FAQ does not work for recovery of master key of LUKS2-formatted container
There is a FAQ 6.10 "How do I recover the master key from a mapped LUKS container?". It amounts to
dmsetup table --target crypt --showkey /dev/mapper/c5
The FAQ shows a long hexadecimal string in the output of that command, which is actually supposed to be the master key.
It indeed works for old containers (LUKS1), but on new ones, it says:
root: 0 712998912 crypt aes-xts-plain64 :64:logon:cryptsetup:<some-uuid> 0 8:2 32768
i.e. contains a reference to a kernel keyring instead of the key. As the documentation says, it
can't be read from userspace afterward
This limitation (i.e. the fact that master key recovery does not and cannot work on LUKS containers using the kernel keyring) should be documented in the first few lines of the FAQ.