You are not logged in.

#1 2016-07-06 21:42:01

famyse
Member
Registered: 2016-07-06
Posts: 4

encrypted /var + plausible deniability + quick&easy mount @ boot time

Hello folks, I'd like to discuss this topic with some of the experts in here.
I've got one premise: please let us not kill the topic with the common "they can always make you confess all your passwords through torture" argument. Thanks.

So, as the title suggests I'd be looking for a convenient way of protecting my data while achieving plausible deniability. I've read the archwiki on the subject. I'd rather not encrypt the whole root system if I can avoid to do so, BUT I'd need to encrypt /var .

dm-crypt offers two options for plausible deniability: plain mode and detached LUKS header, but both are very unconvenient since they require long and difficult to remember cryptopen command typing. I also don't like the idea of storing a LUKS header in an non-encrypted usb drive, since if that is revealed then the whole purpose is defeated.

VeraCrypt (TrueCrypt's successor) on the other hand is very convenient since it can be used to create a hidden encrypted partition inside an outer encrypted volume (which acts as a decoy). When running the veracrypt mount command, it is sufficient to provide two different passwords in order to access either to the hidden partition, either to the decoy partition.

For Windows, it also exists a veracrypt bootloader that can be used to boot a fully encrypted system. In my case, I don't necessarily want to encrypt the whole system, but I want to encrypt /var, then I still need some way to mount the encrypted /var when it is needed at boot time.

To your knowledge, might there be some (convenient / quick) way in Linux to run veracrypt at boot time in order to mount /var before it is needed?

Alternatively, can you think of some other way to achieve the same result with dm-crypt ?

Result should be:  encrypted /var and /home + plausible deniability + quick&easy mount at boot time .

Thanks for the help

Offline

#2 2016-07-06 22:13:20

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 9,791
Website

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

famyse wrote:

I've got one premise: please let us not kill the topic with the common "they can always make you confess all your passwords through torture" argument. Thanks.

As true today as it was when it was written, make no mistake.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#3 2016-07-06 22:28:16

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

@famyse Have you seen this?

@graysky I don't think he meant to dispute the premise, but was rather asking that people not do... well, pretty much exactly what you did.


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#4 2016-07-07 10:02:00

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

Plausible deniability has been discussed many times before and the conclusion is always the same, it's close to impossible to do right and not worth the trouble. Another conclusion that is always reached, and which is in line with the xkcd comic that graysky posted, is that if you are dealing with well funded and powerful adversaries pretty much anything can happen to you, and either you cough up the password or you risk being locked away somewhere indefinitely (or worse).

Just an example of what can be found if you search the forums: https://bbs.archlinux.org/viewtopic.php?id=213904


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#5 2016-07-07 18:41:00

famyse
Member
Registered: 2016-07-06
Posts: 4

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

@alphaniner - Thank you, I hadn't seen that yet. Do you reckon it could be used for my purpose (i.e. encrypted /var) ?
So far I had seen this other project https://github.com/kriswebdev/cryptsetup-deluks , which looks promising but is still at alpha stage.

@ graysky and rookie
Thank you for your participation to the thread, however I do not agree with you. I hoped I didn't have to discuss this, as of course I did read every one topic regarding plausible deniability in this forum before starting my own, and I still think I have two arguments in my favor:

1) It is not true that plausible deniability is close to impossible to do it right. In Windows, VeraCrypt does it very well, for free and with close to none trouble. It could do it on Linux too, it is just an implementation problem as the VeraCrypt developers have little familiarity with Linux and they maintain the project in their free time. That other project I quoted above is also a promising one for finally providing plausible deniability for LUKS, again is just an implementation problem.

2) I am no criminal / wanted person and I am not planning to become, and in my hard drives there is really nothing that would make any very well funded and powerful adversary going after my butt so badly. Let's suppose that in your hdd there is nothing but some pirated music and movies, some software maybe too, normal stuff pretty much everyone has. You of course then don't care protecting yourself against the standard computer thief, meaning that standard encryption is for you nothing but an hassle. But you do want to protect yourself against more entitled adversaries against which standard encryption may be not enough, because you don't want to be ripped off 50,000+ $$ just because of that little movie collection of yours. Again, it would be actually still be better not to encrypt anything if you can only use obvious encryption, since that would only end up worsening your situation: they could start thinking that you have something actually dangerous in there, and you will end up giving up your password after few hours of perfectly legal psychological pressure, and maybe get sued for not giving it up straight away too. In case you go abroad with your pc and the front police notices you have an encrypted hard drive, these days they will be suspecting you are a clandestine or even a terrorist and they will hold you for hours even if you give the password straight away.
At the same time, if you can get at least some degree of basic, far from perfect plausible deniability, you will be raising none of the above suspects and you will be fine. Since you are a mr./mrs. nobody who is only friend of other nobodies none will bother start breaking fundamental human rights to get to your data. Even if they do suspect you might have hidden encrypt your data, they most likely won't be taking the effort and costs to even prove that. That is because you are not storing anything really worth it.

That said, I hope we can close the always returning philosophical side of this topic and return to the technical issues

Offline

#6 2016-07-07 19:49:57

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

Encryption notwithstanding, having a separate /var is no problem. So offhand, I don't see why something that could decrypt /home during init couldn't be used (perhaps with modification) to decrypt /var. Best bet would be to ask the folks behind the package.

I don't know if you noticed, but it's quite new (submitted May 30th) and has no votes or comments. The maintainer would probably welcome your interest and inquiries.


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#7 2016-07-07 20:44:35

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

Plausible deniability goes both ways, the adversary may not be able to prove you have an extra encrypted volume but at the same time you can't prove you don't.

famyse wrote:

But you do want to protect yourself against more entitled adversaries against which standard encryption may be not enough, because you don't want to be ripped off 50,000+ $$ just because of that little movie collection of yours.

Those sound like well funded adversaries (and probably illegal behavior), not to mention they would have your government's backing in going after you. You might also be interested in reading this [1] and doing some research on similar topics. I'll let this rest now.

[1] https://www.schneier.com/blog/archives/ … _deni.html


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#8 2016-07-14 23:24:11

thebombzen
Member
Registered: 2016-07-14
Posts: 6

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

According to the Btrfs FAQ, it appears you could use eCryptFS with Btrfs. eCryptFS is a stacked filesystem, which contains the entire BTRFS filesystem inside, behaving like a filter, and BTRFS doesn't even know it's encrypted. This would allow you to hide the inodes and btrfs superblocks in addition to, say, just the contents of files.

I'd read the wiki articles for more details because I've never actually done any of this before, so I don't think I could provide much help other than those pointers.

EDIT: You'd need a separate /var partition. Which is totally do-able.

Last edited by thebombzen (2016-07-14 23:24:52)

Offline

#9 2016-09-02 14:13:30

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: encrypted /var + plausible deniability + quick&easy mount @ boot time

Why is automatic mounting presenting such a problem to you?

Does VeraCrypt have a mount helper? Then if /var is in fstab
with a proper veracrypt file-system tag designation that helper
will be invoked.

The only thing I can't tell you if is systemd will display and
wait for any input the helper asks for on the terminal (ie.
being asked for your password) by default, or if systemd
needs a custom configuration change to do so.

Last edited by anrxc (2016-09-02 14:15:39)


You need to install an RTFM interface.

Offline

Board footer

Powered by FluxBB