> On 10/29/23 22:01, Roberto Ragusa wrote:
>
> The point here is not about getting the passphrase, it is about
> getting the real decryption key.
> Storing the decryption key in a safe place is a lot better than
> relying on things that can break in many ways (luks header overwritten,
> broken TPM, new machine, ...).
> The real decryption key makes the difference between having data
> or losing them; making all recovery strategies impossible is not
> a good idea.

Nothing is preventing you from backing up the LUKS header (cryptsetup 
luksHeaderBackup), it's just that it is encrypted and includes whatever 
keyslots you have, and if they're all removed (or you don't remember the pass 
phrase for them), it isn't really going to help you decrypt an unlocked volume 
without a passphrase or any of those other methods.

What you're asking is the ability to extract the decryption key of the unlocked 
LUKS volume without knowing any of the methods used to decrypt it.  That would 
be a huge security hole.

-- 
Jonathan
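
An added example, not part of the original message: a minimal reader for a `cryptsetup luksHeaderBackup` file that lists which keyslots the backup carries and which of them are tied to a token such as a TPM. It assumes the LUKS2 on-disk layout (4096-byte binary header followed by NUL-padded JSON metadata); the function names and the sample header are constructed for illustration, and treating a slot with no token as "passphrase-or-keyfile" is a heuristic.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # LUKS2 binary header; the JSON area follows it


def summarize_luks2_header(blob: bytes) -> dict:
    """List the keyslots in a LUKS2 header backup and the token types bound to each."""
    if blob[:6] != LUKS2_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    # Big-endian: uint16 version, uint64 hdr_size (binary header + JSON area).
    version, hdr_size = struct.unpack(">HQ", blob[6:16])
    if version != 2:
        raise ValueError(f"only LUKS2 is handled here, got version {version}")
    if hdr_size > len(blob):
        raise ValueError("truncated header backup")
    meta = json.loads(blob[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0])
    # Tokens (e.g. systemd-tpm2) name the keyslots they are able to unlock.
    bound = {}
    for tok in meta.get("tokens", {}).values():
        for slot in tok.get("keyslots", []):
            bound.setdefault(slot, []).append(tok.get("type", "unknown"))
    slots = {
        slot: bound.get(slot, ["passphrase-or-keyfile"])
        for slot in sorted(meta.get("keyslots", {}))
    }
    # Slots with no token still work on a new machine or after a TPM failure.
    independent = [s for s in slots if s not in bound]
    return {"keyslots": slots, "independent_of_tokens": independent}


def build_sample_header() -> bytes:
    """Constructed sample: slot 0 has no token, slot 1 is bound to a TPM token."""
    meta = {
        "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
        "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}},
    }
    hdr_size = 16384
    binary = (LUKS2_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(BIN_HDR_SIZE, b"\0")
    return (binary + json.dumps(meta).encode()).ljust(hdr_size, b"\0")


if __name__ == "__main__":
    print(summarize_luks2_header(build_sample_header()))
```

If `independent_of_tokens` comes back empty, the backup can only be unlocked through the listed tokens, so it will not help after the hardware they depend on is gone.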