A corrupted LUKS header—or a bad luksKillSlot—can brick an otherwise healthy encrypted partition. Your file backup does not fix that; you need a copy of the header and key slots from when the volume still unlocked cleanly. cryptsetup luksHeaderBackup writes that metadata to a file; luksHeaderRestore writes it back when the on-disk header is damaged.
Examples use the lab LUKS2 partition /dev/sdc1 from encrypt a disk partition with LUKS. Substitute your LUKS device name in every command.
Tested on: Ubuntu 26.04 LTS (Resolute Raccoon); kernel 7.0.0-27-generic; cryptsetup 2.8.4.
What you need on your system
Before luksHeaderBackup or luksHeaderRestore, identify these on your host:
| You need | How to find it | Example in this guide |
|---|---|---|
| LUKS partition — the block device with the header, not the mapper | lsblk -f; sudo blkid |
/dev/sdc1 |
| LUKS UUID — matches backup and restore targets | sudo cryptsetup luksUUID /dev/sdc1 |
5f452b2f-3b11-4494-890b-d6c3e509c0ef |
| Mapper name — if the volume is open | lsblk; dmsetup ls |
secure_data |
| Backup file path — offline, outside the encrypted volume | you choose | luks-header-5f452b2f.img |
| Working passphrase or key file — for restore and detached-header tests | you hold this secret | (not stored in the article) |
Also confirm:
- Close the mapper before
luksHeaderRestore—restore overwrites on-disk LUKS metadata. ForluksHeaderBackup, closing the mapper is conservative but not usually required; avoid backup while another key-slot operation is running. - Your backup filename includes the LUKS UUID so you do not restore onto the wrong disk later.
- You take a fresh header backup after every successful
luksChangeKey,luksKillSlot, or major disk migration (for example root PV migration onto LUKS).
What the LUKS header contains
On LUKS2, metadata and key slots occupy the start of the partition; the encrypted payload usually begins at byte offset 16777216 (16 MiB).
The header holds:
- Encryption parameters (cipher, key size, LUKS UUID).
- Key slots that wrap the volume key with a passphrase, key file, or token. LUKS1 supports up to 8 key slots; LUKS2 can support up to 32 depending on keyslot area size and key size.
- Not your ext4/xfs files—the payload stays on the partition; the backup is only the metadata region.
A header backup is a byte-for-byte copy of that metadata area. luksHeaderBackup does not read your filesystem blocks.
Quick reference
| Task | Command |
|---|---|
| Back up header | sudo cryptsetup luksHeaderBackup --header-backup-file luks-header.img /dev/sdc1 |
| Inspect backup file | sudo cryptsetup luksDump luks-header.img |
| Restore header | sudo cryptsetup luksHeaderRestore --header-backup-file luks-header.img /dev/sdc1 |
| Open using detached header | sudo cryptsetup open --header luks-header.img /dev/sdc1 mapper_name |
| Confirm LUKS UUID | sudo cryptsetup luksUUID /dev/sdc1 |
Close any mapper on the partition before restore (sudo cryptsetup close mapper_name). Restore overwrites on-disk metadata—confirm partition name and backup UUID first.
Back up the header
Identify your LUKS partition with lsblk before you run luksHeaderBackup on the partition, not /dev/mapper/*:
lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/sdcNAME SIZE TYPE FSTYPE MOUNTPOINT
sdc 5G disk
└─sdc1 5G part crypto_LUKSFor a normal backup, you can back up the LUKS header while the volume is open. If you want a quiet maintenance-state backup, unmount and close it first—the same close sequence as in mount LUKS at boot:
sudo umount /mnt/secure-data 2>/dev/null
sudo cryptsetup close secure_data 2>/dev/nullRun the backup (use your partition path and a filename that includes the UUID):
sudo cryptsetup luksHeaderBackup --header-backup-file luks-header-5f452b2f.img /dev/sdc1
sudo chmod 600 luks-header-5f452b2f.imgDo not leave the only copy of this file inside /mnt/secure-data or any filesystem stored inside the same LUKS volume.
Privileged steps below assume sudo command on a root-capable shell.
Check the file size:
ls -l luks-header-5f452b2f.img
stat -c '%s bytes' luks-header-5f452b2f.imgOn many default LUKS2 volumes, the backup is 16777216 bytes (16 MiB). Do not rely on that size for every system—custom LUKS2 metadata, keyslot size, or detached-header layouts can differ:
-r-------- 1 root root 16777216 Jul 5 19:10 luks-header-5f452b2f.img
16777216 bytesfile recognizes the format:
file luks-header-5f452b2f.imgluks-header-5f452b2f.img: LUKS encrypted file, ver 2, header size 16384, ... UUID: 5f452b2f-3b11-4494-890b-d6c3e509c0ef, ...Inspect the backup without touching the disk:
sudo cryptsetup luksDump luks-header-5f452b2f.imgLUKS header information
Version: 2
UUID: 5f452b2f-3b11-4494-890b-d6c3e509c0ef
...
