaining keyslots can not be opened anymore (you have to use your detached header for that). But it still provides the UUID so you can identify the encrypted device. Of course, if

If your detached header is also on a partition and has the same UUID, you'll still have problems..it will conflict. you'llYou'll have to change itone of them with luksUUID, in order to be able to identify both header, and encrypted device, by UUID. In case of LUKS2, you can also set a label.

Alternatively if you use GPT partitions, you can use PARTUUID or PARTLABEL to identify it.

Detached headers is a special use case. Since few people use it, support for it may also be lacking in some places. So I don't recommend using them. I also don't recommend using a drive without a partition table. This setup has too many pitfalls.

If header=UUID=x does not work, try header=/dev/disk/by-uuid/x.

For header=/some/path/file:UUID=x, the path is relative to the specified filesystem. So, if you mount UUID=x /mnt/somewhere, then it looks for /mnt/somewhere/some/path/file.

Instead of luksErase consider deleting the keys instead (through removekey or killslot). A LUKS header without any remaining keyslots can not be opened anymore (you have to use your detached header for that). But it still provides the UUID so you can identify the encrypted device. Of course, if your detached header is also on a partition and has the same UUID, you'll still have problems... you'll have to change it with luksUUID.

Alternatively if you use GPT partitions, you can use PARTUUID or PARTLABEL to identify it.

Detached headers is a special use case. Since few people use it, support for it may also be lacking in some places. So I don't recommend using them. I also don't recommend using a drive without a partition table. This setup has too many pitfalls.

If header=UUID=x does not work, try header=/dev/disk/by-uuid/x.

For header=/some/path/file:UUID=x, the path is relative to the specified filesystem. So, if you mount UUID=x /mnt/somewhere, then it looks for /mnt/somewhere/some/path/file.

Regarding luksErase (or alternatively deleting all keys through luksRemoveKey or luksKillSlot). A LUKS header without any remaining keyslots can not be opened anymore (you have to use your detached header for that). But it still provides the UUID so you can identify the encrypted device.

If your detached header is also on a partition and has the same UUID, it will conflict. You'll have to change one of them with luksUUID, in order to be able to identify both header, and encrypted device, by UUID. In case of LUKS2, you can also set a label.

Alternatively if you use GPT partitions, you can use PARTUUID or PARTLABEL to identify it.

Source Link
frostschutz
frostschutz
  • 52.2k
  • 7
  • 129
  • 179

Detached headers is a special use case. Since few people use it, support for it may also be lacking in some places. So I don't recommend using them. I also don't recommend using a drive without a partition table. This setup has too many pitfalls.

If header=UUID=x does not work, try header=/dev/disk/by-uuid/x.

For header=/some/path/file:UUID=x, the path is relative to the specified filesystem. So, if you mount UUID=x /mnt/somewhere, then it looks for /mnt/somewhere/some/path/file.

Instead of luksErase consider deleting the keys instead (through removekey or killslot). A LUKS header without any remaining keyslots can not be opened anymore (you have to use your detached header for that). But it still provides the UUID so you can identify the encrypted device. Of course, if your detached header is also on a partition and has the same UUID, you'll still have problems... you'll have to change it with luksUUID.

Alternatively if you use GPT partitions, you can use PARTUUID or PARTLABEL to identify it.