* [dm-crypt] Does luksRemoveKey securely erase old keys?
@ 2018-04-29 1:26 tripleedgedsword
2018-04-29 10:46 ` Milan Broz
2018-04-29 14:32 ` Arno Wagner
0 siblings, 2 replies; 3+ messages in thread
From: tripleedgedsword @ 2018-04-29 1:26 UTC (permalink / raw)
To: dm-crypt
[-- Attachment #1: Type: text/plain, Size: 351 bytes --]
I've been looking at the command luksRemoveKey recently. I was wondering if a "cryptsetup luksRemoveKey" command securely deletes the part of the storage device on which the key was stored.
If not, where do the key slots store their keys, and how would we wipe the unallocated space on the drive to make sure all traces of old keys are truly removed?
[-- Attachment #2: Type: text/html, Size: 394 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dm-crypt] Does luksRemoveKey securely erase old keys?
2018-04-29 1:26 [dm-crypt] Does luksRemoveKey securely erase old keys? tripleedgedsword
@ 2018-04-29 10:46 ` Milan Broz
2018-04-29 14:32 ` Arno Wagner
1 sibling, 0 replies; 3+ messages in thread
From: Milan Broz @ 2018-04-29 10:46 UTC (permalink / raw)
To: tripleedgedsword, dm-crypt
On 04/29/2018 03:26 AM, tripleedgedsword wrote:
> I've been looking at the command luksRemoveKey recently. I was
> wondering if a "cryptsetup luksRemoveKey" command securely deletes
> the part of the storage device on which the key was stored.
All commands that removes keys/keyslots internally calls
crypt_keyslot_destroy() function that wipes removed keyslot area on disk.
For rotational drives it overwrites the area several times, for non-rotational
drives (SSDs) it wipes the area with zeroes once.
(What exactly particular firmware does depends on drive though.)
One day we will probably call "secure discard" command for that area, but for now
this command is not widely supported and moreover, it is often buggy...
Anyway, TL;DR: yes, luksRemoveKey wipes the storage device area with the keyslot.
Milan
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dm-crypt] Does luksRemoveKey securely erase old keys?
2018-04-29 1:26 [dm-crypt] Does luksRemoveKey securely erase old keys? tripleedgedsword
2018-04-29 10:46 ` Milan Broz
@ 2018-04-29 14:32 ` Arno Wagner
1 sibling, 0 replies; 3+ messages in thread
From: Arno Wagner @ 2018-04-29 14:32 UTC (permalink / raw)
To: dm-crypt
Due to the anti-forensic properties of the key-stripes, any
normal delete is already better than a "secure" one. So, no,
it does not.
I recomment reading the on-disk specification instead and
realizing what you want to do is entirely unneccessary.
Also refer to FAQ Item 5.4 if you are trying to do this on SSD.
Regards,
Arno
On Sun, Apr 29, 2018 at 03:26:46 CEST, tripleedgedsword wrote:
> I've been looking at the command luksRemoveKey recently. I was
> wondering if a "cryptsetup luksRemoveKey" command securely deletes the
> part of the storage device on which the key was stored.
>
> If not, where do the key slots store their keys, and how would we wipe
> the unallocated space on the drive to make sure all traces of old keys
> are truly removed?
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-04-29 14:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-29 1:26 [dm-crypt] Does luksRemoveKey securely erase old keys? tripleedgedsword
2018-04-29 10:46 ` Milan Broz
2018-04-29 14:32 ` Arno Wagner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.