[dm-crypt] Securely erase LUKS header

Arno Wagner arno at wagner.name
Sun Mar 10 20:23:12 CET 2013


On Sun, Mar 10, 2013 at 09:19:32AM -0400, hephey at lavabit.com wrote:
> I'm having trouble calculating the amount of data I need to erase in the
> header.
> 
> The af-stripes appears to be hardcoded to 4000, according to the
> specification [1].
> 
> First I made an encrypted loop-device, using default options:
> 
>   cryptsetup luksFormat /dev/loop0
> 
> I then made a header backup, using
> 
>   cryptsetup luksHeaderBackup --header-backup-file /tmp/header.img /dev/loop0
> 
> The size of this backup (/tmp/header.img) is exactly 1.052.672 bytes,
> which fits with the number given in the FAQ (see 5.4) [2]. I'm assuming
> that cryptsetup's calculation is correct.
> 
> In the FAQ it's also stated that to wipe the header, I need to use the
> formula:
> 
>   header size = (keyslots x stripes x keysize) + offset bytes

In 5.4, I state just to wipe the first 10MB to be safe. 
Do I have the formula above anywhere as explicitly
recommended for wipes? If so, please tell me where, so I
can fix it.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
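
Added example, not part of the original message or of cryptsetup: a shell calculation showing how a backup of exactly 1,052,672 bytes arises when each keyslot's 4000-stripe key material is rounded up to a 4096-byte boundary after a 4096-byte header region. The 8 keyslots, 32-byte key, 4096-byte alignment and offset, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: size of the LUKS header area under an assumed layout.
# Assumed layout: a 4096-byte header region, followed by one block of
# anti-forensic key material per keyslot, each rounded up to 4096 bytes.

ALIGN=4096   # assumed alignment (and header region size) in bytes

# round_up VALUE MULTIPLE: smallest multiple of MULTIPLE that is >= VALUE
round_up() {
    echo $(( ( ($1 + $2 - 1) / $2 ) * $2 ))
}

# naive_size KEYSLOTS STRIPES KEYBYTES OFFSET: the formula as quoted in the thread
naive_size() {
    echo $(( $1 * $2 * $3 + $4 ))
}

# aligned_size KEYSLOTS STRIPES KEYBYTES: same idea, with per-slot alignment
aligned_size() {
    slot=$(round_up $(( $2 * $3 )) "$ALIGN")
    echo $(( ALIGN + $1 * slot ))
}

# wipe_covers WIPE_BYTES HEADER_BYTES: succeeds if the wipe spans the header
wipe_covers() {
    [ "$1" -ge "$2" ]
}

# 4000 stripes is from the thread; 8 keyslots and a 32-byte key are assumed.
echo "naive formula:   $(naive_size 8 4000 32 "$ALIGN") bytes"
echo "aligned layout:  $(aligned_size 8 4000 32) bytes"

# A 10 MB wipe (10 * 1000 * 1000 bytes) against the aligned size.
if wipe_covers 10000000 "$(aligned_size 8 4000 32)"; then
    echo "a 10 MB wipe covers the header area"
fi
```

Under these assumptions the unaligned formula comes out smaller than the backup file, so a wipe sized from it would stop short of the end of the last keyslot.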

