[dm-crypt] nuke password to delete luks header

Jim O'Gorman jim at offensive-security.com
Tue Jan 14 06:01:38 CET 2014

On 13 Jan 2014, at 23:30, Arno Wagner wrote:
> I assume you have seen my posting of what may happen to you
> if you try this stunt? If not, here is a reference:
> http://permalink.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7090
> The problem is that the customs-person cannot distinguish between
> a "nuked" LUKS header or one with passphrases you do not have or
> one with passphrases you do have but refuse to give out. Sure,
> "nuking" could be done in a way that zeros the keyslots, making
> it obvious. Could still mean sitting in prison several weeks until
> a forensics expert has the time to verify your claim.
> Not true: In many cases, including UK and US, they are searching
> for "illicit" material, like specific types of pornography and,
> I suspect, unlicensed music and movies. And they will check
> business laptops also.
> While not lying is the right approach, it could still mean a few
> weeks in a cell. If that risk is covered by your contracts and
> your employees are willing to risk it, that may be acceptable.

We have a fair number of people on the team and do a large amount of international travel. To date, none of us have ended up in prison. In one case a device was taken and the only way we could get it back was to provide the password. So we replaced the device.

I understand that you are concerned about the risk of being sent to jail but I am not sure that concern is in line with what we are encountering in the real world. If you look at the ACLU's guidance on the matter, https://www.aclunc.org/blog/privacy-your-laptop-international-borders, the risk of jail is not even mentioned.

Additionally I would recommend the EFF, https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices, as a great resource on this topic. On that page, they have a number of case scenarios and the likely consequences of not giving up the password. Our scenario that we mention is very similar to the "Case Scenario: Business Concerns" sidebar, where the traveler does not have the password.

Every time we have worked with the EFF, we have found them to be very knowledgeable and we have a lot of respect for them. They take these matters seriously and are well informed on the topic. They suggest:

> If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply. Only a judge can force you to reveal information to the government, and only to the extent that you do not have a valid Fifth Amendment right against self-incrimination.38
> However, if you refuse to provide information or assistance upon request, the border agent may seize your device for further inspection or consider you uncooperative, which the agent may take into consideration when deciding whether to allow you to enter the United States.
> If you are planning to bring encrypted or password-protected information over the border, it’s best to decide ahead of time how you would respond to a border agent’s request for help to inspect data. The best answer for your particular circumstance may be to cooperate or to politely decline to provide information.

It's important to not be alarmist on the actual threat posed. If you can provide me with cases where people are actually sent to prison that would be an interesting read.
Jim O'Gorman
jim at offensive-security.com
