On 01/16/2014 11:30 AM, Thomas Bastiani wrote: > I would argue that it's really independent from any actual crypto > logic. The only thing that need's to be done is wrap the password/key > prompt and check the password against a known salted hash or PBKDF > (same as all Linux distros do). Then "nuking" the container is > actually quite simple. Just erase the LUKS header by zeroing it. This > is not any more complex than what distros already have to do to > support root-on-LUKS. Yes, these are perfectly valid arguments. Another one is just use detached LUKS header on USB flash which is kept separately. Another one is to use steganography (either hidden disk or whatever you like). Another one is to use special distro with customized wrapper scripts. ... But let's think out of the (engineering) box... This destroy functionality (btw yes, I do not want to name it "nuke" either) should be used only in very specific situations and almost for sure it could create danger situation for you. But that's your problem to decide if it is worth it. People (like war journalist) are usually not technical people, they are trained to handle such risky situations. Let's assume that they had data which can put them (or others) in more danger if revealed. Some crazy situation, please take it as illustrations... - you can destroy keys before some problematic meeting keeping notebook in ram suspend. If notebook is later confiscated (and you managed to switch it off) you can sleep better - there was no key, no data recovery possible. (If you have separated LUKS on USB, they will confiscate it with nb as well of course.) Obviously, they can torture you or just confiscate running nb and get key from RAM. But still, it could help to secure some situations. Or not - that's the risk. It will never protect you from sophisticated attacks but it can help when someone had a chance to copy your encrypted notebook when you end up in some unexpected situation (think some strange hotel when you missed a flight). You can destroy it as prevention - they cannot be successful in recovery of nuked disk. And you can recover it from backup later. - you can destroy key on disk of your colleague if there is a need, but you have no access to his data (you know only destroy password) - you can do this for LUKS USB flash in ANY Linux computer, even from user account (mounting LUKS removal devices is enabled for user usually, this is enough for this code to work) [obviously this expects distro maintainers will not disable it :)] Yes, I know million ways how to destroy it other ways - but these users are not unix gurus, and entering passwords through any Linux distro gui is very simple, it can be easily learned and moreover it is not too suspicious behavior. And yes, I am playing Devil's advocate now :) I am afraid there are people who need to do crazy thinks like this sometimes. I see many situations when using this feature is just utterly stupid and solves nothing. But I cannot say that all possible situations comes under this qualification. Maybe it can help someone in dangerous situation to not leak some important data which later help others. Dunno. Still it doesn't mean it is worth to be implemented but let's think at least twice here please. Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
