[dm-crypt] nuke password to delete luks header

Arno Wagner arno at wagner.name
Tue Jan 14 08:11:59 CET 2014

On Tue, Jan 14, 2014 at 06:00:23 CET, .. ink .. wrote:
> > > with cryptsetup,the way to do it would be:
> > > 1. start with a block device like a usb stick
> > > 2. blank it out with random data.
> > > 3. put a regular file system like vfat at the beginning of the device.
> > > 4. put an encrypted plain volume somewhere at the back of the device.
> >
> > And any reasonable disk forensics tool will find that automatically
> > and fast. My keyslot-checker could be adapted to find something like
> > that in maybe one hour.
> >
> >
> are you saying that,if i create a 100MB file with data from "/dev/urandom"
> and then put a vfat file system on it,and then i open a plain mapper at
> 50MB offset and create a second file system on the file through the
> mapper,then your keyslot-checker or any other forensic tool will be able to
> detect the presence of this plain volume?

No, if you crypto-blank it, it will not. But you need to protect
the additional container against overwriting in some way. One
way is to not write the outer container at all. This is obvious,
as it is going to be either old and not written for a long time
or brand-new, i.e. container has been creatded for the border-
crossing. The way TC does it by preventing writes to that
area is likely to leacve traces of the failed writes.

> If true,then i would appreciate any link to any discussion of it because i
> am unaware of it.

See above.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list