[dm-crypt] nuke password to delete luks header

Jim O'Gorman jim at offensive-security.com
Tue Jan 14 03:52:37 CET 2014

On 13 Jan 2014, at 21:41, .. ink .. wrote:
>> This situation is very common for us in situations where systems may be
>> inspected by parties that may not be friendly to us. Border crossings are a
>> common example of this.
> whats the recommended answer to give in such situation where an encrypted
> volume is clearly visible since its LUKS but you are unable to open it when
> asked by authorities since you nuked all key slots?If you cant open the
> volume and If you are not believed,then any answer you will give most
> likely will not be believable and hence "the password was XXX but it now
> doesnt work because i nuked it" is just as believable as "i dont remember
> the password" or "i dont know the password,i am just carrying the laptop
> for a friend".

Personally, I think the "right" answer is going to be different for everyone and we can only speak to what we do.

We feel strongly about not lying in these sort of situations. I agree, that a lie and a truth is very much the same and hard to separate one from the other for a front line individual such as a normal customs agent. However, its better not to complicate the situation. So, we will truthfully say:

"As a matter of company policy, no employees travel with sensitive data stored in a manner that is accessible in transit. As such, I have no way of accessing any of the data on this system."

Realistically, in the vast majority of the cases this is perfectly adequate as all they are really looking to do is ensure the device is a real working laptop and not a bomb of some sort. In cases where you may be suspected of transferring contraband they will often have other supporting evidence. As all the work we do is sensitive, but legitimate, this is not an issue that we lose any sleep over. 
Jim O'Gorman
jim at offensive-security.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 710 bytes
Desc: OpenPGP digital signature
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140113/9abaccad/attachment.asc>

More information about the dm-crypt mailing list