I am a developer. I am running Debian and I have LUKS storage for my projects. It is encrypted with a 512-bit AES key. I use a password to decrypt this storage. However, the password is strong and I change it every N months. What I want to do is create another key (LUKS allows it) for my storage and store it somewhere in my box of USB drives (about a hundred of them, don't ask me why) as a backup plan in case I forget the password or need to let someone open the storage without telling them the actual password.
My first and easiest solution was something like this: the first partition is vfat using 99% of the space, and the last partition, 1% of the size, holds only the key file. I'd even be able to write a script, something like "Plug in recovery key", which would look for the FS ID. This wouldn't be suspicious to Windows users, but I thought I could do it better. So now the question is: how can I do it better (security-wise)? My best thought was to write the 512-bit key between partitions or just after one big partition, without creating another partition for the key, but the problem is that I'm not sure whether this data could be overwritten or not (it is not in use by any FS, so could it be used for something else?). And I don't really know how to access it later (I guess 'dd' can read from an exact block for an exact length). Thank you for any answer.
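The raw-offset idea from the post (a 64-byte key written outside any partition and read back with `dd`), as an added example that is not part of the original post. An image file stands in for the USB stick; the sector index 4000 and all function names are assumptions. It goes one step beyond the post by checking a SHA-256 fingerprint, so an overwritten key region is detected before the key is used.

```shell
#!/usr/bin/env bash
# Added example. An image file stands in for the USB stick; KEY_SECTOR is an
# assumed spot in unpartitioned space past the end of the last partition.
KEY_SIZE=64        # 512-bit key = 64 bytes
KEY_SECTOR=4000    # hypothetical 512-byte sector index

# dd addresses in units of bs, so express the byte offset in key-sized blocks.
blocks() { echo $(( $1 * 512 / KEY_SIZE )); }

# True only if the target region is all zero bytes (nothing gets clobbered).
region_is_blank() {  # DEVICE SECTOR
    local n
    n=$(dd if="$1" bs="$KEY_SIZE" skip="$(blocks "$2")" count=1 2>/dev/null |
        tr -d '\0' | wc -c)
    [ "$n" -eq 0 ]
}

write_key() {  # DEVICE SECTOR KEYFILE
    region_is_blank "$1" "$2" || return 1
    # conv=notrunc keeps an image file from being truncated at the write point.
    dd if="$3" of="$1" bs="$KEY_SIZE" seek="$(blocks "$2")" count=1 conv=notrunc 2>/dev/null
}

read_key() {  # DEVICE SECTOR OUTFILE
    dd if="$1" of="$3" bs="$KEY_SIZE" skip="$(blocks "$2")" count=1 2>/dev/null
}

fingerprint() { sha256sum < "$1" | cut -d' ' -f1; }

# Read the key back and reject it if it no longer matches the recorded hash.
recover_key() {  # DEVICE SECTOR OUTFILE EXPECTED_SHA256
    read_key "$1" "$2" "$3" && [ "$(fingerprint "$3")" = "$4" ]
}

demo() {
    local dir fp rc
    dir=$(mktemp -d) || return 1
    dd if=/dev/zero of="$dir/stick.img" bs=512 count=4096 2>/dev/null
    head -c "$KEY_SIZE" /dev/urandom > "$dir/key.bin"   # constructed sample key
    fp=$(fingerprint "$dir/key.bin")
    write_key "$dir/stick.img" "$KEY_SECTOR" "$dir/key.bin" || return 1
    recover_key "$dir/stick.img" "$KEY_SECTOR" "$dir/out.bin" "$fp" || return 1
    # Simulate the hidden region being wiped: recovery must now fail.
    dd if=/dev/zero of="$dir/stick.img" bs="$KEY_SIZE" seek="$(blocks "$KEY_SECTOR")" count=1 conv=notrunc 2>/dev/null
    ! recover_key "$dir/stick.img" "$KEY_SECTOR" "$dir/out.bin" "$fp"; rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo && echo "round trip ok, overwrite detected"
```

On a real stick the device node replaces the image path. cryptsetup can also read a key straight from a raw device when given `--key-file` together with `--keyfile-offset` and `--keyfile-size`.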