Two shell scripts intended to save and restore LUKS critical data (such as header and master key) in safe manner. In details that means that LUKS header and master key are protected by several hash sums, then are packed and encrypted with AES-256 (OFB). Encrypted tarball then gets additional protection using several recovery volumes. This last step is optional and is performed only if utility par2 is found on the host.

luks_save.sh <path_to_LUKS_device> [<basename_for_archive>] [--key-file|-k <path_to_keyfile>]

<path_to_LUKS_device>

Full path to encrypted device containing LUKS header

<basename_for_archive>

String identifying all fileset in the archive. If omitted, hostname will be used. If 'hostname' utility is not found, md5 of current date and time will be used. If 'date' is not found, just md5 of random crap from /dev/urandom will be used.

--key-file=<path_to_keyfile> | -k <path_to_keyfile>

For most operations cryptsetup asks for a key. If you have a keyfile, specify it here. Otherwise enter the password when prompted.

luks_restore.sh <archive_file_name> [YES_I_WANT_TO_AUTOMAGICALLY_RESTORE_MY_LUKS_HEADER <luks_device>]

<archive_file_name>

Name of the encrypted archive with LUKS header backup

YES_I_WANT_TO_AUTOMAGICALLY_RESTORE_MY_LUKS_HEADER

You MUST provide this string as it is to automatically recover your corrupted LUKS header. It's very dangerous operation, so you'll do it at your own risk.

<luks_device>

LUKS device with corrupted header to restore from backup.

Mainly that will do to have coreutils and cryptsetup on board. But there are some important details.

To work properly this script needs an utility xxd to be installed. In case you don't want to use it, feel free to modify the scripts and get rid of any reference of xxd. It will result in slightly longer tarball filenames.

Another utility used by this script is par2: recovery information generator. It's not mandatory to install it, though. But in case of damaged backup archive additional recovery volumes would be just what you'd want.