[dm-crypt] Size of LUKS header and how to overwrite

Sven Eschenberg sven at whgl.uni-frankfurt.de
Wed Feb 10 21:07:59 CET 2016


Yes, it will overwrite the header and potential free space after the 
header up to the first sector of encrypted data.

Does this seem so weird?

Regards

-Sven


On 10.02.2016 at 21:02, Michael Kjörling wrote:
> On 10 Feb 2016 20:21 +0100, from arno at wagner.name (Arno Wagner):
>> On Wed, Feb 10, 2016 at 20:13:15 CET, Subscriptions wrote:
>>> dd if=/dev/urandom of=/dev/sda1 bs=512 count=8
>>
>> That will have killed the header, not the key-slots. As the
>> header contains an unguessable salt, this is already pretty
>> secure.
>>
>> To also kill the keyslots, run something like
>>
>>     dd if=/dev/urandom of=/dev/sda1 bs=512 count=4096
>>
>> if you have "Payload offset:       4096". Or run
>
> Out of curiosity; are you saying that for a given, known, _specific_
> LUKS container, the first "payload offset" × 512 bytes is what we need
> to overwrite if we want to securely erase the entire LUKS header on
> that container without collateral damage? (Leaving the encrypted data
> untouched.)
>
> Let's ignore here the issue of "overwriting" _anything at all_ on SSDs
> and SSHDs.
>


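As an added example (not part of the thread and not cryptsetup code): shell functions that read the payload offset directly from a LUKS1 header and print, without running it, the dd command whose count covers the header and key-slot area. The field offsets (taken from the LUKS1 on-disk format), the function names and the constructed sample image are assumptions of this example.

```shell
# Offsets per the LUKS1 on-disk format (assumed by this example): magic at 0,
# version at 6 (uint16 BE), payload-offset at 104 (uint32 BE, in sectors).

# be_uint FILE OFFSET LEN: print the big-endian unsigned integer stored there
be_uint() {
    val=0
    for b in $(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tu1); do
        val=$((val * 256 + b))
    done
    echo "$val"
}

# luks1_header_sectors FILE: print the number of 512-byte sectors in front of
# the encrypted payload (header, key-slot area and any padding)
luks1_header_sectors() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then
        echo "$1: no LUKS magic" >&2; return 1
    fi
    version=$(be_uint "$1" 6 2)
    if [ "$version" -ne 1 ]; then
        echo "$1: LUKS version $version, this layout is LUKS1 only" >&2; return 2
    fi
    sectors=$(be_uint "$1" 104 4)
    if [ "$sectors" -eq 0 ]; then
        echo "$1: payload offset 0 (detached header?), cannot size header" >&2; return 3
    fi
    echo "$sectors"
}

# wipe_command FILE: print, but do not run, the dd call covering that area
wipe_command() {
    n=$(luks1_header_sectors "$1") || return $?
    echo "dd if=/dev/urandom of=$1 bs=512 count=$n"
}

# make_sample FILE VERSION OFFSET: constructed header image (printf escapes)
make_sample() {
    {
        printf 'LUKS\272\276'; printf "$2"
        dd if=/dev/zero bs=96 count=1 2>/dev/null
        printf "$3"
    } > "$1"
}

img=$(mktemp)
make_sample "$img" '\000\001' '\000\000\020\000'   # LUKS1, payload offset 4096
wipe_command "$img"
rm -f "$img"
```
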