Data segments:
0: crypt
offset: 16777216 [bytes]Confirm the on-disk UUID matches:
sudo cryptsetup luksUUID /dev/sdc15f452b2f-3b11-4494-890b-d6c3e509c0efStore the backup off the encrypted disk—another machine, offline media, or an encrypted archive.
When to take a header backup
Take a header backup:
- Immediately after
luksFormaton a new volume. - Before
luksChangeKey,luksAddKey, orluksKillSlot. - Before risky operations (resize LUKS, partition moves, or
pvmoveduring root encryption migration). - After any successful key-slot change—so the spare metadata matches what is on disk today.
For day-to-day cryptsetup syntax, keep the cryptsetup command cheat sheet open while you work.
Passphrase changes and header backup
luksChangeKey re-wraps the same volume key in a key slot. It does not re-encrypt your files. The lab below uses a throwaway loop partition (/dev/loop29p1); the behavior is the same on your LUKS device.
The printf examples are for a disposable lab device only. On a real disk, enter passphrases interactively so they are not visible in shell history, terminal scrollback, process arguments, or copied notes.
Back up first, then rotate:
sudo cryptsetup luksHeaderBackup --header-backup-file header-before-change.img /dev/loop29p1
printf '%s\n%s\n%s\n' 'old-pass' 'new-pass' 'new-pass' | sudo cryptsetup luksChangeKey /dev/loop29p1Test which passphrase the live device accepts:
printf '%s\n' 'old-pass' | sudo cryptsetup open --test-passphrase /dev/loop29p1No key available with this passphrase.printf '%s\n' 'new-pass' | sudo cryptsetup open --test-passphrase /dev/loop29p1The second command exits silently when the new passphrase works.
What this means for your backup:
- A header backup taken before rotation still reflects old key slots—you can open with that file and the old passphrase using a detached header (next section).
- If a rotation goes wrong,
luksHeaderRestorefrom the pre-change backup returns metadata to the saved state—only if a passphrase valid for that backup still exists. - Take a fresh header backup after every successful change.
For volume-key re-encryption (not just passphrase re-wrap), read change LUKS passphrases and reencrypt and back up the header again before you start.
Restore a damaged header
When luksDump fails on the partition but the encrypted payload is intact, restore from your backup file.
The lab corrupts the first megabyte of a throwaway loop LUKS partition, then restores:
sudo cryptsetup luksHeaderBackup --header-backup-file header-pre.img /dev/loop29p1
sudo dd if=/dev/zero of=/dev/loop29p1 bs=1M count=1 conv=notrunc status=none
sudo cryptsetup luksDump /dev/loop29p1Device /dev/loop29p1 is not a valid LUKS device.sudo cryptsetup luksHeaderRestore --header-backup-file header-pre.img /dev/loop29p1
printf '%s\n' 'your-passphrase' | sudo cryptsetup open --test-passphrase /dev/loop29p1The test-passphrase step exits silently when restore succeeded.
On your production partition, confirm the backup belongs to that device, close any mapper, then restore (example /dev/sdc1):
sudo cryptsetup luksDump luks-header-5f452b2f.img | grep UUID
sudo cryptsetup luksUUID /dev/sdc1 2>/dev/null || trueIf the on-disk header is damaged, luksUUID /dev/sdc1 may fail. Rely on your filename, inventory notes, and backup records before restoring.
sudo cryptsetup close secure_data 2>/dev/null
sudo cryptsetup luksHeaderRestore --header-backup-file luks-header-5f452b2f.img /dev/sdc1luksHeaderRestore overwrites on-disk LUKS metadata. Before you confirm:
- Partition path matches the backup UUID (
luksDumpon the backup file). - Backup predates any
luksChangeKeyyou intend to keep—or you accept rolling back to older key slots.
Use batch mode only in scripts after manual verification:
sudo cryptsetup -q luksHeaderRestore --header-backup-file luks-header-5f452b2f.img /dev/sdc1After restore, unlock with a passphrase valid for the restored header, then run sudo fsck -f /dev/mapper/name if the filesystem was not cleanly unmounted.
luksHeaderRestore onto a different disk or partition unless you are certain the backup belongs to that volume. A mismatched restore can destroy the only key-slot data that matches your ciphertext.
