[dm-crypt] nuke password to delete luks header

Arno Wagner arno at wagner.name
Thu Jan 16 22:55:05 CET 2014

On Thu, Jan 16, 2014 at 22:36:19 CET, Matthias Schniedermeyer wrote:
> On 16.01.2014 15:11, Iggy wrote:
> > 
> > 
> > PS:  An interesting, but only marginally helpful, byproduct of such a
> > feature is that on the off-chance that an adversary were attempting to
> > brute-force the password on their only copy of a volume (this is the
> > unlikely bit), and the nuke password had less entropy than the
> > decryption passphrase, then there is a chance the adversary themselves
> > would remove access to the data, without intervention from the target of
> > the attack, by accidentally brute-forcing the nuke password.
> You wouldn't brute force using the actual system, much too slow.

The other thing is that the first thing drilled into any IT
forensics worker is to never work on the originals. So only
a terminally incompetent attacker would do this.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

More information about the dm-crypt mailing list