From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from awesome.dsw2k3.info (unknown [IPv6:2a01:198:661:1f::3]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Wed, 7 Jan 2015 12:31:42 +0100 (CET) Date: Wed, 7 Jan 2015 12:31:38 +0100 From: Matthias Schniedermeyer Message-ID: <20150107113138.GA7265@citd.de> References: <20150106192300.2f61d3770e06705a9a52afc1@drahony.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150106192300.2f61d3770e06705a9a52afc1@drahony.com> Subject: Re: [dm-crypt] luks header List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: yakamo Cc: dm-crypt@saout.de On 06.01.2015 19:23, yakamo wrote: > can you recommend an effective way to remove the luks header? > i have tried cryptsetup luksFormat /dev/xxx --header ~/headerfile align-payload=0 but this still writes a header to the encrypted drive, is meant to happen? >From the man-page of a new enough version of cryptsetup: - snip - erase luksErase Erase all keyslots and make the LUKS container permanently inaccessible. You do not need to provide any password for this operation. WARNING: This operation is irreversible. - snip - Altough the warning is only 99% true, restoring a Header-Backup makes the device accessible again, but you would need to have made a Backup beforehand. or just dd if=/dev/zero of=/dev/ bs=1M count=100 Which erases the first 100MB of said device, the LUKS-Header is only a fraction of that, so this command also damages the data/filesystem inside the container! For total erasure of the device/patition kjust leave out "count=100" and -- Matthias