0

So, as the title suggests I'd be looking for a convenient way of protecting my data while achieving plausible deniability. I've read the archwiki on the subject. I'd rather not encrypt the whole root system if I can avoid to do so, BUT I'd need to encrypt /var .

dm-crypt offers two options for plausible deniability: plain mode and detached LUKS header, but both are very unconvenient since they require long and difficult to remember cryptopen command typing. I also don't like the idea of storing a LUKS header in an non-encrypted usb drive, since if that is revealed then the whole purpose is defeated.

VeraCrypt (TrueCrypt's successor) on the other hand is very convenient since it can be used to create a hidden encrypted partition inside an outer encrypted volume (which acts as a decoy). One could write a veracrypt mount script, which once launched only asks for a password, and two different passwords can be used to mount two different partitions (either the decoy or the hidden one).

For Windows, it also exists a veracrypt bootloader that can be used to boot a fully encrypted system. In my case, I don't necessarily want to encrypt the whole system, but I want to encrypt /var, then I still need some way to mount the encrypted /var when it is needed at boot time. To your knowledge, might there be some (convenient / quick) way in Linux to run veracrypt at boot time in order to mount /var before it is needed?

Alternatively, can you think of some other way to achieve the same result with dm-crypt ? Result should be: encrypted /var and /home + plausible deniability + quick&easy mount at boot time .

Thanks for the help

Improve this question
3
  • Why don't you want to just encrypt your whole root volume? Whole-disk encryption is well-supported. I would imagine your reason is performance. I don't think it actually hurts performance that much.
    – James T Snell
    Commented Jul 6, 2016 at 23:28
  • Well it is more of a preference than a necessity. If encrypting the whole root then I would have to install a whole other OS just to act as a decoy, I'd lose storage space and it wouldn't even be convincing since an hypothetical adversary would notice how rarely used that decoy OS would be. Also, encrypting the whole root makes it more troublesome to recover the data in case the OS breaks. That said, if there is a way of doing what I described (plausible deniability + quick&stressfree access at boot) in Linux while encrypting the whole root, by all means I would do it.
    – famyse
    Commented Jul 7, 2016 at 18:53
  • I've read that "plausible deniability" will just make anyone assume that you do have hidden encrypted data... and if it's something like TrueCrypt's "hidden partition" you could be in real trouble if you actually don't have a hidden partition...
    – Xen2050
    Commented Jul 10, 2016 at 12:11

1 Answer 1

Reset to default
0

There's a couple of ideas I've had on this front:

  • On a fully encrypted disk, put a read-only liveCD as the 'plausible' partition - TAILS maybe?
    • claim you keep readable files on a USB stick that you don't have with you/you lost
    • use the rest of the disk as the 'deniable' partition containing your entire system
  • mark the deniable partition as 'encrypted swap' so it's expected to 1) change and 2) not be readable/mountable
  • use a file named /swap as your 'deniable partition' for the same reason
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .