backup is mandatory, see Section "6. Backup and Data Recovery" on
options for doing encrypted backup.
+ CLONING/IMAGING: If you clone or image a LUKS container, you make a
+ copy of the LUKS header and the master key will stay the same!
+ That means that if you distribute an image to several machines, the
+ same master key will be used on all of them, regardless of whether
+ you change the passphrases. Do NOT do this! If you do, a root-user
+ on any of the machines can decrypt all other copies, breaking
+ security. See also Item 6.15.
+
DISTRIBUTION INSTALLERS: Some distribution installers offer to
create LUKS containers in a way that can be mistaken as activation
of an existing container. Creating a new LUKS container on top of
borders).
+ * 6.15 Can I clone a LUKS container?
+
+ You can, but it breaks security, because the cloned container has
+ the same header and hence the same master key. You cannot change
+ the master key on a LUKS container, even if you change the
+ passphrase(s), the master key stays the same. That means whoever
+ has access to one of the clones can decrypt them all, completely
+ bypassing the passphrases.
+
+ The right way to do this is to first luksFormat the target
+ container, then to clone the contents of the source container, with
+ both containers mapped, i.e. decrypted. You can clone the decrypted
+ contents of a LUKS container in binary mode, although you may run
+ into secondary issuses with GUIDs in filesystems, partition tables,
+ RAID-components and the like. These are just the normal problems
+ binary cloning causes.
+
+
7. Interoperability with other Disk Encryption Tools
projects / platform / upstream / cryptsetup.git / commitdiff