[dm-crypt] Size of LUKS header and how to overwrite

Michael Kjörling michael at kjorling.se
Wed Feb 10 21:02:56 CET 2016


On 10 Feb 2016 20:21 +0100, from arno at wagner.name (Arno Wagner):
> On Wed, Feb 10, 2016 at 20:13:15 CET, Subscriptions wrote:
>> dd if=/dev/urandom of=/dev/sda1 bs=512 count=8
> 
> That will have killed the header, not the key-slots. As the
> header contains an unguessable salt, this is already pretty 
> secure.
> 
> To also kill the keyslots, run something like
> 
>    dd if=/dev/urandom of=/dev/sda1 bs=512 count=4096 
> 
> if you have "Payload offset:       4096". Or run 

Out of curiosity; are you saying that for a given, known, _specific_
LUKS container, the first "payload offset" × 512 bytes is what we need
to overwrite if we want to securely erase the entire LUKS header on
that container without collateral damage? (Leaving the encrypted data
untouched.)

Let's ignore here the issue of "overwriting" _anything at all_ on SSDs
and SSHDs.

-- 
Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


More information about the dm-crypt mailing list