Commit a7fad363 authored by Heiko Reese

Added paragraph about dumping LUKS masterkeys.

parent ba4206c5
......@@ -329,7 +329,7 @@ kill -9 ${PID}
If you can't get an image of the system's storage afterwards for offline
forensics, you need to create a rudimentary timeline now. Otherwise, skim over
the next parts and process to [shutdown part](#power-down-system).
the next parts and process to [dumping LUKS keysp](optionally-retrieve-LUKS-master-keys).
Using `find` on
a filesystem will `stat()` every file and directory on a filesystem thus
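Review bot: the rewritten link on the `process to [dumping LUKS keysp](...)` line is broken in two ways: the link text has a typo (`keysp`), and the target `optionally-retrieve-LUKS-master-keys` lacks the leading `#` that the replaced `#power-down-system` target had, so it will render as a relative path instead of an in-page anchor; GitLab also generates lowercase heading anchors, so it should read `[dumping LUKS keys](#optionally-retrieve-luks-master-keys)`. While this sentence is being edited, `process to` should be `proceed to`.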
......@@ -431,9 +431,38 @@ are no hard rules here, just some general ideas:
TODO: journald, …
### Optionally Retrieve LUKS master keys
### Optionally retrieve LUKS master keys
Find out if there are any LUKS-encrypted devices:
```sh
for dev in $(lsblk -n -o KNAME); do
if cryptsetup isLuks "/dev/${dev}"; then
echo $dev;
cryptsetup luksDump /dev/sdc2 > cryptsetup_luksDump_$dev.txt
fi;
done
```
There are two options if the system has encrypted disks and the current owner
does not want to share the secret key. Both options requires someone who knows
the encryption keys to enter them once for each device.
Option one: add another keys using
```sh
cryptsetup luksAddKey /dev/…
```
While this changes the LUKS-header on-disk, it does not affect the containing filesystem.
Option two: dump the encryption masterkey. Handle with care!
```sh
for dev in $(lsblk -n -o KNAME); do
if cryptsetup isLuks "/dev/${dev}"; then
echo $dev;
cryptsetup --dump-master-key luksDump "/dev/${dev}" | tee cryptsetup_luksDump_$dev.masterkey
fi;
done
```
## Power down system
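Review bot: the first loop calls `cryptsetup luksDump /dev/sdc2` for every device found, so each `cryptsetup_luksDump_$dev.txt` will contain the header of `/dev/sdc2` rather than of `$dev`; use `"/dev/${dev}"` as the second loop already does. In the second loop `tee` writes the master key in plaintext into the current working directory of the live system, so the `Handle with care!` remark should say where that file has to go (e.g. directly onto the investigator's own encrypted media) and that no plaintext copy is left on the examined host. Minor wording: `Both options requires` should be `Both options require`, `add another keys` should be `add another key`, and `echo $dev` should be quoted as `echo "$dev"`.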