Detached header (--header)
Some layouts store the LUKS header on separate media. On a standard single-partition setup, you can point cryptsetup at a header backup file instead of the on-disk copy—the backup file supplies metadata and the partition supplies ciphertext. Useful when the on-disk header is damaged but the backup is intact.
Confirm the backup UUID before you open with --header:
sudo cryptsetup luksDump luks-header-5f452b2f.img | grep UUIDUUID: 5f452b2f-3b11-4494-890b-d6c3e509c0efMatch that UUID to your device notes and inventory before opening the partition.
The lab opens a loop partition with the header backup taken before luksChangeKey, using the matching old passphrase:
sudo cryptsetup open --header header-pre.img /dev/loop29p1 rescue_hdrFor read-only rescue—copy data out without writes through the mapper:
sudo cryptsetup open --readonly --header luks-header-5f452b2f.img /dev/sdc1 rescue_hdrUse --readonly when you only need to copy data out and do not want to risk writes through a restored or detached-header recovery session.
Check the stack:
lsblk -o NAME,TYPE,FSTYPE /dev/loop29NAME TYPE FSTYPE
loop29 loop
└─loop29p1 part crypto_LUKS
└─rescue_hdr cryptsudo cryptsetup status rescue_hdr/dev/mapper/rescue_hdr is active.
type: LUKS2
cipher: aes-xts-plain64
device: /dev/loop29p1
offset: 32768 [512-byte units] (16777216 [bytes])The mapper reads the same ciphertext on the partition; only the metadata source changes. On /dev/sdc1, use the same --header flag with your backup file and partition path. Mount /dev/mapper/rescue_hdr if you need files, then close when finished:
sudo cryptsetup close rescue_hdrWhen a header backup cannot help
| Situation | Header backup helps? |
|---|---|
| Corrupted on-disk LUKS metadata | Yes, if backup is current and you know a valid key |
Accidental luksKillSlot on the last key |
Only if backup predates the kill and still has an active slot |
| Forgotten passphrase, no other key slot or key file | No — key slots in the backup are wrapped with the same secrets |
| Ransomware or overwritten ciphertext | No — metadata does not recreate encrypted blocks |
| Volume-key re-encryption with a new volume key | No — an old header from before reencryption does not match the new ciphertext |
If every key slot is lost and no backup key file exists, recovery requires a full data backup from before encryption. cryptsetup-reencrypt and header tools assume you can still unlock at least one slot.
Protect the header backup file
The backup exposes key-slot material for offline guessing. An attacker with luks-header.img can run passphrase trials without touching the original disk.
- Store the file outside the encrypted volume it belongs to.
- Restrict permissions (
chmod 600or tighter; root ownership). - Prefer an encrypted archive or hardware token for long-term storage.
- Do not commit header images to git, ticket attachments, or shared drives without encryption.
- Rotate backups when you change passphrases or retire key slots.
- If you securely retire or wipe a LUKS device, destroy every header backup too—a valid old passphrase plus a kept backup can still unlock the data area.
Losing the header file is less critical than losing the only passphrase, but leaking it weakens the same passphrases that guard your data.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
luksHeaderRestore fails (device busy) |
Mapper or mounted filesystem still using the LUKS device | Unmount /dev/mapper/name, run sudo cryptsetup close mapper_name, retry restore |
luksHeaderBackup creates an empty or missing file |
Wrong output path, permissions, or no space on the destination filesystem | Fix path and permissions; do not write the backup inside the encrypted volume you are protecting |
| Restore succeeds but passphrase still rejected | Backup older than last luksChangeKey, or backup UUID does not match the partition |
Compare sudo cryptsetup luksDump backup.img | grep UUID with sudo blkid /dev/sdc1; restore a matching backup or unlock with a passphrase valid for that header state |
Wrong LUKS device or checksum error on restore |
Truncated backup file or header copied from another disk | Re-copy from a known-good archive; do not retry restore with a damaged file |
| LUKS unlocks after restore but filesystem will not mount | ext4 (or other FS) superblock damage—not fixed by header restore | Run sudo fsck -f /dev/mapper/name; restore from a filesystem-level backup if needed |
References
- cryptsetup FAQ — backup and restore (official)
- Ubuntu man page: cryptsetup(8)
- Linux kernel dm-crypt documentation
Summary
- Map your LUKS partition and UUID; close the mapper before
luksHeaderRestore(not required for normal backup). - Run
cryptsetup luksHeaderBackupto copy LUKS metadata to a file;chmod 600and store it offline. - Use
luksHeaderRestorewhen on-disk metadata is damaged and the backup UUID matches—unlock with a passphrase valid for that backup. - Back up before every
luksChangeKeyor risky disk operation; refresh the backup after successful changes. - A header image never replaces a forgotten passphrase or a full data backup.

