int LUKS_wipe_header_areas(struct luks_phdr *hdr, struct crypt_device *ctx) { int i, r; uint64_t offset, length; size_t wipe_block; /* Wipe complete header, keyslots and padding areas with zeroes. */ offset = 0; length = (uint64_t)hdr->payloadOffset * SECTOR_SIZE; wipe_block = 1024 * 1024; /* On detached header or bogus header, wipe at least the first 4k */ if (length == 0 || length > (LUKS_MAX_KEYSLOT_SIZE * LUKS_NUMKEYS)) { length = 4096; wipe_block = 4096; } log_dbg(ctx, "Wiping LUKS areas (0x%06" PRIx64 " - 0x%06" PRIx64") with zeroes.", offset, length + offset); r = crypt_wipe_device(ctx, crypt_metadata_device(ctx), CRYPT_WIPE_ZERO, offset, length, wipe_block, NULL, NULL); if (r < 0) return r; /* Wipe keyslots areas */ wipe_block = 1024 * 1024; for (i = 0; i < LUKS_NUMKEYS; i++) { r = LUKS_keyslot_area(hdr, i, &offset, &length); if (r < 0) return r; /* Ignore too big LUKS1 keyslots here */ if (length > LUKS_MAX_KEYSLOT_SIZE || offset > (LUKS_MAX_KEYSLOT_SIZE - length)) continue; if (length == 0 || offset < 4096) return -EINVAL; log_dbg(ctx, "Wiping keyslot %i area (0x%06" PRIx64 " - 0x%06" PRIx64") with random data.", i, offset, length + offset); r = crypt_wipe_device(ctx, crypt_metadata_device(ctx), CRYPT_WIPE_RANDOM, offset, length, wipe_block, NULL, NULL); if (r < 0) return r; } return r; }
int LUKS_del_key(unsigned int keyIndex, struct luks_phdr *hdr, struct crypt_device *ctx) { struct device *device = crypt_metadata_device(ctx); unsigned int startOffset, endOffset; int r; r = LUKS_read_phdr(hdr, 1, 0, ctx); if (r) return r; r = LUKS_keyslot_set(hdr, keyIndex, 0); if (r) { log_err(ctx, _("Key slot %d is invalid, please select keyslot between 0 and %d."), keyIndex, LUKS_NUMKEYS - 1); return r; } /* secure deletion of key material */ startOffset = hdr->keyblock[keyIndex].keyMaterialOffset; endOffset = startOffset + AF_split_sectors(hdr->keyBytes, hdr->keyblock[keyIndex].stripes); r = crypt_wipe_device(ctx, device, CRYPT_WIPE_SPECIAL, startOffset * SECTOR_SIZE, (endOffset - startOffset) * SECTOR_SIZE, (endOffset - startOffset) * SECTOR_SIZE, NULL, NULL); if (r) { if (r == -EACCES) { log_err(ctx, _("Cannot write to device %s, permission denied."), device_path(device)); r = -EINVAL; } else log_err(ctx, _("Cannot wipe device %s."), device_path(device)); return r; } /* Wipe keyslot info */ memset(&hdr->keyblock[keyIndex].passwordSalt, 0, LUKS_SALTSIZE); hdr->keyblock[keyIndex].passwordIterations = 0; r = LUKS_write_phdr(hdr, ctx); return r; }