[dm-crypt] luks header

[dm-crypt] luks header

[yakamo]

can you recommend an effective way to remove the luks header?
i have tried cryptsetup luksFormat /dev/xxx --header ~/headerfile align-payload=0 but this still writes a header to the encrypted drive, is meant to happen?

Thank for taking time to read this

-- 
yakamo <yakamo@drahony.com>
http://drahony.com

Re: [dm-crypt] luks header

[Matthias Schniedermeyer]

On 06.01.2015 19:23, yakamo wrote:
> can you recommend an effective way to remove the luks header?
> i have tried cryptsetup luksFormat /dev/xxx --header ~/headerfile align-payload=0 but this still writes a header to the encrypted drive, is meant to happen?

From the man-page of a new enough version of cryptsetup:
- snip -
       erase <device>
       luksErase <device>

              Erase all keyslots and make the LUKS container permanently inaccessible.  You do not need to provide any password for this operation.

              WARNING: This operation is irreversible.
- snip -
Altough the warning is only 99% true, restoring a Header-Backup makes 
the device accessible again, but you would need to have made a Backup 
beforehand.

or just
dd if=/dev/zero of=/dev/<device> bs=1M count=100
Which erases the first 100MB of said device, the LUKS-Header is only a 
fraction of that, so this command also damages the data/filesystem 
inside the container!

For total erasure of the device/patition kjust leave out "count=100" and



-- 

Matthias