Detached LUKS-header on Debian-based GNU/Linux

7 votes
2 answers
1704 views
There is scattered information on how to set up a detached header for a LUKS-encrypted disk on Stack Exchange. And by searching the web using Google, I found limited information. Some of the best information I found is linked to at the bottom of the question. Some of it was helpful, even to a newbie like me. But some seemed incomplete and I was therefore motivated to write this. Please see if you can help with the question below, to make it complete and working.

I assume the reader has used lsblk to find that the drive whose header should be detached is sdb, and that the header is to be stored on some other drive, sda.

----------

*Method 1: Making a header into a partition*

1) Find out the size of the header, and make a partition the correct size. The following command will give you a lot of information. Take note of the number next to offset under Data segments:
    $ cryptsetup luksDump /dev/sdb
    ...
    Data segments:
      0: crypt
            offset: 16777216 [bytes]
            length: (whole device)
            cipher: aes-xts-plain64
            sector: 512 [bytes]
    ...
Execute fdisk (install it if you do not have it) with $ fdisk /dev/sda. Give it the command n and press Enter. Make a primary partition with the default partition number; say it is *X*. Choose and take note of the value of the default first sector (say it is the number *M*). It will prompt you for the last sector; let's call it *K*. To find a suitable number *K* to enter (and assuming that the size of a sector is 512 bytes), calculate *K* = *M* + *offset*/512, where *offset* is the number you found above using the luksDump command of cryptsetup. It will make a partition that is exactly the size of the LUKS header. Finally, write the changes with w.

Now export the LUKS header to ~/some/file/path/header.img and write it to the partition that you made:
    $ cryptsetup luksHeaderBackup /dev/sdb --header-backup-file ~/some/file/path/header.img
    $ dd if=~/some/file/path/header.img of=/dev/sdaX count=offset/512 bs=512 status=progress
where *X* and *K* are the numbers that were chosen with fdisk above. Now the header is stored on sdaX, and for fun, if you open (and if necessary install) the gparted program, you will see that gparted thinks sdaX is a tiny LUKS-encrypted partition! You will see with lsblk -f that the UUID of /dev/sdaX is the same as that of /dev/sdb. So you have to generate a new UUID (search Google for a 'uuid generator'). Suppose the newly generated UUID is *newuuid*; then change it by
$ cryptsetup luksUUID --uuid newuuid /dev/sdaX
2) Now we have to enter this information into /etc/crypttab. Open the file with your text editor, and find the line that refers to sdb. In the fourth column add the option header=/dev/sdaX. **See the answer of frostschutz for how to do this much better by setting header=/dev/disk/by-uuid/UUID. Be sure to make this modification and upvote their answer.** Then run $ update-initramfs -u -k all. If there were no errors, then I think you are good.

----------

*Method 2: Letting the header be a file on a file system*

The documentation and other sources say that it should be possible to just copy the header to a file system on sda and refer to it from there. Say the file system of the partition sda1 has
UUID=###########-############-####-########
And relative to sda1, the header is in /some/path/header.img.  Then crypttab(5) says that in the fourth column of /etc/crypttab I should write
header=/some/path/header.img:UUID=###########-############-####-########
But if I do that, update-initramfs complains that the header isn't found. **QUESTION: CAN YOU PLEASE HAVE A LOOK AND QUOTE WHAT TO WRITE. MY INSTALL OF DEBIAN IS FRESH, AND I CAN'T GET IT TO WORK UNFORTUNATELY.**

----------

In closing: you can erase the information in the existing header with cryptsetup luksErase /dev/sdb. If you ever want to apply cryptsetup to access information about the encrypted partition, you will now have to pass it the --header /dev/sdaX option.

I have done my best to make sure everything is correct and detailed. But there could be a bug. Please feel free to edit. Of course, there is no warranty in case you lose your data or break something.

Sources/other reading:
- cryptsetup, detach header on existing volume (on Super User)
- Detached LUKS header (on USB) for an existing full-disk encryption device with Ubuntu
- How to use LUKS with a detached header (on LinuxConfig.org)
- crypttab(5) on Debian Manpages
- crypttab(5) on man7.org
Asked by Mikkel Rev (253 rep)
Oct 7, 2022, 08:56 PM
Last activity: Jun 14, 2024, 12:54 PM
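The "header into a partition" procedure above, collected into a shell script as an added example (this is not code from the question or from any of its answers; the function names are my own, and the `luksDump` text inside `sample_dump` is constructed from the shape the question shows, not captured from a real disk). The pure helpers parse the data-segment offset, convert it to sectors, compute the fdisk last-sector value and build the crypttab line; `detach_header` is the part that touches real devices and must be run as root on the actual `/dev/sdb` and `/dev/sdaX`. Two points the question leaves implicit: fdisk's "last sector" prompt is inclusive, so a header of N sectors starting at M ends at M + N - 1 (the question's M + N leaves one spare sector, which is harmless), and the header partition is checked with `blockdev --getsz` before anything is written to it. The new UUID is drawn from `/proc/sys/kernel/random/uuid` instead of a web generator, and the copy is verified with `cryptsetup open --test-passphrase` before you rely on it.

```shell
#!/bin/sh
# Added example for the "header into a partition" method. Not from the
# original post; helper names are mine. Only detach_header needs root.

# Constructed luksDump output in the layout the question shows (LUKS2:
# data segments are listed before keyslots). Used to exercise the parser.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Area offset:32768 [bytes]
EOF
}

# Print the data-segment offset in bytes from luksDump text on stdin.
# Anchoring on a line that starts with "offset:" avoids matching the
# keyslots' "Area offset:" lines that follow.
luks_data_offset() {
    awk '/^Data segments:/ { seg = 1; next }
         seg && /^[[:space:]]*offset:/ { print $2; exit }'
}

# Convert the header size in bytes to whole sectors (default 512 bytes).
header_sectors() {
    bytes=$1; ss=${2:-512}
    if [ $(( bytes % ss )) -ne 0 ]; then
        echo "$bytes is not a multiple of the $ss-byte sector size" >&2
        return 1
    fi
    echo $(( bytes / ss ))
}

# fdisk's "last sector" is inclusive: N sectors from M end at M + N - 1.
last_sector() {
    echo $(( $1 + $2 - 1 ))
}

# Build the /etc/crypttab entry. The header is referenced by its own LUKS
# UUID under /dev/disk/by-uuid, as frostschutz's answer recommends; the
# data device is passed through unchanged (use a /dev/disk/by-id path if
# the on-disk header is later erased, since UUID= needs a readable header).
crypttab_line() {
    name=$1; source=$2; header_uuid=$3
    printf '%s %s none luks,header=/dev/disk/by-uuid/%s\n' \
        "$name" "$source" "$header_uuid"
}

# detach_header DATA_DEV HEADER_PART BACKUP_FILE [NEW_UUID]
# Real-device steps: back up the header, copy it into the partition, give
# the copy its own UUID, and prove the copy unlocks DATA_DEV. Prints the
# header UUID to paste into crypttab_line. Requires root; not run by tests.
detach_header() {
    data_dev=$1; header_part=$2; backup=$3
    new_uuid=${4:-$(cat /proc/sys/kernel/random/uuid)}
    offset=$(cryptsetup luksDump "$data_dev" | luks_data_offset)
    [ -n "$offset" ] || { echo "no data segment offset in luksDump" >&2; return 1; }
    sectors=$(header_sectors "$offset") || return 1
    part_sectors=$(blockdev --getsz "$header_part")
    if [ "$part_sectors" -lt "$sectors" ]; then
        echo "$header_part holds $part_sectors sectors, header needs $sectors" >&2
        return 1
    fi
    cryptsetup luksHeaderBackup "$data_dev" --header-backup-file "$backup" || return 1
    dd if="$backup" of="$header_part" bs=512 count="$sectors" conv=fsync || return 1
    cryptsetup luksUUID --uuid "$new_uuid" "$header_part" || return 1
    # Verify the detached copy before trusting it (prompts for the passphrase).
    cryptsetup open --test-passphrase --header "$header_part" "$data_dev" || return 1
    echo "$new_uuid"
}
```

Usage on a real system, after creating the partition with fdisk: `. ./detach.sh`, then `uuid=$(detach_header /dev/sdb /dev/sdaX /root/header.img)` and `crypttab_line sdb_crypt /dev/sdb "$uuid" >> /etc/crypttab` (adjust the mapping name and source to your existing line), followed by `update-initramfs -u -k all` as in the question.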