[dm-crypt] LUKS self-destruct key
list2010 at lunch.za.net
Mon Mar 31 14:19:29 CEST 2014
On Mon, 31 Mar 2014 11:52:34 +0200
Jonas Meurer <jonas at freesources.org> wrote:
> Am 2014-03-31 07:17, schrieb Andrew:
> > Greetings dm-crypt folks,
> > Is it feasable to add a self-destruct password to cryptsetup for
> > LUKS, such that when this password is entered, the decryption code
> > silently and deliberately overwrites all or part of the master key?
> Hello Andrew,
> As others already pointed out, the topic has been discussed on the
> list recently. The discussion was quite controversal. And while it is
> true, that the majority of expressed opinions was against implementing
> the requested nuke feature, there've been quite some statements that
> opposed to this majority. In my eyes, quite some valid realworld
> examples have been mentioned.
> You can read the full discussion thread here:
I read the thread -- interesting reading (Gmane seems a little off for me at the moment though.)
A few points that were not raised directly by anyone are:
* Some of the worst attackers *do* lack technical skills. While various interest groups do have technical experts, less skilled persons may try their hand first, and succeed in destroying the evidence. Terrorism has lately tended towards a cell structure. A particular cell may not have access to adequate technical resources, while not lacking "skills" like kidnapping, robbery and torture of those they target.
* An attacker may guess the wipe/kill/nuke/erase password without any intervention by the user (at last - a use for post-it notes!) Users' passwords may well be inadequate, despite all advice to the contrary. Having an even-more-inadequate nuke/self-destruct/erase password may frustrate an attacker.
* If it is possible for the key to be destroyed without the user's intervention, then it becomes plausible that there is nothing to be gained by asking for a password. (e.g. LEO removes device from user, and upon return, the user's provided key does not work, because LEO has tested some password; user complains that LEO has destroyed the data.)
* A self-destruct feature is not unique, and exists in other modern devices: e.g. the iPhone's self-destruct on failed lock
* Users have a free choice whether to create a self-destruct/nuke/erase key or not. Choice is important.
* Law enforcement may demand all passwords. It would be an omission to fail to provide them with passwords for the good and the bad key slots ;) (rather cheeky, but it's a choice)
> Please also note that Kali Linux already implemented the nuke feature
> into their distribution:
I like! I'll look out for the patch for my favourite distribution.
> Kind Regards,
More information about the dm-crypt