[dm-crypt] nuke password to delete luks header

Arno Wagner arno at wagner.name
Tue Jan 14 05:36:02 CET 2014


On Tue, Jan 14, 2014 at 05:04:35 CET, .. ink .. wrote:
> > We feel strongly about not lying in these sort of situations. I agree,
> > that a lie and a truth is very much the same and hard to separate one from
> > the other for a front line individual such as a normal customs agent.
> > However, its better not to complicate the situation. So, we will truthfully
> > say:
> >
> >
> perhaps the best way to pass sensitive data through unsuspecting customs
> agent is to hide an encrypted volume under a normal file system.

Actually, that is the worst option. If found, you will be under
strong suspicion, as you tried to hide things.
 
> with cryptsetup,the way to do it would be:
> 1. start with a block device like a usb stick
> 2. blank it out with random data.
> 3. put a regular file system like vfat at the beginning of the device.
> 4. put an encrypted plain volume somewhere at the back of the device.

And any reasonable disk forensics tool will find that automatically
and fast. My keyslot-checker could be adapted to find something like
that in maybe one hour.

> If someone ask to see whats on the drive,you just open it with udisks or
> any other mounting tool and show them its contents.

Good luck with that.

Sure, of they just want to harass you, may work. But if they do
an actual search (and they may just do that), they will find it.
There will have to be some method in place to deal with true-crypt
hidden containers, but these are very much not foolproof either, 
see past discussions.

> If they take the drive and check it out in their window's machine,they will
> see a regular fat file system and they will be non the wiser.They will have
> to inspect the drive with forensic tool first to see high quality random
> data at the back of the file system and at this point,you can play the
> plausible deniability thing but they wouldnt do this if they didnt already
> suspect you are carrying something they want.

And you think they will not run that forensics tool? Plausible 
deniability does not work in practice.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list