[dm-crypt] Securely erase LUKS header

Milan Broz gmazyland at gmail.com
Sun Mar 10 15:48:55 CET 2013


On 10.3.2013 14:19, hephey at lavabit.com wrote:
> I'm having trouble calculating the amount of data I need to erase in the
> header.
>
> The af-stripes appears to be hardcoded to 4000, according to the
> specification [1].
>
> First I made an encrypted loop-device, using default options:
>
>    cryptsetup luksFormat /dev/loop0
>
> I then made a header backup, using
>
>    cryptsetup luksHeaderBackup --header-backup-file /tmp/header.img /dev/loop0
>
> The size of this backup (/tmp/header.img) is exactly 1.052.672 bytes,
> which fits with the number given in the FAQ (see 5.4) [2]. I'm asumming
> that cryptsetup's calculation is correct.

luksHeaderBackup in older versions saved header including alignment area
(not used area between keyslots and data offset start).
I later changed that to save only real used data, so the backup is smaller.
(Check the latest version, I think you get slightly smaller backup file.)

FYI - the layout is basically (* == alignment area, unused)

|LUKShdr|*|slot1|*|slot2|*| ... |slot8|*|CIPHERTEXT DATA
                                         ^ data payload offset (luksDump)
           ^1      ^2 ...  slots offsets (see luksDump)

Keyslot oofsets are always aligned to multiple of 4096 bytes, data area
alignment depends paramaters, ususally it is aligned to multiple of 1MiB.

So numbers are correct. (From above, the simplest method to erase
it is to use data offset and wipe everyting before that).

> However, if I set the amount of stripes to 4096 in the formula, I get the

Stripe count is always hardcoded to 4000 for LUKS1 format.

You just see bigger backup file because of data alignment mentioned above.

Milan


More information about the dm-crypt mailing list