On 26/05/2021 08:00, Michael Kjörling wrote: > On 25 May 2021 11:44 +0000, from xxjacs@xxxxxxxxx (JAC): >> Once the option 2 password is entered, the system will decrypt >> correctly but "covertly". The partition will be presented >> containing a series of files and/or directories that the user has >> previously wanted to incorporate and present to whoever has tried >> to force him to reveal his data. /.../ I suppose that I am not the >> first person who thinks about this solution, but I leave it there, >> in case it is possible to implement this second option (or >> password). > > No, you're not the first person to think about having something like > this. In fact, it's covered in the LUKS FAQ, and has been for a > while. > <https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions> > > See in particular questions 5.2 "Is LUKS insecure? Everybody can see > I have encrypted data!" and 5.18 "What about Plausible > Deniability?". Just from the LUKS maintainer side, I'll repeat my opinions to two ideas that appears here again and again: 1) LUKS will not implement any "self destruct" passphrases or anything like this. Everyone doing forensic analysis will work on the copy to prevent destruction of the master device. LUKS is designed to work on common hardware that is not tamper resistant - we cannot avoid that someone make copies of the encrypted drive. 2) LUKS is not designed to provide strong plausible deniability. While you can store header detached, and you can play with data offsets to unlock one device with two headers pointing to two content views of the drive, this is not a strong plausible deniability. Even if you invent some clever steganographic techniques, there will be problem with current storage devices that track used space (TRIM etc), I do not believe we can implement reliable plausible deniability system these days without help of a hardware level (FTL - flash translation layer, for example). If you know about any paper or publication that tries to solve these problems (and it has some proved concept behind it), please share it with us! Thanks, Milan _______________________________________________ dm-crypt mailing list -- dm-crypt@xxxxxxxx To unsubscribe send an email to dm-crypt-leave@xxxxxxxx