Emergency destruction of LUKS partition

Richard Guy Briggs rgb at redhat.com
Mon Sep 30 19:12:46 UTC 2013


On Mon, Sep 30, 2013 at 01:40:37PM -0500, Bruno Wolff III wrote:
> On Mon, Sep 30, 2013 at 12:52:13 -0400,
>   "Eric H. Christensen" <sparks at fedoraproject.org> wrote:
> >
> >Someone asked me about this recently and I haven't had a chance to fully wrap my head around the solution but thought it was an interesting scenario.
> >
> >Background:
> >Someone knows you have encrypted your computer using LUKS.  They convince you to enter (or otherwise provide) your passphrase via the large wrench method[0].
> >
> >Realcrypt method:
> >There is plausible deniability (if properly implemented) whereas you could provide the person with the alternate passphrase which would give them access to a portion of the encrypted partition but not your real working partition.
> >
> >LUKS:
> >There is no way to provide plausible deniability.
> >
> >Proposed solution:
> >LUKS provides four key slots to use for decrypting a partition.  How about having one key slot that, when used, immediately implements a deletion of the encrypted partition (or at least the key record)?
> >
> >Thoughts?
> 
> They'll just keep using the wrench until you tell them all of the passwords.

This isn't theoretical.  That's pretty much exactly what happened to my
grandfather:
	http://en.wikipedia.org/wiki/Gustave_Bieler

> Even plausible deniability might not work so well, if someone who
> knows what they're doing looks at your disk.

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

