On 06/03/2010 06:16 PM, Panagiotis Malakoudis wrote: > Hello Milan and thank you for your answer. > > I thought that the information shown in luksDump is enough to use those > keys for decoding. I thought the extra 128KB per keyslot are for > checksum verification, so if they are modified then checksum fails and > key is not selected. However, since I know this is the correct key, is > there any way to force the usage of it even if checksum fails? The key, you are entering to cryptsetup, is just "passphrase" to unlock keyslot. Simplified - after decryption and iterated hashing of the keyslot area you get the master (volume) key which is used in disk encryption. (that volume key is generated during luksFormat, it is not derived from passphrase in LUKS) Data contained in luksDump is just master key fingerprint + keyslot attributes, used to verify the correct key fingerprint. Btw format is now flawed - see antiforensic split function. It is designed that even if hw internally relocates part of keyslot area (so you cannot wipe it), it is not possible reconstruct master key with some old passphrase knowledge and these relocated sectors content. And also see luksHeaderBackup and restore command. Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
