Re: rescue corrupted luks header?

On Sat, Nov 08, 2008 at 06:10:27PM +1300, Roscoe wrote:
> > 2048 bytes looks like it would be enough if he used a 128 bit key, but
> > if he used a 256 bit key you might not get all of the last keyslot
> > (judging by observed payload offsets of 2056 bytes).
> 
> Woops....Offsets are measured in sectors not bytes!

Ups. So he would have to look into what is actually in the
keyslots. The key-material is stored on disk directly 
after the header and before the bulk data. 

Ok, revised: Look at offset 104 in the header. It lists
where the bulk data starts (in sectors). Back up everything 
before.

If that is not available, a guess is needed:
We have 8 keyslots. Then we have an anti-forensic 
diffusion of 4000. Without looking at the sources, 
I would expect each of these stripes to go into a
new set of sectors. That would be 4000 Sectors (2MB)
per keyslot, if each keyslot fits into one sector 
(4096 bits), altogether the first 16MB for one
sector keys, 32MB for two sector keys, etc...

Hmm. Maybe back up the first 1 GB of the partition, 
just to be sure? Or create a known-to-be good
new LUKS header and look in there?

On the other hand, when messing with the header 
(not the keys) and restoring after that, restoring the 
first few kBs would be enough.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
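
The lookup at header offset 104 described in the message above, as an added example that is not part of the original post: it parses a LUKS1 header, reads the payload offset and the eight keyslot descriptors, and reports how many bytes precede the bulk data. The header bytes are constructed (256-bit key, payload offset 2056 sectors as in the quoted text) and the function names are hypothetical.

```python
import struct

SECTOR = 512  # LUKS1 counts offsets in 512-byte sectors
# LUKS1 phdr: magic, version, cipher name/mode, hash spec, payload offset,
# key bytes, MK digest, MK salt, MK iterations, UUID (208 bytes, big-endian)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# One of 8 keyslots: active flag, iterations, salt, key material offset, stripes
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3


def parse_luks1(buf):
    """Return payload offset, backup size and keyslot layout from a LUKS1 header."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("need at least 592 bytes of header")
    magic, version, _, _, _, payload, key_bytes, *_ = PHDR.unpack_from(buf, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, _, _, km_off, stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": active == SLOT_ACTIVE,
                      "offset_sectors": km_off, "stripes": stripes})
    # Payload offset sits at byte 104; everything before it is header + key material
    return {"payload_sectors": payload, "key_bytes": key_bytes,
            "backup_bytes": payload * SECTOR, "slots": slots}


def sample_header():
    """Constructed header: 256-bit key, 4000 stripes, slot 0 active."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                    2056, 32, bytes(20), bytes(32), 10, b"constructed-uuid")
    for i in range(8):
        hdr += SLOT.pack(SLOT_ACTIVE if i == 0 else 0x0000DEAD, 1000,
                         bytes(32), 8 + i * 256, 4000)
    return hdr


if __name__ == "__main__":
    info = parse_luks1(sample_header())
    print("back up the first", info["backup_bytes"], "bytes")
    for s in info["slots"]:
        print(s)
```

For a real volume, pass the first 592 bytes read from the partition to parse_luks1() instead of the constructed sample.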