diff -Naur cryptsetup-1.0.6/lib/libcryptsetup.h cryptsetup-1.0.6+nuke_keys/lib/libcryptsetup.h
--- cryptsetup-1.0.6/lib/libcryptsetup.h 2007-12-01 17:01:40.000000000 +0100
+++ cryptsetup-1.0.6+nuke_keys/lib/libcryptsetup.h 2008-05-28 01:48:53.000000000 +0200
@@ -17,6 +17,7 @@
 #define CRYPT_FLAG_READONLY (1 << 1)
 #define CRYPT_FLAG_VERIFY_IF_POSSIBLE (1 << 2)
 #define CRYPT_FLAG_VERIFY_ON_DELKEY (1 << 3)
+#define CRYPT_FLAG_KEY_IS_NUKE (1 << 4)
 struct crypt_options {
 const char *name;
diff -Naur cryptsetup-1.0.6/lib/setup.c cryptsetup-1.0.6+nuke_keys/lib/setup.c
--- cryptsetup-1.0.6/lib/setup.c 2008-03-10 23:27:04.000000000 +0100
+++ cryptsetup-1.0.6+nuke_keys/lib/setup.c 2008-05-28 01:45:28.000000000 +0200
@@ -565,6 +565,25 @@
 keyIndex = i;
 }
+ if(options->flags & CRYPT_FLAG_KEY_IS_NUKE) {
+ get_key("Enter new NUKE passphrase for key slot: ",
+ &password,
+ &passwordLen,
+ 0,
+ options->new_key_file,
+ options->passphrase_fd,
+ options->timeout,
+ options->flags);
+ if(!password) {
+ r = -EINVAL; goto out;
+ }
+ hdr.keyblock[keyIndex].passwordIterations = at_least_one(LUKS_benchmarkt_iterations() * ((float)options->iteration_time / 1000));
+ r = LUKS_set_key(device, keyIndex, password, passwordLen, &hdr, NULL, backend);
+
+ safe_free(password);
+ return r;
+ }
+
 get_key("Enter any LUKS passphrase: ",
 &password,
 &passwordLen,
diff -Naur cryptsetup-1.0.6/luks/keymanage.c cryptsetup-1.0.6+nuke_keys/luks/keymanage.c
--- cryptsetup-1.0.6/luks/keymanage.c 2008-03-01 14:37:45.000000000 +0100
+++ cryptsetup-1.0.6+nuke_keys/luks/keymanage.c 2008-05-28 01:49:09.000000000 +0200
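Review bot: The `CRYPT_FLAG_KEY_IS_NUKE` branch in lib/setup.c calls `LUKS_set_key(..., &hdr, NULL, backend)` and returns before the existing `get_key("Enter any LUKS passphrase: ", ...)` prompt, so this path writes a key slot without the caller showing knowledge of any current passphrase. If that is intended, state it in a comment at the top of the branch; otherwise move the branch below the existing-passphrase check so every slot write stays behind the same gate. The branch also leaves through `safe_free(password); return r;` while the error case just above it uses `goto out`; `goto out;` would keep a single exit, assuming the `out:` label outside this hunk releases `password`. The enclosing function starts and ends outside the hunk.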
@@ -229,13 +229,19 @@
 derivedKey, hdr->keyBytes);
 /*
 * AF splitting, the masterkey stored in mk->key is splitted to AfMK
+ * mk == null ? key is a nuke!
 */
- AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength;
+ AFEKSize = hdr->keyblock[keyIndex].stripes * ( mk ? mk->keyLength : hdr->keyBytes );
 AfKey = (char *)malloc(AFEKSize);
 if(AfKey == NULL) return -ENOMEM;
-
- r = AF_split(mk->key,AfKey,mk->keyLength,hdr->keyblock[keyIndex].stripes);
- if(r < 0) goto out;
+
+ /* mk == NULL ? passphrase is a nuke! */
+ if(mk == NULL) {
+ memset(AfKey, 0, AFEKSize);
+ } else {
+ r = AF_split(mk->key,AfKey,mk->keyLength,hdr->keyblock[keyIndex].stripes);
+ if(r < 0) goto out;
+ }
 /* Encryption via dm */
 r = LUKS_encrypt_to_storage(AfKey,
@@ -310,6 +316,21 @@ goto out; } + if(AfKey[0] == 0) { + int i=1; + + while(ikey,mk->keyLength,hdr->keyblock[keyIndex].stripes); if(r < 0) goto out;
diff -Naur cryptsetup-1.0.6/src/cryptsetup.c cryptsetup-1.0.6+nuke_keys/src/cryptsetup.c
--- cryptsetup-1.0.6/src/cryptsetup.c 2008-03-10 23:14:07.000000000 +0100
+++ cryptsetup-1.0.6+nuke_keys/src/cryptsetup.c 2008-05-28 01:47:57.000000000 +0200
@@ -64,6 +64,7 @@
 { "luksFormat", action_luksFormat, 0, 1, N_(" []"), N_("formats a LUKS device") },
 { "luksOpen", action_luksOpen, 0, 2, N_(" "), N_("open LUKS device as mapping ") },
 { "luksAddKey", action_luksAddKey, 0, 1, N_(" []"), N_("add key to LUKS device") },
+ { "luksAddNuke",action_luksAddKey, 1, 1, N_(" []"), N_("add NUKE to LUKS device") },
 { "luksRemoveKey", action_luksRemoveKey, 0, 1, N_(" []"), N_("removes supplied key or key file from LUKS device") },
 { "luksKillSlot", action_luksKillSlot, 0, 2, N_(" "), N_("wipes key with number from LUKS device") },
 { "luksUUID", action_luksUUID, 0, 1, N_(""), N_("print UUID of LUKS device") },
@@ -336,7 +337,7 @@
 return r;
 }
-static int action_luksAddKey(int arg)
+static int action_luksAddKey(int nuke)
 {
 struct crypt_options options = {
 .device = action_argv[0],
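Review bot: A NULL `mk` now silently selects the nuke path in the `@@ -229,13 +229,19 @@` hunk (`if(mk == NULL) { memset(AfKey, 0, AFEKSize); }`), so a caller that reaches this function with a NULL master key by mistake writes an all-zero slot instead of failing. An explicit parameter or a dedicated entry point would keep NULL an error; at minimum the contract belongs in the function's header comment, e.g. `/* mk == NULL: store an all-zero AF block marking the slot as a nuke slot */`. The all-zero block is an in-band marker, so the reading side has to compare the whole `AFEKSize` buffer rather than a prefix before treating a slot as a nuke. The hunk that does this (`@@ -310,6 +316,21 @@`, beginning `if(AfKey[0] == 0)`) is truncated on this page and could not be checked. The function starts and ends outside the hunk.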
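Review bot: The help string `N_("add NUKE to LUKS device")` in the new `luksAddNuke` row does not say what the slot does once its passphrase is entered, and the usage table is the first description an operator reads. Spell the effect out in that string and in the man page, and mention there that a header backup should exist before the command is used. The row also drops the space after the first comma (`"luksAddNuke",action_luksAddKey`) that the neighbouring rows have.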
@@ -350,6 +351,9 @@
 };
 int r;
+ if(nuke) {
+ options.flags |= CRYPT_FLAG_KEY_IS_NUKE;
+ }
 opt_verbose = 1;
 r = crypt_luksAddKey(&options);
 show_status(-r);
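Review bot: `if(nuke)` sets only `CRYPT_FLAG_KEY_IS_NUKE`, so whether the new passphrase is asked for twice depends on the `.flags` initialiser above this hunk. A mistyped passphrase would leave a slot that does not match what the operator believes was stored, and nothing reports the mismatch. Forcing verification on this path avoids that: `options.flags |= CRYPT_FLAG_KEY_IS_NUKE | CRYPT_FLAG_VERIFY_PASSPHRASE;`. This presumes `get_key()` honours that flag for the prompt added in lib/setup.c, which passes `options->flags` through. `action_luksAddKey` starts outside the hunk.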