Scroll to navigation

CRYPTSETUP-LUKSHEADERBACKUP(8) Maintenance Commands CRYPTSETUP-LUKSHEADERBACKUP(8)

NAME

cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keyslot area

SYNOPSIS

cryptsetup luksHeaderBackup --header-backup-file <file> [<options>] <device>

DESCRIPTION

Stores a binary backup of the LUKS header and keyslot area.

Using '-' as a filename writes the header backup to a file named '-'.

The backup file and a passphrase valid at the time of backup allow decryption of the LUKS data area, even if the passphrase was later changed or removed from the LUKS device. Note that with a header backup, you lose the ability to wipe the LUKS device securely by just overwriting the header and keyslots. You must either securely erase all header backups or overwrite the encrypted data area.

<options> can be [--header, --header-backup-file, --disable-locks].

OPTIONS

--batch-mode, -q

Suppresses all confirmation questions. Use with care!

If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.

--debug or --debug-json

Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by #.

If --debug-json is used, additional LUKS2 JSON data structures are printed.

--disable-locks

Disable lock protection for metadata on disk. This option is valid only for LUKS2 and is ignored for other formats.

WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).

--header <device or file storing the LUKS header>

Use a detached (separated) metadata device or file where the LUKS header is stored. This option allows one to store the ciphertext and LUKS header on different devices.

For commands that change the LUKS header (e.g., luksAddKey), specify the device or file with the LUKS header directly as the LUKS device.

--header-backup-file file

Specify a file with the header backup file.

--help, -?

Show help text and default parameters.

--usage

Show short option help.

--version, -V

Show the program version.

REPORTING BUGS

Report bugs at cryptsetup mailing list <cryptsetup@lists.linux.dev> or in Issues project section <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.

Please attach the output of the failed command with --debug option added.

SEE ALSO

Cryptsetup FAQ <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>

cryptsetup(8), integritysetup(8) and veritysetup(8)

CRYPTSETUP

Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.

2025-08-19 cryptsetup 2.8.1