cryptsetup-luksDump - Linux


cryptsetup-luksDump is a powerful Linux command used to dump the LUKS (Linux Unified Key Setup) metadata and key material from an encrypted device. It extracts the LUKS header, including encryption parameters, passphrase hashes, and key slots, providing valuable information for forensic analysis and recovery operations.


cryptsetup-luksDump [options] <device>


  • -h, –help: Display usage information
  • -v, –verbose: Enable verbose output
  • -f, –force: Force the dump even if the device is locked
  • -o, –output=: Dump metadata to a file instead of stdout
  • –header-only: Dump only the LUKS header
  • –keyslot-num=: Specify the keyslot to dump (default: all)
  • –pw-plain: Print passphrase in plaintext (sensitive)


Extract LUKS metadata from an encrypted device:

cryptsetup-luksDump /dev/sda3

Dump passphrase hash for a specific keyslot:

cryptsetup-luksDump --keyslot-num 2 /dev/sda3

Save LUKS header to a file:

cryptsetup-luksDump -o header.bin /dev/sda3

Common Issues

  • "Device is locked" error: Ensure the device is unlocked using cryptsetup open before dumping.
  • "Invalid or unsupported LUKS device" error: Check if the device is formatted with the LUKS partition scheme and is supported by cryptsetup.
  • Missing or corrupted passphrase: If the passphrase is incorrect or the keyslot is damaged, dumping may fail. Try using the --pw-plain option to verify the passphrase.


cryptsetup-luksDump can be combined with other tools for advanced analysis:

  • grep: Filter metadata for specific values or patterns (e.g., cryptsetup-luksDump /dev/sda3 | grep cipher)
  • xxd: Display raw binary data of the LUKS header (e.g., cryptsetup-luksDump /dev/sda3 | xxd)
  • luks-header-parser: Parse and decode the extracted LUKS header (e.g., luks-header-parser header.bin)

Related Commands

  • cryptsetup: Main utility for managing encrypted devices
  • cryptsetup-luksOpen: Open an encrypted LUKS device
  • cryptsetup-luksFormat: Format a device with LUKS encryption