[dm-crypt] SSDs & flash... and secure keyslot erase
arno at wagner.name
Fri Aug 24 17:54:05 CEST 2012
On Fri, Aug 24, 2012 at 05:23:05PM +0200, Thomas B?chler wrote:
> Am 24.08.2012 17:06, schrieb Milan Broz:
> > But there is no perfect solution.
> Interesting write-up. If you are really paranoid, it seems you must back
> up all data, perform ATA security erase and put the data back on the
> disk (and then perform ATA security erase on the backup).
That may not be enough, see Section 3.2 of
Unfortunately, no manufacturer names given.
My current take is that the only reliable thing is to have LUKS
key-slots individually larger than the spare area and then overwrite
all free space with random data after a key-slot change. That way
the SSD would be unable to hold an old key-slot. For a 240G
SSD that may mean key-slots > 16GB each. Also, you cannot be
sure how much Flash capacity an SSD actually has without
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
More information about the dm-crypt