[dm-crypt] nuke password to delete luks header
arno at wagner.name
Tue Jan 7 01:01:12 CET 2014
On Mon, Jan 06, 2014 at 22:01:56 CET, R3s1stanc3 wrote:
> today I read this post by the developers of Kali Linux:
> I think, this is a really great feature and should be officially added
> to the cryptsetup source.
> So I wrote Milan and he told me, that there would be no additional
> security, because an "attacker will simple first backup header and then
> use this (or will use key from memory if device is mounted)."
And he is right. There are border-cases though: If you, for example,
cross the border of some unnamed but well-known states and they ask
you to unlock your LUKS container (a low/no-suspicion situation; on
medium and above suspicion they will already mirror your disk first),
entering your nuke password will make you unable to do so.
Now, have you won or lost?
You have lost. First, they will arrest you because you fail to unlock
your computer. If you are unlucky, they will find the nuke-patch or
its effects and suspect you of having nuked the container (and maybe
find out that you indeed did). Then they will not only hold you for
deportation, but maybe a few years imprisonment first for "destroying
evidence". Or maybe a long time without trial for being a "terrorist
If you do this on an SSD, all data may still be there anyways.
If they look at this stuff on medium or higher suspicion and
find the nuke-password option, then you may be screwed in a
similar fashion, just because of this.
So, no, this does not add security, but it can get you into
really bad trouble, including a significant time in prison.
(Yes, it should not, but authoritarian regimes do not have laws
based on ethics or benefit to its citizens. They have sbverted the
idea of "the law" to make it an effective instrument of oppression,
i.e., a weapon against ordinary people. This tendency can now be
observed in the western world in several places.)
My advice for the use-case "border crossing" is to not have
encrypted data or suspicious data of any kind in the first
place. If you have encrypted data, immediately and without
question, allow them access to it.
If you need confidental data in such a situation, download it
later over the net, PGP/GnuPG is still out of the TLA's ability
to break is the passphrase is good.
> He also told me to move the discussion to the mailinglist and if we
> would find some valuable use case, they would think about it.
> So now I'm here
> In my opinion, a valuable use case would be the following case:
> If you got the possibility to access your computer for a few seconds,
> before an attacker does, you simply could enter your nuke password and
> delete the luks header. This would be much faster, than entering your
> real password, booting your system and deleting the header, using the
> system's tools
> Are there any other ideas of valuable use cases?
That is not an use case. That is merely a description of a technical
situation. A use-case needs a credible real-world situation of some
detail, see my border-crossing example. It is just way to easy to come
up with higly abstracted technical situations that do not have any
real-world equivalent or are missing important real-world aspects,
such as effects from using the technical feature.
And, yes, this has been discussed time and again, without ever finding
a situation where it helps and quite a few where it harms. I will add
an FAQ entry for this, I think. But please, feel free to try for
any real-world use-cases. If there are any credible ones, I will add
them to the FAQ entry as well.
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno at wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
More information about the dm-crypt