[dm-crypt] nuke password to delete luks header
gmazyland at gmail.com
Mon Jan 27 21:30:08 CET 2014
On 01/27/2014 10:04 AM, Jonas Meurer wrote:
>> For 2, (aka self destroy passphrase) - I tried to read the discussion
>> and I am really not convinced yet we want it.
> Do you intend to protect the erase feature by asking for a password? In
> case it will be hard to build a nuke wrapper around 'cryptsetup erase'.
> Especially if the nuke password should not reveal access to encrypted
> and merely allow to erase LUKS header.
No, only usual YES/no question should (will) be there
(which can be switched off with batch -q option as in other commands).
The luksKillSlot is doing exactly the same, just for one keyslot.
Actually, it is just simple code as
for all active keyslots:
>> BTW original patch is INCOMPLETE and DANGEROUS.
>> (For example, did anyone think about cryptsetup-reencrypt? Guess what
>> happen if user try to *reencrypt* device with this destroy passphrase?
>> Try it... or better not ;-) And there are more missing code which just
>> do not convince me that it was properly thought-out work.
> Isn't that a good argument for implementing it properly upstream? ;)
I think this argument was mentioned by me :) But I think we have found better
way how to implement it without this feature.
Avoiding upstream to become bloatware is also important ;-)
> While I see your argument, reencryption takes a lot more time than using
> nuke feature. Both features serve completely different purposes.
Sure, it was just a complain about features importance...
(And btw there is in git already function to change only header (hash)
without reencrypting the whole device. This will be a workaround
to solve bad gcrypt whirlpool case. Once gcrypt 1.6.1 is out...)
> And if you merely want to destroy access to the data, overwriting it is
> better than reencrypting, isn't it?
Yes, and removing key with "erase" command should do the same quickly as well.
More information about the dm-crypt