Hi,

yes, this is asked occasionally. But it is basically worthless in a forensic scenario (as the forensic analyst will only work on copies) and not much worth otherwise either.

Basically the only scenario where it would have limited worth is one where no copy was made before forcing you to enter the passphrase. In that situation, you can simply refuse to enter the passphrase and about the same should happen to you that happens when it is discovered that you wiped the header. In fact, wiping the header could get you an additional "sabotage" or "destroying evidence" charge.

A typical scenario would be a border inspection. But for that scenario it is better to not have any problematic data on your disk in the first place and transfer it later via a secure connection (ssh, scp).

In basically any other scenario, the attacker will have a copy of your data and a duress code will be completely ineffective. Hence it does not solve the problem it is intended to solve (as that problem is not solvable in software) and represents the additional problem that people may not understand that and endanger themselves as a result.

Consequentially, there is no "duress mode" in LUKS.

Arno

On Thu, Aug 15, 2013 at 02:45:13AM -0700, strife@xxxxxxxxxx wrote:
> Hi,
>
> First, I am sorry because I guess I am not the first person to ask this.
> Still, I could not find any answer via search engines. Point me at
> relevant threads in the archive if possible.
>
> I found "pam_confused", a PAM layer to run code after entering a "duress
> code". [1] I am looking for the same for cryptsetup, and I wonder what
> steps would be necessary to make it more easy for people to be able to
> specify a duress code that wipes LUKS headers, for example.
>
> Are there any efforts made in that direction? Do you think this would be a
> good thing to have by default in <distribution>?
>
> -*strife
>
> [1]
> https://code.google.com/p/confused/source/browse/trunk/pam_confused/readme.txt
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult. --Tony Hoare
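
The point about copies made in the reply above, as an added sketch that is not part of the original thread and is not cryptsetup code: a simplified model of a LUKS-style header with one key slot and a master-key digest. The header layout, the toy stream cipher and the names `format_volume`, `unlock` and `duress_wipe` are assumptions made for illustration. It shows that a header wipe changes only the device it runs on, while an image taken beforehand still opens with the passphrase.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed toy layout: salt (32) | wrapped master key (32) | master-key digest (32)
HEADER_LEN = 96

def _slot_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _crypt(master_key: bytes, data: bytes) -> bytes:
    # Toy stream cipher standing in for the real cipher; one call encrypts and decrypts.
    return _xor(data, hashlib.shake_256(master_key).digest(len(data)))

def format_volume(passphrase: str, plaintext: bytes) -> bytearray:
    salt, master_key = os.urandom(32), os.urandom(32)
    wrapped = _xor(master_key, _slot_key(passphrase, salt))
    digest = hashlib.sha256(master_key).digest()
    return bytearray(salt + wrapped + digest + _crypt(master_key, plaintext))

def unlock(volume: bytes, passphrase: str) -> Optional[bytes]:
    salt, wrapped, digest = volume[:32], volume[32:64], volume[64:96]
    master_key = _xor(wrapped, _slot_key(passphrase, bytes(salt)))
    # The digest check tells a right passphrase from a wrong one or a wiped header.
    if not hmac.compare_digest(hashlib.sha256(master_key).digest(), bytes(digest)):
        return None
    return _crypt(master_key, bytes(volume[HEADER_LEN:]))

def duress_wipe(volume: bytearray) -> None:
    # What a "duress code" would trigger: overwrite the header in place.
    volume[:HEADER_LEN] = bytes(HEADER_LEN)

def demo():
    passphrase = "constructed-passphrase"        # constructed sample value
    original = format_volume(passphrase, b"constructed sample data")
    forensic_copy = bytes(original)              # image taken before any passphrase prompt
    duress_wipe(original)                        # affects only the device it runs on
    return unlock(original, passphrase), unlock(forensic_copy, passphrase)

if __name__ == "__main__":
    print(demo())
```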