How can I extract the encrypted master key from LUKS header?

Question

I know that a LUKS partition has a plain-text header that stores many informations like master key (MK) digest, MK iterations of PBKDF2, information about the 8 key-slots etc. I also know that in the header there is the af-splitted and encrypted master key.

I'm asking if there is a way to recover that. I know I could simply use:

cryptsetup luksDump --dump-master-key /dev/whatever

However, this only give me the decrypted MK.

---

Only information I have are from header:

key-material-offset: 8 (start sector of key material)

number of stripes: 4000

My goal would be to manually decrypt the master key with the derived key from pbkdf2, do af-merge and then decrypt the whole data bulk with this candidate key.

Answer 1

It looks like this is what you want. It creates a copy of the header, without making any assumptions about the header size.

# cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file /tmp/luks-header

But I'm not sure if I 100% understand your question. Are you asking how to extract the LUKS header including the master key, or just the encrypted master key and nothing else?

Answer 2

Assuming that you can mount the LUKS volume, do this when it is mounted:

 $ dmsetup table --showkey myvolume
 0 200704 crypt aes-xts-plain64 0ef81...9aef7 0 8:18 4096

The long string is the master key.

But this is the same as

$ cryptsetup luksDump --dump-master-key /dev/myrawvolume
MK dump: 0e f8 1. .. .. ..
         .. .. .. .9 ae f7

So I am not sure what your're asking...

I wrote a program ages ago which dumps out a LUKS key, it's written in Ruby and might be handy if you're trying to understand how to perform the necessary steps to extract the key.

Answer 3

This would dump the entire LUKS header, which includes the encrypted key:

dd if=/dev/whatever bs=2M count=1 of=luks-header.img