cryptsetup-nuke-password
cryptsetup-nuke-password configures a special 'nuke password' for LUKS encrypted partitions that erases encryption keys when entered at the unlock prompt. This renders data unreadable if the system is at risk of seizure.
Description
This tool enables the setup of a special 'nuke password' for LUKS encrypted partitions. When entered at the early-boot unlock prompt instead of the regular passphrase, it immediately destroys the encryption keys, making the data permanently unreadable.
The primary use case is providing a stealthy emergency data destruction mechanism. If a user fears their computer is about to be seized, they can enter the nuke password to wipe access to encrypted partitions without drawing attention.
After installation, configuration is done via 'dpkg-reconfigure cryptsetup-nuke-password' to set the nuke password. It integrates seamlessly with standard LUKS boot prompts.
How It Works
The tool modifies LUKS cryptsetup configuration to recognize a designated nuke password. During the early-boot passphrase prompt, entering this password triggers immediate erasure of the LUKS master keys, rendering all encrypted data inaccessible without rebuilding the keyslots. This leverages cryptsetup's key management internals for secure key zeroing.
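The effect described above can be checked from the LUKS header itself. The following is an added example, not code from the cryptsetup-nuke-password package: it counts the keyslots listed in `cryptsetup luksDump` output for both LUKS1 and LUKS2, assuming the nuke action leaves the header with no active keyslots. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Count active keyslots in `cryptsetup luksDump` output read from stdin.
# Function names and the sample dumps below are constructed for illustration.
count_active_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }      # LUKS1: one line per slot
        /^Keyslots:/ { in_slots = 1; next }      # LUKS2: start of keyslot section
        in_slots && /^[^ \t]/ { in_slots = 0 }   # next top-level section ends it
        in_slots && /^  [0-9]+: / { n++ }        # LUKS2 entry such as "  0: luks2"
        END { print n + 0 }
    '
}

# Report whether any passphrase can still unlock the volume.
header_state() {
    if [ "$(count_active_keyslots)" -gt 0 ]; then
        echo "unlockable"
    else
        echo "no-keyslots"
    fi
}

# Constructed, abbreviated LUKS2 dump with two keyslots present.
sample_luks2_intact() {
    cat <<'EOF'
Version:        2
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
        offset: 16777216 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

# Constructed LUKS2 dump after all keyslots were erased.
sample_luks2_erased() { printf '%s\n' 'Version:        2' 'Keyslots:' 'Tokens:' 'Digests:'; }

# Constructed LUKS1 dump fragment: one enabled slot, one disabled.
sample_luks1() { printf '%s\n' 'Version:        1' 'Key Slot 0: ENABLED' 'Key Slot 1: DISABLED'; }

sample_luks2_intact | header_state
sample_luks2_erased | header_state
```

On a real system, pipe the output of `cryptsetup luksDump` for the device (run as root) into `header_state` instead of the sample functions.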
Installation
sudo apt install cryptsetup-nuke-password
Examples
dpkg-reconfigure cryptsetup-nuke-password
sudo apt install cryptsetup-nuke-password
apt show cryptsetup-nuke-password
dpkg -l | grep cryptsetup-nuke-password
sudo dpkg-reconfigure cryptsetup-nuke-password
[nuke-password at LUKS prompt]