#------------------------------------------------------------------------------
# $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $
# luks:  file(1) magic for Linux Unified Key Setup
# URL:		https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
#		http://fileformats.archiveteam.org/wiki/LUKS
# From:	Anthon van der Neut <anthon@mnt.org>
# Update:	Joerg Jenderek
# Note:		verified by a command like `cryptsetup luksDump /dev/sda3`

0	string		LUKS\xba\xbe	LUKS encrypted file,
# https://reposcope.com/mimetype/application/x-raw-disk-image
!:mime	application/x-raw-disk-image
#!:mime	application/x-luks-volume
# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt
!:ext	/luks/img/luksVolumeHeaderBackUp
# version like: 1 2
>6	beshort		x		ver %d
# test for version 1 variant
>6	beshort		1
>>0			use		luks-v1
# test for version 2 variant
>6	beshort		>1
>>0			use		luks-v2
# Reference:	https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf
#		http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml
# display information about LUKS version 1
0	name		luks-v1
# cipher-name like: aes twofish
>8	string		x		[%s,
# cipher-mode like: xts-plain64 cbc-essiv
>40	string		x		%s,
# hash specification like: sha256 sha1 ripemd160
>72	string		x		%s]
>168	string		x		UUID: %s
# NEW PART!
# payload-offset; start offset of the bulk data
>104	 ubelong	x		\b, at %#x data
# key-bytes; number of key bytes; key-bytes*8=MK-bits
>108	 ubelong	x		\b, %u key bytes
# mk-digest[20]; master key checksum from PBKDF2; stored unencrypted in the header to verify a recovered master key, it is not the key itself
>112	ubequad		x		\b, MK digest %#16.16llx
>>120	ubequad		x		\b%16.16llx
>>128	ubelong		x		\b%8.8x
# mk-digest-salt[32]; salt parameter for master key PBKDF2
>132	ubequad		x		\b, MK salt %#16.16llx
>>140	ubequad		x		\b%16.16llx
>>148	ubequad		x		\b%16.16llx
>>156	ubequad		x		\b%16.16llx
# mk-digest-iter; iterations parameter for master key PBKDF2
>164	ubelong		x		\b, %u MK iterations
# key slot 1 of 8 (printed zero-based as slot #0); the slot records start at offset 208 and are 48 bytes apart
>208	ubelong		=0x00AC71F3	\b; slot #0
>>208			use		luks-slot
# key slot 2
>256	ubelong		=0x00AC71F3	\b; slot #1
>>256			use		luks-slot
# key slot 3
>304	ubelong		=0x00AC71F3	\b; slot #2
>>304			use		luks-slot
# key slot 4
>352	ubelong		=0x00AC71F3	\b; slot #3
>>352			use		luks-slot
# key slot 5
>400	ubelong		=0x00AC71F3	\b; slot #4
>>400			use		luks-slot
# key slot 6
>448	ubelong		=0x00AC71F3	\b; slot #5
>>448			use		luks-slot
# key slot 7
>496	ubelong		=0x00AC71F3	\b; slot #6
>>496			use		luks-slot
# key slot 8
>544	ubelong		=0x00AC71F3	\b; slot #7
>>544			use		luks-slot
# Reference:	https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf
#		http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml
# display information about LUKS version 2
0	name		luks-v2
# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384
>8	ubequad		x		\b, header size %llu
# possible check for MAGIC_2ND (the secondary header magic) at the offset given by hdr_size, i.e. directly after the primary header area
#>(8.Q) 	 string		SKUL\xba\xbe	\b, 2nd_HEADER_OK
# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10
>16	ubequad		x		\b, ID %llu
# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT"
>24	string		>\0		\b, label %s
# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 whirlpool ripemd160
>72	string		x		\b, algo %s
# salt[64]; salt, unique for every header; only the first 8 bytes are shown
>104	ubequad		x		\b, salt %#llx...
# uuid[40]; UUID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7
>168	string		x		\b, UUID: %-.40s
# subsystem[48]; optional owner subsystem label or empty
>208	string		>\0		\b, sub label %-.48s
# hdr_offset; offset from device start [ bytes ] like: 0
>256	ubequad		!0		\b, offset %llx
# char _padding [184]; must be zeroed
#>264	ubequad		x		\b, padding %#16.16llx
#>440	ubequad		x		\b...%16.16llx
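# csum[64]; header checksum computed with csum_alg; only the first 8 bytes are shown (the output label says crc, but the value is a digest)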
>448	ubequad		x		\b, crc %#llx...
# char _padding4096 [7*512]; padding, must be zeroed
#>512	ubequad		x		\b, more padding %#16.16llx
#>4088	ubequad		x		\b...%16.16llx
# JSON text data terminated by a zero byte; the unused remainder of the area is filled with zeroes. Example:
# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse"
>0x1000	string		x		\b, at 0x1000 %s
#>0x1000	indirect	x
# display information (like active) about LUKS1 slot
0	name		luks-slot
# state of keyslot: 0x00AC71F3 = active, 0x0000DEAD = inactive; luks-v1 calls this only for slots whose state already equals the active value
#>0	ubelong		x		\b, status %#8.8x
>0	ubelong		=0x00AC71F3	active
>0	ubelong		=0x0000DEAD	inactive
# iteration parameter for PBKDF2
#>4	ubelong		x		\b, %u iterations
# salt parameter for PBKDF2
#>8	ubequad		x		\b, salt %#16.16llx
#>>16	ubequad		x		\b%16.16llx
#>>24	ubequad		x		\b%16.16llx
#>>32	ubequad		x		\b%16.16llx
# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0
>40	ubelong		x		\b, %#x material offset
# number of anti-forensic stripes like: 4000
>44	ubelong		!4000		\b, %u stripes