On 04/29/2018 03:26 AM, tripleedgedsword wrote:
> I've been looking at the command luksRemoveKey recently. I was
> wondering if a "cryptsetup luksRemoveKey" command securely deletes
> the part of the storage device on which the key was stored.

All commands that remove keys/keyslots internally call the
crypt_keyslot_destroy() function, which wipes the removed keyslot area on disk.

For rotational drives it overwrites the area several times; for
non-rotational drives (SSDs) it wipes the area with zeroes once.
(What exactly a particular firmware does depends on the drive, though.)

One day we will probably call the "secure discard" command for that area,
but for now this command is not widely supported and, moreover, it is
often buggy...

Anyway, TL;DR: yes, luksRemoveKey wipes the storage device area with the keyslot.

Milan

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
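
A read-only check of the behaviour described in the reply above, as an added example (not part of the original thread and not cryptsetup code): it parses a header image and reports whether each disabled keyslot's key material area reads as zeroes. It assumes the LUKS1 on-disk layout, which the thread does not specify; `audit_keyslots` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import struct

SECTOR = 512
SLOT_ACTIVE = 0x00AC71F3    # LUKS1 "keyslot enabled" marker
SLOT_DISABLED = 0x0000DEAD  # LUKS1 "keyslot disabled" marker

def audit_keyslots(image: bytes) -> dict:
    """Map keyslot number -> 'active' | 'zeroed' | 'non-zero' (LUKS1 assumed)."""
    if image[:6] != b"LUKS\xba\xbe" or struct.unpack_from(">H", image, 6)[0] != 1:
        raise ValueError("not a LUKS1 header")
    key_bytes = struct.unpack_from(">I", image, 108)[0]
    report = {}
    for slot in range(8):
        # 48-byte slot record: state, iterations, salt, offset (sectors), stripes
        state, _iters, _salt, offset, stripes = struct.unpack_from(
            ">II32sII", image, 208 + 48 * slot)
        if state == SLOT_ACTIVE:
            report[slot] = "active"
            continue
        if state != SLOT_DISABLED:
            raise ValueError(f"slot {slot}: unknown state {state:#x}")
        # Key material area is key_bytes * stripes, rounded up to whole sectors
        size = -(-key_bytes * stripes // SECTOR) * SECTOR
        area = image[offset * SECTOR:offset * SECTOR + size]
        if len(area) != size:
            raise ValueError(f"slot {slot}: image truncated")
        report[slot] = "non-zero" if any(area) else "zeroed"
    return report

def build_sample() -> bytes:
    """Constructed image: slot 0 active, slot 2 disabled but not wiped,
    all other slots disabled with zeroed key material areas."""
    key_bytes, stripes, per_slot = 32, 4000, 256  # 250 sectors, padded to 256
    img = bytearray((8 + 8 * per_slot) * SECTOR)
    struct.pack_into(">6sH", img, 0, b"LUKS\xba\xbe", 1)
    struct.pack_into(">I", img, 108, key_bytes)
    for slot in range(8):
        state = SLOT_ACTIVE if slot == 0 else SLOT_DISABLED
        struct.pack_into(">II32sII", img, 208 + 48 * slot, state, 1000,
                         bytes(32), 8 + slot * per_slot, stripes)
    for slot in (0, 2):  # stand-in bytes, not real key material
        start = (8 + slot * per_slot) * SECTOR
        img[start:start + key_bytes * stripes] = b"\xa5" * (key_bytes * stripes)
    return bytes(img)

if __name__ == "__main__":
    for slot, status in audit_keyslots(build_sample()).items():
        print(f"keyslot {slot}: {status}")
```

A `zeroed` result matches the single zero pass described for SSDs. On a rotational drive the multi-pass overwrite may leave non-zero data, so `non-zero` there does not by itself mean the wipe failed.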