Emergency self-destruction functionality for LUKS implented
As I've said, I was going to implement a new feature for LUKS in order to allow for emergency deletion of all LUKS key material. I've finished the implementation and submitted it to Clemens Fruhwirth for merging it into the next version of LUKS.
The first part of the new feature is to actually store a "nuke" passphrase in a keyslot. However, this passphrase does not encrypt the masterkey used for en-/decrypting the partition, but rather encrypts a magic value (0x0...0). The new action command "luksAddNuke" that was added to cryptsetup does just that:
cryptsetup luksAddNuke <device>It behaves pretty much like a "luksAddKey", only that the actual keyslot data does not contain any cryptographic material.
The second part of the implementation is a modification of the function that unlocks a keyslot and extracts the key material for en-/decryption. This function now contains a check for said magical value and deletes all keyslots if it encounters it.
Here are the downloads:
You cannot post until you login.