Emergency destruction of LUKS partition

Kurt Seifried kseifried at redhat.com
Mon Sep 30 17:01:46 UTC 2013



On 09/30/2013 10:52 AM, Eric H. Christensen wrote:
> Someone asked me about this recently and I haven't had a chance to
> fully wrap my head around the solution but thought it was an
> interesting scenario.
> 
> Background: Someone knows you have encrypted your computer using
> LUKS.  They convince you to enter (or otherwise provide) your
> passphrase via the large wrench method[0].
> 
> Realcrypt method: There is plausible deniability (if properly
> implemented) whereas you could provide the person with the
> alternate passphrase which would give them access to a portion of
> the encrypted partition but not your real working partition.
> 
> LUKS: There is no way to provide plausible deniability.
> 
> Proposed solution: LUKS provides four key slots to use for
> decrypting a partition.  How about have one key slot that when used
> immediately implements a deletion of the encrypted partition (or at
> least the key record).
> 
> Thoughts?
> 
> [0] http://www.xkcd.org/538/
> 
> -- Eric

Because they'll be using a cloned copy most likely. If not, you're now
guilty of destruction of evidence. Truecrypt's plausible deniability is
much better; "emergency deletion/crypto shredding" is not effective.

There are commercial devices you can plug in that will then let the
attacker clone the system easily while the system is running:

http://www.linux-magazine.com/Issues/2012/140/Security-Lessons-Hacking-Hardware/(language)/eng-US

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993