Re: Various questions on encrypted partitions

To: debian-user@lists.debian.org
Subject: Re: Various questions on encrypted partitions
From: dennis@basis.uklinux.net (Dennis Furey)
Date: Sat, 3 May 2008 17:56:13 +0100
Message-id: <[🔎] 20080503165613.GA4379@basis.uklinux.net>
In-reply-to: <9543b3a40804240600g37ee8c7fq53e7119d15fc5c37@mail.gmail.com>
References: <9543b3a40804240600g37ee8c7fq53e7119d15fc5c37@mail.gmail.com>

On Thu, Apr 24, 2008 at 08:00:39AM -0500, Jordi Guti?rrez Hermoso wrote:
> So when I installed Debian, I told d-i to wipe the hard disk and
> encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
> They'll never take me or my data alive.

Hee hee. I'm more paranoid than you because I don't trust the hash
algorithm (that maps the password into a bit vector) not to introduce
statistical bias. I've agitated a little bit on the luks mailing list
for a feature that allows the key to be entered directly as a
hexadecimal number but wasn't able to drum up any support.

Another missing feature is to have the exit code from cryptsetup
encode the number of the keyslot as part of a defense against "rubber
hose" attacks. When the attacker compels you to surrender the key, you
provide an alternative to the usual one, which decrypts the disk
normally but is detected during the boot sequence by a script that
feeds him disinformation by altering particularly sensitive files in
advance.

An attacker who's aware of this countermeasure could defeat it by
mounting the root volume from a rescue cd, but it may find a niche in
the U.S.. Prosecutors there have been trying lately to subvert the
fifth amendment right of non-self-incrimination by compelling a
defendant to perform the decryption himself rather than telling them
the key.

Reply to:

Prev by Date: Re: sync ftp-folders (rsync?)
Next by Date: Errors on upgrading from etch to lenny
Previous by thread: probs installing vmplayer on Debian Etch on AMD64
Next by thread: Errors on upgrading from etch to lenny
Index(es):
- Date
- Thread