mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-12 11:20:10 +01:00
c2bce3e93e
All previous version of cryptsetup wiped only first 4k for LUKS1 and both JSON areas for LUKS2 (first 32k) and the allocated keyslot area (as it contained the generated key). Remaining areas (unused keyslots, padding, and alignment) were not wiped and could contain some previous data. Since this commit, the whole area up to the data offset is zeroed, and subsequently, all keyslots areas are wiped with random data. Only exceptions are - padding/alignment areas for detached header if the data offset is set to 0 - bogus LUKS1 keyslot areas (upstream code never created such keyslots but someone could use that). This operation could slow down luksFormat on some devices, but it guarantees that after this operation LUKS header does not contain any foreign data.