Description of problem: Luksmeta is not able to properly clear slots. Also nuke and init do not work as they should. Version-Release number of selected component (if applicable): Name : luksmeta Version : 9 Release : 2.fc29 Arch : x86_64 How reproducible: With the following command. Example is a LUKS encrypted USB SSD on /dev/sdb with LUKS v1 partition /dev/sdb1 Steps to Reproduce: PART 1/2 1. # luksmeta show -d /dev/sdb1 0 active empty 1 active empty 2 active empty 3 active empty 4 active cb6e8904-81ff-XXXX-a84a-XXXXXXXXXXXX 5 inactive cb6e8904-81ff-XXXX-a84a-XXXXXXXXXXXX 6 inactive empty 7 inactive empty 2. # luksmeta nuke -d /dev/sdb1 You are about to erase all data in the LUKSMeta storage area. A backup is advised before erasure is performed. Do you wish to nuke /dev/sdb1? [yn] y 3. # luksmeta init -d /dev/sdb1 You are about to initialize a LUKS device for metadata storage. Attempting to initialize it may result in data loss if data was already written into the LUKS header gap in a different format. A backup is advised before initialization is performed. Do you wish to initialize /dev/sdb1? [yn] y 4. # luksmeta show -d /dev/sdb1 0 active empty <<-- Slots are still active 1 active empty <<-- and cannot be reused, see part 2 2 active empty 3 active empty 4 active empty 5 inactive empty 6 inactive empty 7 inactive empty PART 2/2: 5. # luksmeta show -d /dev/sdb1 0 active empty 1 active empty 2 active empty 3 active empty 4 active empty 5 inactive empty 6 inactive empty 7 inactive empty 6. # luksmeta wipe -d /dev/sdb1 -s 0 You are about to wipe a slot. This operation is unrecoverable. A backup is advised before proceeding. Do you wish to erase slot 0 on /dev/sdb1? [yn] y 7. # clevis luks bind -d /dev/sdb1 -s 0 tpm2 '{"pcr_ids":"7"}' Enter existing LUKS password: Schlüsselfach 0 ist voll, bitte wählen Sie ein anderes. <<-- (translation: Slot 0 is full, please choose another one.) Error while adding new key to LUKS header! Actual results: luksmeta nuke does not properly overwrite the header gap. luksmeta wipe does not clear the slot luksmeta show shows wrong information (if the output from clevis-luks-bind is right) There is not option to deactivate a slot, maybe this should be done by the wipe command? Expected results: luksmeta nuke should properly erase the LUKS header luksmeta wipe should wipe and deactivate the slot Additional info: cf. Bug number 1672371
luksmeta *never* changes whether or not there is an active LUKS slot. Doing so is a layering violation. The commands are working as designed. Please use cryptsetup to remove LUKS slots. From the documetation: "Although the luksmeta slots are inspired by the LUKS slots, they are functionally independent and share only a casual relationship. Slots merely provide a hint that a given chunk of metadata is associated with a specific LUKSv1 password (in a slot with the same number)."