On Mon, 31 Mar 2014 11:52:34 +0200 Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote: > Am 2014-03-31 07:17, schrieb Andrew: > > Greetings dm-crypt folks, > > > > Is it feasable to add a self-destruct password to cryptsetup for > > LUKS, such that when this password is entered, the decryption code > > silently and deliberately overwrites all or part of the master key? > > Hello Andrew, > > As others already pointed out, the topic has been discussed on the > list recently. The discussion was quite controversal. And while it is > true, that the majority of expressed opinions was against implementing > the requested nuke feature, there've been quite some statements that > opposed to this majority. In my eyes, quite some valid realworld > examples have been mentioned. > > You can read the full discussion thread here: > http://thread.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7104 Thanks Jonas, I read the thread -- interesting reading (Gmane seems a little off for me at the moment though.) A few points that were not raised directly by anyone are: * Some of the worst attackers *do* lack technical skills. While various interest groups do have technical experts, less skilled persons may try their hand first, and succeed in destroying the evidence. Terrorism has lately tended towards a cell structure. A particular cell may not have access to adequate technical resources, while not lacking "skills" like kidnapping, robbery and torture of those they target. * An attacker may guess the wipe/kill/nuke/erase password without any intervention by the user (at last - a use for post-it notes!) Users' passwords may well be inadequate, despite all advice to the contrary. Having an even-more-inadequate nuke/self-destruct/erase password may frustrate an attacker. * If it is possible for the key to be destroyed without the user's intervention, then it becomes plausible that there is nothing to be gained by asking for a password. (e.g. LEO removes device from user, and upon return, the user's provided key does not work, because LEO has tested some password; user complains that LEO has destroyed the data.) * A self-destruct feature is not unique, and exists in other modern devices: e.g. the iPhone's self-destruct on failed lock * Users have a free choice whether to create a self-destruct/nuke/erase key or not. Choice is important. * Law enforcement may demand all passwords. It would be an omission to fail to provide them with passwords for the good and the bad key slots ;) (rather cheeky, but it's a choice) > Please also note that Kali Linux already implemented the nuke feature > into their distribution: > http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ > http://www.kali.org/how-to/nuke-kali-linux-luks/ I like! I'll look out for the patch for my favourite distribution. > > Kind Regards, > jonas _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
