1 = cryptsetup-luksDump(8)
3 :manmanual: Maintenance Commands
4 :mansource: cryptsetup {release-version}
5 :man-linkstyle: pass:[blue R < >]
11 cryptsetup-luksDump - dump the header information of a LUKS device
15 *cryptsetup _luksDump_ [<options>] <device>*
19 Dump the header information of a LUKS device.
21 If the --dump-volume-key option is used, the LUKS device volume key is
22 dumped instead of the keyslot info. Together with the --volume-key-file
23 option, volume key is dumped to a file instead of standard output.
24 Beware that the volume key cannot be changed without reencryption and
25 can be used to decrypt the data stored in the LUKS container without a
26 passphrase and even without the LUKS header. This means that if the
27 volume key is compromised, the whole device has to be erased or
28 reencrypted to prevent further access. Use this option carefully.
30 To dump the volume key, a passphrase has to be supplied, either
31 interactively or via --key-file.
33 To dump unbound key (LUKS2 format only), --unbound parameter, specific
34 --key-slot id and proper passphrase has to be supplied, either
35 interactively or via --key-file. Optional --volume-key-file parameter
36 enables unbound keyslot dump to a file.
38 To dump LUKS2 JSON metadata (without basic header information like UUID)
39 use --dump-json-metadata option.
41 *<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
42 --keyfile-offset, --keyfile-size, --header, --disable-locks,
43 --volume-key-file, --type, --unbound, --key-slot, --timeout].
45 *WARNING:* If --dump-volume-key is used with --key-file and the argument
46 to --key-file is '-', no validation question will be asked and no
49 include::man/common_options.adoc[]
50 include::man/common_footer.adoc[]