[dm-crypt] SSDs & flash... and secure keyslot erase

Arno Wagner arno at wagner.name
Fri Aug 24 17:54:05 CEST 2012

On Fri, Aug 24, 2012 at 05:23:05PM +0200, Thomas B?chler wrote:
> Am 24.08.2012 17:06, schrieb Milan Broz:
> > But there is no perfect solution.
> Interesting write-up. If you are really paranoid, it seems you must back
> up all data, perform ATA security erase and put the data back on the
> disk (and then perform ATA security erase on the backup).

That may not be enough, see Section 3.2 of 


Unfortunately, no manufacturer names given.

My current take is that the only reliable thing is to have LUKS
key-slots individually larger than the spare area and then overwrite
all free space with random data after a key-slot change. That way
the SSD would be unable to hold an old key-slot. For a 240G
SSD that may mean key-slots > 16GB each. Also, you cannot be
sure how much Flash capacity an SSD actually has without 
opening it. 

Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

More information about the dm-crypt mailing list