[dm-crypt] Size of LUKS header and how to overwrite

Rypervenche sub at ryper.org
Mon Feb 8 23:02:27 CET 2016

Hi all,

I have LUKS on a GPT-partitioned SSD and I have recently been looking
at moving my LUKS header off of the disk and onto a USB drive. I have
my initramfs set up to do so, however I am not sure how much space to
overwrite on my SSD to remove the header from it and replace it with
random data.

So, I am not sure how many bytes to remove from the beginning of my
partition or what to set my --align-payload to. Any help? Below is some
information that may be useful:

# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha512
Payload offset:	4096
MK bits:       	512

I have heard that the LUKS header should be 2MiB, but I have a few
headers from previous LUKS-encrypted drives, and I see that some are
2020 bytes and others are 2048, I can't see what the differences are
between them (as you can see one aes, xts-plain64, sha512 is 2020 and
another is 2048).

# for i in *; do echo $(du -s $i | awk '{print $1}'): $(file $i | grep -oP '(?<=\[).*(?=\])'); done | sort -n
1028: aes, cbc-essiv:sha256, sha1
2020: aes, xts-plain64, sha1
2020: aes, xts-plain64, sha1
2020: aes, xts-plain64, sha512 (my current SSD that I want to do this to)
2048: aes, cbc-essiv:sha256, sha1
2048: aes, cbc-essiv:sha256, sha1
2048: aes, xts-plain64, sha512
2048: aes, xts-plain:sha256, sha1

And lastly, my partition setup:

# gdisk -l /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 2ACE732B-C8D6-4E03-8E46-1D6A5B4D8CB0
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048       500118158   238.5 GiB   8300  Linux filesystem

I would appreciate it it someone could let me know how I can find out
exactly how many bytes I should be removing and what I should be
setting my --align-payload to.

Thank you,


More information about the dm-crypt mailing list