From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 75bQX43qnEmL for <dm-crypt@saout.de>;
 Sun, 10 Mar 2013 15:49:44 +0100 (CET)
Received: from mail-bk0-x231.google.com (mail-bk0-x231.google.com
 [IPv6:2a00:1450:4008:c01::231])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.saout.de (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Sun, 10 Mar 2013 15:49:44 +0100 (CET)
Received: by mail-bk0-f49.google.com with SMTP id w11so1350664bku.36
 for <dm-crypt@saout.de>; Sun, 10 Mar 2013 07:49:43 -0700 (PDT)
Message-ID: <513C9D57.6070903@gmail.com>
Date: Sun, 10 Mar 2013 15:48:55 +0100
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <40727.130.226.154.66.1362921572.squirrel@lavabit.com>
In-Reply-To: <40727.130.226.154.66.1362921572.squirrel@lavabit.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Securely erase LUKS header
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: hephey@lavabit.com
Cc: dm-crypt@saout.de

On 10.3.2013 14:19, hephey@lavabit.com wrote:
> I'm having trouble calculating the amount of data I need to erase in the
> header.
>
> The af-stripes appears to be hardcoded to 4000, according to the
> specification [1].
>
> First I made an encrypted loop-device, using default options:
>
>    cryptsetup luksFormat /dev/loop0
>
> I then made a header backup, using
>
>    cryptsetup luksHeaderBackup --header-backup-file /tmp/header.img /dev/loop0
>
> The size of this backup (/tmp/header.img) is exactly 1.052.672 bytes,
> which fits with the number given in the FAQ (see 5.4) [2]. I'm asumming
> that cryptsetup's calculation is correct.

luksHeaderBackup in older versions saved header including alignment area
(not used area between keyslots and data offset start).
I later changed that to save only real used data, so the backup is smaller.
(Check the latest version, I think you get slightly smaller backup file.)

FYI - the layout is basically (* == alignment area, unused)

|LUKShdr|*|slot1|*|slot2|*| ... |slot8|*|CIPHERTEXT DATA
                                         ^ data payload offset (luksDump)
           ^1      ^2 ...  slots offsets (see luksDump)

Keyslot oofsets are always aligned to multiple of 4096 bytes, data area
alignment depends paramaters, ususally it is aligned to multiple of 1MiB.

So numbers are correct. (From above, the simplest method to erase
it is to use data offset and wipe everyting before that).

> However, if I set the amount of stripes to 4096 in the formula, I get the

Stripe count is always hardcoded to 4000 for LUKS1 format.

You just see bigger backup file because of data alignment mentioned above.

Milan