How to erase all LUKS key slots

Learn how to erase every defined LUKS key slot on a specific device.

Display LUKS header information.

$ sudo cryptsetup luksDump /dev/sdb1 
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      eb 33 45 89 95 2b 67 dd 65 6d 17 d3 ed 7d 05 c4 84 58 5f fc 
MK salt:        b7 0b c3 96 0e ab 70 1b f0 28 9f 39 63 a4 37 95 
                16 e0 61 e6 98 ab fc c1 18 db 1a 36 bc 00 bd 13 
MK iterations:  151879
UUID:           ac32a865-2716-43e3-8db9-798d4279a3a3

Key Slot 0: ENABLED
        Iterations:             2430070
        Salt:                   10 a5 7d 29 c8 7f 21 d8 15 ca 42 08 01 a5 79 0c 
                                d4 d7 5b 87 c3 14 cc 33 75 ec ec ba 71 26 8c 67 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Erase LUKS key-slots.

$ sudo cryptsetup luksErase /dev/sdb1
WARNING!
========
This operation will erase all keyslots on device /dev/sdb1.
Device will become unusable after this operation.

Are you sure? (Type uppercase yes): YES

Display cleared LUKS header information.

$ sudo cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      eb 33 45 89 95 2b 67 dd 65 6d 17 d3 ed 7d 05 c4 84 58 5f fc
MK salt:        b7 0b c3 96 0e ab 70 1b f0 28 9f 39 63 a4 37 95
                16 e0 61 e6 98 ab fc c1 18 db 1a 36 bc 00 bd 13
MK iterations:  151879
UUID:           ac32a865-2716-43e3-8db9-798d4279a3a3

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Additional notes

Use batch-mode to erase LUKS key-slots without confirmation dialog.

$ sudo cryptsetup luksErase -q /dev/sdb1

Remember to remove every LUKS header backup as it can be used to circumvent this operation.

Milosz Galazka's Picture

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.