From: Arno Wagner
Date: Thu, 10 Apr 2014 17:15:16 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Filling a disk with random data - question

Just added this to the Wiki-Version of the FAQ as Item 2.19,
if anybody wants to have a look and comment.

Arno

On Tue, Mar 18, 2014 at 03:33:51 CET, Arno Wagner wrote:
> On Mon, Mar 17, 2014 at 19:55:05 CET, Cpp wrote:
> > Hello,
> >
> > I noticed a lot of online articles recommend to overwrite your hard
> > disk with random data before creating an encryption volume on it.
> > Normally this is done by:
> >
> > # dd if=/dev/urandom of=/dev/sda bs=4096
>
> This is slooooooooooow.... ;-)
>
> > This will of course take a while, and there is also the badblocks
> > alternative. However recently I've seen another approach that uses an
> > encrypted (non-luks) container that is later filled with blank data.
> > It's said that this approach is much faster than the urandom method
> > above.
>
> I came up with that when I had to securely wipe 50 disks
> a few years ago. Other people may have had a similar idea.
>
> > I haven't used this yet, so I hope I got the command line
> > right:
> >
> > # cryptsetup -c aes-xts-plain64 -h sha512 -s 512 -d /dev/urandom open
> > /dev/sda --type plain cryptroot
>
> Make it easier on you, the defaults are really quite enough:
>
> # cryptsetup create -d /dev/urandom cryptroot /dev/sda
>
> > # dd if=/dev/zero of=/dev/mapper/cryptroot bs=4096
>
> And you can get a progress meter like this:
>
> # dd_rescue -w /dev/zero /dev/mapper/cryptroot
>
> or like this
>
> # cat /dev/zero | wcs > /dev/mapper/cryptroot
>
> (uses my stream-meter "wcs" from: http://www.tansi.org/tools/index.html)
>
> > My question is are there any serious drawbacks of using this method in
> > place of the urandom one?
>
> None.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. - Plato

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
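
The procedure discussed in this thread, wrapped in pre-flight checks, as an added example that is not part of the original messages or of cryptsetup. The mapping name `cryptroot` is taken from the thread; the function names and the `DRY_RUN` variable are assumptions made for this sketch, and the mount check covers only mount sources (not swap, LVM or md members).

```shell
#!/bin/sh
# Added example: wipe a disk by writing zeros through a throwaway plain
# dm-crypt mapping. Function names and DRY_RUN are hypothetical.

# run CMD...: execute CMD, or only print it when DRY_RUN is set, so the
# exact commands can be reviewed before anything is overwritten.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# is_mounted DEV [MOUNTS_FILE]: true if DEV, or any source whose name starts
# with DEV (e.g. its partitions), is mounted. Deliberately errs towards refusing.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# do_wipe DEV NAME: the three steps from the thread.
do_wipe() {
    # 1. Plain (non-LUKS) mapping keyed from /dev/urandom; the key is never stored.
    run cryptsetup open --type plain -d /dev/urandom "$1" "$2" || return 5
    # 2. Zeros written through the mapping reach the disk as ciphertext.
    #    dd ends with "No space left on device" at the end of the disk; expected.
    run dd if=/dev/zero of="/dev/mapper/$2" bs=1M || true
    # 3. Removing the mapping discards the key.
    run cryptsetup close "$2"
}

# wipe_random DEV [NAME]: refuse obviously wrong targets, then wipe.
wipe_random() {
    dev=$1 name=${2:-cryptroot}
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 2; }
    if is_mounted "$dev"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2; return 3
    fi
    [ ! -e "/dev/mapper/$name" ] || { echo "mapping $name already exists" >&2; return 4; }
    do_wipe "$dev" "$name"
}
```

Running with `DRY_RUN=1` set prints the three commands instead of executing them; the real run needs root.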