[dm-crypt] Boot from fully encrypted disk which looks like unused

dhvvcb at lavabit.com dhvvcb at lavabit.com
Tue May 24 06:33:11 CEST 2011

On Mon, 23/05/2011 at 09:09 +0200, Milan Broz wrote:
> One simple change will be support for detached LUKS header in some
> next version of cryptsetup.
> So you can have header on separate (USB or so) device or in file.
> The unlocked drive then does not contain any visible metadata then.

Reasonable intention.

Arno Wagner

You consider only two extreme situations. First, you may easily refuse
to give the key. Second, government is hunting for you and keen to find
out your secrets. You will not believe, but there are many other
situations. Opponents may not be so intelligent and they do not know
that random-looking parts of a disk can contain information. If they
suspect presence of encryption, the extent how much they will try to
affect you depends on their confidence, and presence of a cryptographic
header would apparently be bad. And so on. I don't claim that deniable
encryption guarantee personal security. However there is a lot of
situations when visible cryptographic header is definitely undesirable.
I think it is obvious and I wouldn't like to argue about that. At last,
there is no legal ground to demand the key if there is no indication of
encryption. Citizens must not explain anything. Otherwise, it is
lawlessness. They should get used to random bits.

All I am interested in this topic is how to modify initramfs so that
kernel would understand option root=/dev/mapper/hhd2 or something like
that. In brief, task is following. Bootloader (grub), kernel (vmlinuz)
and vfs (initramfs) are placed on a usb flash drive. Encrypted root file
system is placed on hdd drive (with no cryptographic header). Kernel
should be able to decrypt root file system. Any hints are welcome.

More information about the dm-crypt mailing list