#------------------------------------------------------------------------------
# $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $
# luks:  file(1) magic for Linux Unified Key Setup
# URL:     https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
#          http://fileformats.archiveteam.org/wiki/LUKS
# From:    Anthon van der Neut <anthon@mnt.org>
# Update:  Joerg Jenderek
# Note:    verified by command like `cryptsetup luksDump /dev/sda3`

0       string          LUKS\xba\xbe    LUKS encrypted file,
# https://reposcope.com/mimetype/application/x-raw-disk-image
!:mime  application/x-raw-disk-image
#!:mime application/x-luks-volume
# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt
!:ext   /luks/img/luksVolumeHeaderBackUp
# version like: 1 2
>6      beshort         x               ver %d
# test for version 1 variant
>6      beshort         1
>>0     use             luks-v1
# test for version 2 variant
>6      beshort         >1
>>0     use             luks-v2
# Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf
#            http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml
# display information about LUKS version 1
0       name            luks-v1
# cipher-name like: aes twofish
>8      string          x               [%s,
# cipher-mode like: xts-plain64 cbc-essiv
>40     string          x               %s,
# hash specification like: sha256 sha1 ripemd160
>72     string          x               %s]
>168    string          x               UUID: %s
# NEW PART!
# payload-offset; start offset of the bulk data
>104    ubelong         x               \b, at %#x data
# key-bytes; number of key bytes; key-bytes*8=MK-bits
>108    ubelong         x               \b, %u key bytes
# mk-digest[20]; master key checksum from PBKDF2
>112    ubequad         x               \b, MK digest %#16.16llx
>>120   ubequad         x               \b%16.16llx
>>128   ubelong         x               \b%8.8x
# mk-digest-salt[32]; salt parameter for master key PBKDF2
>132    ubequad         x               \b, MK salt %#16.16llx
>>140   ubequad         x               \b%16.16llx
>>148   ubequad         x               \b%16.16llx
>>156   ubequad         x               \b%16.16llx
# mk-digest-iter; iterations parameter for master key PBKDF2
>164    ubelong         x               \b, %u MK iterations
# key slot 1
>208    ubelong         =0x00AC71F3     \b; slot #0
>>208   use             luks-slot
# key slot 2
>256    ubelong         =0x00AC71F3     \b; slot #1
>>256   use             luks-slot
# key slot 3
>304    ubelong         =0x00AC71F3     \b; slot #2
>>304   use             luks-slot
# key slot 4
>352    ubelong         =0x00AC71F3     \b; slot #3
>>352   use             luks-slot
# key slot 5
>400    ubelong         =0x00AC71F3     \b; slot #4
>>400   use             luks-slot
# key slot 6
>448    ubelong         =0x00AC71F3     \b; slot #5
>>448   use             luks-slot
# key slot 7
>496    ubelong         =0x00AC71F3     \b; slot #6
>>496   use             luks-slot
# key slot 8
>544    ubelong         =0x00AC71F3     \b; slot #7
>>544   use             luks-slot
# Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf
#            http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml
# display information about LUKS version 2
0       name            luks-v2
# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384
>8      ubequad         x               \b, header size %llu
# possible check for MAGIC_2ND after header
#>(8.Q) string          SKUL\xba\xbe    \b, 2nd_HEADER_OK
# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10
>16     ubequad         x               \b, ID %llu
# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT"
>24     string          >\0             \b, label %s
# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 whirlpool ripemd160
>72     string          x               \b, algo %s
# salt[64]; salt, unique for every header
>104    ubequad         x               \b, salt %#llx...
# uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7
>168    string          x               \b, UUID: %-.40s
# subsystem[48]; optional owner subsystem label or empty
>208    string          >\0             \b, sub label %-.48s
# hdr_offset; offset from device start [ bytes ] like: 0
>256    ubequad         !0              \b, offset %llx
# char _padding [184]; must be zeroed
#>264   ubequad         x               \b, padding %#16.16llx
#>440   ubequad         x               \b...%16.16llx
# csum[64]; header checksum
>448    ubequad         x               \b, crc %#llx...
# char _padding4096 [7*512]; Padding, must be zeroed
#>512   ubequad         x               \b, more padding %#16.16llx
#>4088  ubequad         x               \b...%16.16llx
# JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like:
# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse"
>0x1000 string          x               \b, at 0x1000 %s
#>0x1000 indirect       x
# display information (like active) about LUKS1 slot
0       name            luks-slot
# state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive
#>0     ubelong         x               \b, status %#8.8x
>0      ubelong         =0x00AC71F3     active
>0      ubelong         =0x0000DEAD     inactive
# iteration parameter for PBKDF2
#>4     ubelong         x               \b, %u iterations
# salt parameter for PBKDF2
#>8     ubequad         x               \b, salt %#16.16llx
#>>16   ubequad         x               \b%16.16llx
#>>24   ubequad         x               \b%16.16llx
#>>32   ubequad         x               \b%16.16llx
# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0
>40     ubelong         x               \b, %#x material offset
# number of anti-forensic stripes like: 4000
>44     ubelong         !4000           \b, %u stripes
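
The LUKS1 layout that the luks-v1 and luks-slot entries walk through, as an added Python example (not part of this magic file or of file(1)): it reads the same big-endian offsets with `struct` and reports each key slot's state, treating any marker other than the two listed as invalid. The function names and the sample header are constructed for illustration.

```python
import struct

# Offsets and constants mirror the luks-v1 and luks-slot entries above.
MAGIC = b"LUKS\xba\xbe"
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # bytes 0..207, big-endian
SLOT = struct.Struct(">II32sII")                  # 8 slots of 48 bytes from 208
SLOT_STATE = {0x00AC71F3: "active", 0x0000DEAD: "inactive"}

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(buf):
    """Return LUKS1 header fields as a dict; raise ValueError otherwise."""
    if len(buf) < HDR.size + 8 * SLOT.size:
        raise ValueError("truncated header")
    (magic, ver, cipher, mode, hash_spec, payload, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = HDR.unpack_from(buf, 0)
    if magic != MAGIC or ver != 1:
        raise ValueError("not a LUKS version 1 header")
    slots = []
    for i in range(8):
        state, iters, _salt, material, stripes = SLOT.unpack_from(
            buf, HDR.size + i * SLOT.size)
        # Any value other than the two known markers means a damaged slot.
        slots.append({"index": i, "state": SLOT_STATE.get(state, "invalid"),
                      "iterations": iters, "material_offset": material,
                      "stripes": stripes})
    return {"cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "payload_offset": payload,
            "key_bytes": key_bytes, "mk_digest": mk_digest.hex(),
            "mk_salt": mk_salt.hex(), "mk_iterations": mk_iter,
            "uuid": _text(uuid), "slots": slots}

def sample_header():
    """Constructed header for testing: slot 0 active, slots 1-7 inactive."""
    hdr = HDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                   bytes(20), bytes(32), 100000,
                   b"00000000-0000-4000-8000-000000000000")
    slots = SLOT.pack(0x00AC71F3, 200000, bytes(32), 8, 4000)
    slots += b"".join(SLOT.pack(0x0000DEAD, 0, bytes(32), 8 + 504 * i, 4000)
                      for i in range(1, 8))
    return hdr + slots

if __name__ == "__main__":
    info = parse_luks1(sample_header())
    print(info["cipher"], info["mode"], info["hash"], info["uuid"])
    print([s["index"] for s in info["slots"] if s["state"] == "active"])
```
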