How efficient is Luks nuke?
I am wondering about LUKS nuke patch efficiency. In fact, I think I don't really understand it.
From what I know of LUKS, a passphrase is used to encrypt a random key (the master key), which is used to encrypt the data. Both the encrypted master key and the encrypted data are stored on the partition. LUKS nuke equals erasing the encrypted master key.
Let's say my passphrase contains uppercase, lowercase, symbols, number, and is 30 characters long.
Now, is the master key encrypted with the same algorithm as the data? If so, how is it safe to erase the encrypted master key? I just have to try to decrypt the data.
Where am I wrong? Does it take much longer? Are the algorithms different? Do I miss something?
What is the security betterment?
Just to add to CPagan's answer (I'm not allowed to comment)...
Before nuking your key (when a raid is expected or you're about to travel with sensitive data), there is no need to backup the entire drive. Only back up the header of the encrypted volume - it is tiny. For example:
cryptsetup luksHeaderBackup --header-backup-file luksheader.bak /dev/somedevice0
Now encrypt the header file (using openssl or such) and store it separately (online or with someone else).
Luks Nuke your key.
To restore header:
Decrypt (using what ever method you used to encrypt) and then restore with something like:
cryptsetup luksHeaderRestore --header-backup-file luksheader.bak /dev/somedevice