Ther is a way to have some plausible deniability with cryptsetup (not LUKS). Basically, all resides with the ability of losetup to have an offset (i.e. jump a certain number of bytes in the beginning of the loop file). Create a LUKS container, don't fill it too much, jump behind the last data and create a second one: First, the ciphered one, known file: dd if=/dev/zero of=/tmp/bigfile bs=1024k count=1024 losetup /dev/loop0 /tmp/bigfile cryptsetup luksFormat /dev/loop0 cryptsetup luksOpen /dev/loop0 crypted_one (fill the disk with random data) mkdosfs -F 32 /dev/mapper/crypted_one mount -t vfat /dev/mapper/crypted_one /mnt/crypt echo "confidential file" > /mnt/crypt/secret Second, hide your real secrets with plausible deniability: losetup -o 512000 /dev/loop1 /tmp/bigfile cryptsetup create second_crypt /dev/loop1 mke2fs /dev/mapper/second_crypt mount -t ext2 /dev/mapper/second_crypt /mnt/hd2 echo "very very secret" > /mnt/hd2/secret You must be careful to don't use too much the crypted_one; if you fill it too much it will overwrite the second_crypt... You _must_ use the FAT filesystem in the crypted_one partition: ext copy the superblock everywhere on the disk. It will be overwritten by the second_crypt, and therefore an attacker with the first key can be suspicious... You mustn't use LUKS for second_crypt: the format of LUKS header can be found very easily in the middle of the /tmp/bigfile The secret lies with two parameters: the offset and the key. I think we can call it plausible deniabilty: It is impossible for an attacker to know that a second container resides in the first one. Hope this helps En réponse à OndÅ?ej Pelech <ondra.pelech@xxxxxxxxx> : > ------------------ Début du message d'origine -------------------- > > Hello, > > dm-crypt is a great project, but it seems to me, that it's > missing one > very needed feature - Deniable encryption[0] (support for > hidden > containers). > will it be possible to do this (1 vault, many keys, each > reveals > something "different") in future using dm-crypt? are there any > plans > to support this feature? > > Best regards > > Ondra Pelech > > [0] http://en.wikipedia.org/wiki/Deniable_encryption > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > > ------------------- Fin du message d'origine --------------------- Envoyé avec Inmano, ma messagerie renversante et gratuite : http://www.inmano.com _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
