[dm-crypt] Size of LUKS header and how to overwrite

Sven Eschenberg sven at whgl.uni-frankfurt.de
Wed Feb 10 21:07:59 CET 2016

Yes, it will overwrite the header and potential free space after the 
header up to the first sector of encrypted data.

Does this seem so weird?



On 10.02.2016 at 21:02, Michael Kjörling wrote:
> On 10 Feb 2016 20:21 +0100, from arno at wagner.name (Arno Wagner):
>> On Wed, Feb 10, 2016 at 20:13:15 CET, Subscriptions wrote:
>>> dd if=/dev/urandom of=/dev/sda1 bs=512 count=8
>> That will have killed the header, not the key-slots. As the
>> header contains an unguessable salt, this is already pretty
>> secure.
>> To also kill the keyslots, run something like
>>     dd if=/dev/urandom of=/dev/sda1 bs=512 count=4096
>> if you have "Payload offset:       4096". Or run
> Out of curiosity; are you saying that for a given, known, _specific_
> LUKS container, the first "payload offset" × 512 bytes is what we need
> to overwrite if we want to securely erase the entire LUKS header on
> that container without collateral damage? (Leaving the encrypted data
> untouched.)
> Let's ignore here the issue of "overwriting" _anything at all_ on SSDs
> and SSHDs.
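
Added example, not part of the original thread and not cryptsetup code: a read-only Python sketch that parses a LUKS1 on-disk header and reports the extent in front of the payload, i.e. the "payload offset" × 512 bytes discussed above. It assumes the LUKS1 layout (LUKS2 is different); the function names and the sample header are constructed for illustration.

```python
import struct

SECTOR = 512                  # LUKS1 counts offsets in 512-byte sectors
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_LEN = 208 + 8 * 48       # fixed fields + 8 key-slot descriptors = 592 bytes
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def luks1_wipe_extent(phdr: bytes) -> dict:
    """Parse a LUKS1 header; report the region in front of the encrypted payload."""
    if len(phdr) < PHDR_LEN or phdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if struct.unpack_from(">H", phdr, 6)[0] != 1:
        raise ValueError("only the LUKS1 layout is handled here")
    payload_offset, key_bytes = struct.unpack_from(">II", phdr, 104)
    starts, ends, active = [], [], []
    for i in range(8):
        state, _iters, _salt, km_off, stripes = struct.unpack_from(
            ">II32sII", phdr, 208 + 48 * i)
        km_sectors = (key_bytes * stripes + SECTOR - 1) // SECTOR
        starts.append(km_off)
        ends.append(km_off + km_sectors)
        if state == SLOT_ACTIVE:
            active.append(i)
    if max(ends) > payload_offset:
        raise ValueError("key material would overlap the payload; refusing")
    return {
        "payload_offset_sectors": payload_offset,   # value for dd bs=512 count=...
        "wipe_bytes": payload_offset * SECTOR,
        "first_keyslot_sector": min(starts),        # sectors below this hold only the phdr
        "keyslot_area_end_sector": max(ends),
        "active_slots": active,
    }

def build_sample_header() -> bytes:
    """Constructed LUKS1 header for the demo (zeroed salts/digests, 256-bit key)."""
    fixed = struct.pack(">6sH32s32s32sII20s32sI40s", LUKS_MAGIC, 1, b"aes",
                        b"xts-plain64", b"sha256", 4096, 32, b"", b"", 1000, b"")
    slots = b"".join(
        struct.pack(">II32sII", SLOT_ACTIVE if i == 0 else SLOT_DISABLED,
                    1000, b"", 8 + 256 * i, 4000)
        for i in range(8))
    return fixed + slots

if __name__ == "__main__":
    print(luks1_wipe_extent(build_sample_header()))
```

On the constructed header the key material begins at sector 8 and ends before sector 4096, which matches the two dd counts quoted above: count=8 covers only the header fields, count=4096 covers the key-slot area as well. The code only parses bytes it is given and never writes to a device.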
