Re: Discussion about backup passwords for LUKS encrypted filesystems before revising wiki
Note: Initially sent to David off list, he asked me to reply to the list.
David,
Thanks for your response!
I'm replying privately intentionally for various reasons -- I may summarize
some of this on list at some point.
On Tuesday, December 22, 2020 07:20:39 PM David Christensen wrote:
> Thank you for offering to improve Debian documentation. :-)
You're welcome, but I wasn't making a general offer to improve documentation,
just to fix something that I thought was misleading.
And, I have a little trouble understanding what you are suggesting. Keep
reading.
Aside: Maybe I should explain why I was reading (some of) that wiki page: I
need to set up a few encrypted partitions for backup of some encrypted data
(currently backed up in only one place, on the same computer). So I have an
interest in (better) learning how to set up LUKS partitions (without regard to
LVM). But, I've also been curious about LVM (without much intention of using
it) -- when I started skimming the LVM wiki page and found the stuff on LUKS I
decided that would be worth reading in view of my first interest (LUKS).
Further / farther aside: The secondary interest in LVM was sparked by some
clues in the ongoing thread(s) on debian-user that pointed to (or led me to)
some gotchas that, if I were to start using LVM I'd want to be very aware of
(for instance, that adding a partition to an LVM wipes out any data on that
partition).
> I agree that the content of "LVM" Debian Wiki page "Encrypted LVM"
> section could use some improvement.
>
>
> AIUI backing up a Linux Unified Key Setup (LUKS) header will save a copy
> of the metadata for a LUKS volume, which includes secure hashes of the
> passphrases (and/or keys) used to access the contents (such as a Linux
> Volume Manager (LVM) volume).
As I was reading parts of that wiki page again (again in the LUKS section) I
started to realize that (to me) the more important thing (rather than creating
backup passwords) is creating a backup of the LUKS header. I guess that is
what you are suggesting. (Again, I might, or might not revise the wiki to say
that, if that is your point. If that is not your point, I need some
amplification.)
> So, while "Backup passwords" -> "Step" ->
> 2.1 and "Restore password" -> 1.1 may describe useful system
> administration procedures, these subsections have conceptual and
> technical issues.
Well, except for the one discussed previous to this sentence, I don't know
what they are -- I might be interested in learning what they are, but not sure
I'm interested in rewriting the document to reflect them more correctly.
> The subjects of multiple passphrases and/or keys for encrypted items
> (volumes, filesystems, directories, files, etc.) and disaster
> preparedness/recovery of encrypted volumes and/or containers are
> related, but different. Regarding the first subject and LUKS, I would
> expect the first to appear on a wiki page for "LUKS" (which does not
> appear to exist).
Yeah, I guess I can see that perhaps some of the discussion of LUKS on this
page could / should be moved to a page specifically on LUKS, or as you mention
below, to a wiki page on BackupAndRecovery. Again, I'm probably not ready to
do that (although to a certain extent I do enjoy writing and spend too much
time doing (or trying to do) it).
> The latter subject for LUKS could be a useful
> addition to the "BackupAndRecovery" wiki page:
>
> https://wiki.debian.org/BackupAndRecovery
>
>
> David