On Tue, Jul 02, 2013 at 03:05:38AM +0200, Arno Wagner wrote: > On Mon, Jul 01, 2013 at 09:17:03PM +0200, Milan Broz wrote: > > On 1.7.2013 12:33, Jan Janssen wrote: > > >Hi, > > > > > >while testing how the tcrypt passphrase + keyfile logic works, I > > >realized that there doesn't seem to be a way to protect the hidden > > >volume from being damaged by writes to a mounted outer volume like > > >truecrypt does. I think this deserves a warning in the man page > > >since this is a potential data loss. > > > > Yes, you are right. There is no protection of hidden volume once > > outer volume is mounted. > > (BTW the protection itself reveals hidden volume existence.) > > > > Protection can be done on DM (kernel level) quite easily > > (map this linear part to virtual zero or error target masking > > out the data underneath) but it would require quite big changes > > in cryptsetup wrapper (which was meant to be simple 1:1 mapping). > > So I decided to ignore this problem for now... > > > > But yes, there should be some note in man page. > > I have just added one. It seems to me that the TrueCrypt > documentation itself is fuzzy in this issue. The page > at http://www.truecrypt.org/docs/hidden-volume > does describe how it works and it is easy to conclude > that opening the outer volume can compromise the inner > one, but there is no clear warning to that effect. > Also missing is a warning that having an outer volume > that has not been mounted forever and only has old data > is suspicuous in itself. I think the idea of hidden volumes > is not too useful at this time. There would need to be a > way to regularly use the outer volume to change that. > Not that I have any idea how to do that without giving > away that there _is_ a hidden volume. > > Anyways, added both warnings to the man-page in git. I just saw that there is a way in TrueCrypt to protect the hiden volume: http://www.truecrypt.org/docs/hidden-volume-protection Not that this is really better, as it will leave filesystem annomalies and possible error messages that indicate the presence of a hidden volume. The TrueCrypt documentation claims as they make both volumes read-only immediately after a write that would have damaged the hidden volume, they preserve plausible deniability. I seriously doubt the validity of that. Looks more like their will be truncated files and metadata that indicates a setting to read-only. If, for example, the disk this is on has no CRC or other errors in its SMART log, then a device suddenly set read-only is not plausible. Added a warning about this as well in the man-page. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt