cryptsetup-luksHeaderRestore - Man Page

restore a binary backup of the LUKS header and keyslot area

Synopsis

cryptsetup luksHeaderRestore --header-backup-file <file> [<options>] <device>

Description

Restores a binary backup of the LUKS header and keyslot area from the specified file.

Using '-' as a filename reads the header backup from a file named '-'.

All keyslots will be replaced; only the passphrases from the backup will work afterward.

This command requires that the volume key size and data offset of the LUKS header and backup match. Alternatively, the backup will also be written if the device has no LUKS header.

<options> can be [--header, --header-backup-file, --disable-locks].

Options

--batch-mode, -q

Suppresses all confirmation questions. Use with care!

If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.

--debug or --debug-json

Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by #.

If --debug-json is used, additional LUKS2 JSON data structures are printed.

--disable-locks

Disable lock protection for metadata on disk. This option is valid only for LUKS2 and is ignored for other formats.

WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).

--header <device or file storing the LUKS header>

Use a detached (separated) metadata device or file where the LUKS header is stored. This option allows one to store the ciphertext and LUKS header on different devices.

For commands that change the LUKS header (e.g., luksAddKey), specify the device or file with the LUKS header directly as the LUKS device.

--header-backup-file file