6

Can I use the same single LUKS detached header for multiple drives?
What should I keep in mind when doing so? Is this also possible if the drives are fundamentally different (different size, manufacturer, etc.)?

Reason: I want to use multiple drives in a single system with LUKS, but from a security standpoint there is no benefit in using different headers. But maybe there are technical reasons not to do so?

2
  • I was asking myself the same question. Have you tried to implement this since ? What bothers me is Wikipedia's statement that a LUKS2 header contains "segments" that "describe encrypted areas on the disk" (en.wikipedia.org/wiki/Linux_Unified_Key_Setup#LUKS2). Which would mean that a LUKS header is tied to a specific drive. Commented Nov 20, 2023 at 12:09
  • no, I have not done it and used different detached headers for each drive. The dealbreaker was the same UUID in the accepted answer for me (I did not want that). Commented Jan 10, 2024 at 20:00

1 Answer

3

Technical

Yes, you can absolutely copy a LUKS header from one disk to another. To be exact, you can copy it from one block device to another block device; this means you can safely copy the LUKS header from a partition (a block device) to a block device representing the whole disk. You can simply do:

dd if=/path/to/block/deviceA of=/path/to/block/deviceB bs=2M count=1 

There is one technical limitation though: if you are using something like udev to identify block devices by UUID and to assign them to specific device files, then udev may get confused since all drives will have the same UUID. This is because the LUKS header contains a UUID.

Note that this is not the same as mounting filesystems in /etc/fstab. mount will be looking at the UUIDs of the filesystems which are on top of LUKS (as long as the drive is decrypted).

The fact that the LUKS header can be used on any block device also means that the size of the device does not matter for the header. If you are using the header on a single partition then the partition table knows the size of the block device, if you are using it on an entire disk then the kernel knows its size.

Security

From a security standpoint copying LUKS headers is a bad idea. The LUKS header contains an encryption key with which the data is encrypted, i.e. the data is encrypted with the key inside the header, not with a key generated from the password. The LUKS header then stores this encryption key several times, encrypted under a key generated from a password.

If the disk can be decrypted with 3 different passwords the key is stored three times: each time encrypted under a key generated from one password.

As an example, let's assume that you have 2 disks and each can be decrypted with 2 passwords, and you copied the LUKS header from one disk to the other. Now, if one of the passwords is compromised, the encryption key is compromised. If an attacker managed to get his hands on diskA and got the key by using the compromised password, then you need to destroy the data on diskB since the attacker can decrypt it.

In the same situation (one password is compromised), had you not copied the LUKS header the recovery would be much easier. If diskA is in possession of an attacker and he has the encryption key for diskA he still cannot decrypt the data on diskB. He can, of course, use the compromised password to get the encryption key of diskB from diskB, but, if you are faster than the attacker, you can disable the compromised password from diskB (this happens by overwriting the encryption key stored under the compromised password).

Therefore there are benefits from using different headers. One of the header's purposes is to allow different passwords to be used and to make the data on each block device be encrypted under a different key, albeit the password used to decrypt the drives is the same.

3
  • "the LUKS header can be used on any block device" : are you absolutely sure about this ? I have some doubts because of Wikipedia's statement that a LUKS2 header's JSON area contains "segments" that "describe encrypted areas on the disk" (en.wikipedia.org/wiki/Linux_Unified_Key_Setup#LUKS2). Which would mean that a LUKS header is tied to a specific drive. Commented Nov 20, 2023 at 12:10
  • @ChennyStar - Interesting. Yes, the LUKS2 spec adds JSON metadata that contains the segments, but it appears that this is more about defining how the device itself looks rather than the data on it. One limitation I see is that all block devices for the same header must hence have the same block size (as that information - the block size - is included in the segments metadata). Commented Jan 2, 2024 at 17:12
  • Yep, that's the conclusion I reached too. There are some other limitations though : you can not use the containers' UUID to identify them, because the UUID is stored in the header. And you cannot use dm-integrity. See unix.stackexchange.com/questions/762089/…, where I asked the same question. Commented Jan 3, 2024 at 4:09
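The answer and the comment thread turn on three facts about the on-disk header: the UUID lives in the header (so copies collide), the key slots live in the header (so every password unlocks every copy), and a LUKS2 segment carries a sector size but, by default, a "dynamic" size rather than a fixed device size. The following Python is an added example written for this page, not code from the question, the answer or the cryptsetup project. It parses the LUKS1 phdr and the LUKS2 binary header plus JSON area at their documented offsets (magic at 0, version at 6, UUID string at 168 in both formats) to report those fields, flags headers that share a UUID across devices, and computes how many `dd` blocks a full header copy needs. The headers it inspects are constructed in-memory stand-ins with dummy salts and digests, with payload offsets of 2 MiB (LUKS1) and 16 MiB (LUKS2) chosen to mirror common cryptsetup defaults; the device paths are hypothetical. Checksums and key-slot contents are not verified.

```python
"""Inspect LUKS1/LUKS2 on-disk headers: UUID, active key slots, segment layout and
how many bytes a byte-for-byte copy (dd) must carry. Headers here are constructed."""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 backup header magic
LUKS1_SLOT_ACTIVE = 0x00AC71F3
LUKS1_SLOT_DISABLED = 0x0000DEAD
LUKS2_BIN_HDR = 4096                     # binary part; the JSON area follows it


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(buf: bytes) -> dict:
    """Identity-relevant fields only; digests and checksums are not verified."""
    if buf[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", buf, 6)[0]
    hdr_uuid = _cstr(buf[168:208])       # both formats keep the UUID string at byte 168
    if version == 1:
        payload_sectors, key_bytes = struct.unpack_from(">II", buf, 104)
        slots = [struct.unpack_from(">I", buf, 208 + 48 * i)[0] for i in range(8)]
        return {"version": 1, "uuid": hdr_uuid,
                "cipher": f"{_cstr(buf[8:40])}-{_cstr(buf[40:72])}",
                "key_bits": key_bytes * 8,
                "active_keyslots": slots.count(LUKS1_SLOT_ACTIVE),
                "header_bytes": payload_sectors * 512}  # metadata + key material before payload
    if version == 2:
        hdr_size = struct.unpack_from(">Q", buf, 8)[0]
        meta = json.loads(_cstr(buf[LUKS2_BIN_HDR:hdr_size]))
        segs = meta["segments"]
        return {"version": 2, "uuid": hdr_uuid, "label": _cstr(buf[24:72]),
                "active_keyslots": len(meta["keyslots"]),
                # size "dynamic": the segment runs to the end of whatever device carries it
                "segments": {k: (s["size"], s.get("sector_size")) for k, s in segs.items()},
                "header_bytes": min(int(s["offset"]) for s in segs.values())}
    raise ValueError(f"unsupported LUKS version {version}")


def dd_count_needed(buf: bytes, bs: int = 2 * 1024 * 1024) -> int:
    """Number of `bs`-sized blocks dd must copy to move the whole header, key slots included."""
    return -(-parse_luks_header(buf)["header_bytes"] // bs)   # ceiling division


def find_shared_uuids(headers: dict) -> dict:
    """UUID -> devices carrying it, for every UUID present on more than one device."""
    seen = {}
    for dev, buf in headers.items():
        seen.setdefault(parse_luks_header(buf)["uuid"], []).append(dev)
    return {u: devs for u, devs in seen.items() if len(devs) > 1}


def build_luks1_header(hdr_uuid: str, active_slots: int, payload_sectors: int = 4096) -> bytes:
    """Constructed 592-byte LUKS1 phdr (dummy salts/digests), 2 MiB payload offset by default."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:40], hdr[40:72], hdr[72:104] = (b"aes".ljust(32, b"\0"),
                                         b"xts-plain64".ljust(32, b"\0"),
                                         b"sha256".ljust(32, b"\0"))
    struct.pack_into(">II", hdr, 104, payload_sectors, 64)      # offset, 512-bit key
    hdr[168:208] = hdr_uuid.encode().ljust(40, b"\0")
    for i in range(8):
        state = LUKS1_SLOT_ACTIVE if i < active_slots else LUKS1_SLOT_DISABLED
        struct.pack_into(">I", hdr, 208 + 48 * i, state)
    return bytes(hdr)


def build_luks2_header(hdr_uuid: str, keyslots: int, data_offset: int = 16 * 1024 * 1024,
                       hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 primary header: 4 KiB binary part + JSON area, no checksum."""
    meta = {"keyslots": {str(i): {"type": "luks2", "key_size": 64} for i in range(keyslots)},
            "tokens": {}, "digests": {},
            "segments": {"0": {"type": "crypt", "offset": str(data_offset), "size": "dynamic",
                               "iv_tweak": "0", "encryption": "aes-xts-plain64",
                               "sector_size": 512}},
            "config": {"json_size": str(hdr_size - LUKS2_BIN_HDR),
                       "keyslots_size": str(data_offset - 2 * hdr_size)}}
    hdr = bytearray(hdr_size)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", hdr, 6, 2, hdr_size, 1)            # version, hdr_size, seqid
    hdr[24:72] = b"data-disk".ljust(48, b"\0")
    hdr[72:104] = b"sha256".ljust(32, b"\0")
    hdr[168:208] = hdr_uuid.encode().ljust(40, b"\0")
    body = json.dumps(meta).encode()
    hdr[LUKS2_BIN_HDR:LUKS2_BIN_HDR + len(body)] = body
    return bytes(hdr)


if __name__ == "__main__":
    shared = build_luks2_header("7d3a2b1c-0000-4000-8000-0123456789ab", keyslots=2)
    # hypothetical devices that all received the same header bytes via dd
    disks = {"/dev/sda": shared, "/dev/sdb": shared, "/dev/sdc": shared}
    print(parse_luks_header(shared))
    print("shared UUIDs:", find_shared_uuids(disks))
    print("dd bs=2M count needed:", dd_count_needed(shared))
```

Two things fall out when running it against the constructed LUKS2 header: every device reports the same UUID (which is what confuses udev and `blkid`), and `dd ... bs=2M count=1` copies only the first 2 MiB, short of the 16 MiB that precedes the data segment, so the key-slot area would not come along; `dd_count_needed` returns the count to use instead. For a real device, pass the first 16 MiB of the header file or block device to `parse_luks_header`.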
