#------------------------------------------------------------------------------ # $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup # URL: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup # http://fileformats.archiveteam.org/wiki/LUKS # From: Anthon van der Neut # Update: Joerg Jenderek # Note: verfied by command like `cryptsetup luksDump /dev/sda3` 0 string LUKS\xba\xbe LUKS encrypted file, # https://reposcope.com/mimetype/application/x-raw-disk-image !:mime application/x-raw-disk-image #!:mime application/x-luks-volume # img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt !:ext /luks/img/luksVolumeHeaderBackUp # version like: 1 2 >6 beshort x ver %d # test for version 1 variant >6 beshort 1 >>0 use luks-v1 # test for version 2 variant >6 beshort >1 >>0 use luks-v2 # Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf # http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml # display information about LUKS version 1 0 name luks-v1 # cipher-name like: aes twofish >8 string x [%s, # cipher-mode like: xts-plain64 cbc-essiv >40 string x %s, # hash specification like: sha256 sha1 ripemd160 >72 string x %s] >168 string x UUID: %s # NEW PART! # payload-offset; start offset of the bulk data >104 ubelong x \b, at %#x data # key-bytes; number of key bytes; key-bytes*8=MK-bits >108 ubelong x \b, %u key bytes # mk-digest[20]; master key checksum from PBKDF2 >112 ubequad x \b, MK digest %#16.16llx >>120 ubequad x \b%16.16llx >>128 ubelong x \b%8.8x # mk-digest-salt[32]; salt parameter for master key PBKDF2 >132 ubequad x \b, MK salt %#16.16llx >>140 ubequad x \b%16.16llx >>148 ubequad x \b%16.16llx >>156 ubequad x \b%16.16llx # mk-digest-iter; iterations parameter for master key PBKDF2 >164 ubelong x \b, %u MK iterations # key slot 1 >208 ubelong =0x00AC71F3 \b; slot #0 >>208 use luks-slot # key slot 2 >256 ubelong =0x00AC71F3 \b; slot #1 >>256 use luks-slot # key slot 3 >304 ubelong =0x00AC71F3 \b; slot #2 >>304 use luks-slot # key slot 4 >352 ubelong =0x00AC71F3 \b; slot #3 >>352 use luks-slot # key slot 5 >400 ubelong =0x00AC71F3 \b; slot #4 >>400 use luks-slot # key slot 6 >448 ubelong =0x00AC71F3 \b; slot #5 >>448 use luks-slot # key slot 7 >496 ubelong =0x00AC71F3 \b; slot #6 >>496 use luks-slot # key slot 8 >544 ubelong =0x00AC71F3 \b; slot #7 >>544 use luks-slot # Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf # http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml # display information about LUKS version 2 0 name luks-v2 # hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384 >8 ubequad x \b, header size %llu # possible check for MAGIC_2ND after header #>(8.Q) string SKUL\xba\xbe \b, 2nd_HEADER_OK # seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10 >16 ubequad x \b, ID %llu # label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT" >24 string >\0 \b, label %s # csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 wirlpool ripemd160 >72 string x \b, algo %s # salt[64]; salt , unique for every header >104 ubequad x \b, salt %#llx... # uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7 >168 string x \b, UUID: %-.40s # subsystem[48]; optional owner subsystem label or empty >208 string >\0 \b, sub label %-.48s # hdr_offset; offset from device start [ bytes ] like: 0 >256 ubequad !0 \b, offset %llx # char _padding [184]; must be zeroed #>264 ubequad x \b, padding %#16.16llx #>440 ubequad x \b...%16.16llx # csum[64]; header checksum >448 ubequad x \b, crc %#llx... # char _padding4096 [7*512]; Padding , must be zeroed #>512 ubequad x \b, more padding %#16.16llx #>4088 ubequad x \b...%16.16llx # JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like: # {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse" >0x1000 string x \b, at 0x1000 %s #>0x1000 indirect x # display information (like active) about LUKS1 slot 0 name luks-slot # state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive #>0 ubelong x \b, status %#8.8x >0 ubelong =0x00AC71F3 active >0 ubelong =0x0000DEAD inactive # iteration parameter for PBKDF2 #>4 ubelong x \b, %u iterations # salt parameter for PBKDF2 #>8 ubequad x \b, salt %#16.16llx #>>16 ubequad x \b%16.16llx #>>24 ubequad x \b%16.16llx #>>32 ubequad x \b%16.16llx # start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0 >40 ubelong x \b, %#x material offset # number of anti-forensic stripes like: 4000 >44 ubelong !4000 \b, %u stripes