
Re: How to protect an encrypted file system for off-line attack?



Jeff Soules wrote:
> Hi Javier,
> 
> Thank you for your reply.  Given the hypothetical (but all too
> possible) situation you describe, there are different considerations.
> 
>> Now imagine the worst situation, that a friend wants to protect his data
>> from his corrupt dictatorial government
> 
> Absolutely a possibility.  There are many levels of secrecy --
> filesystem encryption prevents the contents from being known, but does
> not hide the fact that there is a secret.  The presence of a secret
> could be enough right there.  The kind of government you describe
> doesn't need to find evidence in order to "disappear" a person.  This
> also makes it all the more possible that, if his house is raided and
> encrypted files are found, someone might try to torture the
> information out of him.  (Even if the partition is named something
> harmless-sounding, I can't imagine cops anywhere who wouldn't demand
> it be decrypted so they could check it, and refusal would not look
> good.)  In any case, with EncFS we're talking about a technological
> solution in which the encryption key is stored alongside the encrypted
> media, so whatever the password concerns are, this is unsuitable for
> keeping information truly secret when a hostile person might have
> enough physical access to the drive.
> 
> I think it is entirely too likely that a government like this either
> would be able to compromise the data (with or without recovering the
> passwords), or would be willing to punish him just for having
> encrypted data to begin with, if they know he has it.
> 
>> Then my question is: is EncFS good enough to protect his data?
>> I think the SD with stored password is a good solution. While he is not
>> in the house, he can carry the SD or have it hidden somewhere. While he
>> is in the house, and police enter, he might have enough time to probably
>> destroy the SD and turn off the computer.
> 
> With the level of danger involved here, I think the security issue is
> more that there be some rapid way to destroy any evidence of the
> existence of the data (possibly destroying the data itself), rather
> than making sure the password stays safe.  Destroying the SD card is a
> start, but really a person under this kind of government would need to
> be able to say "No, there are no secrets," not "Here's a filesystem
> that you can't read."
> 
> That was my point in the original email -- while there are some
> interesting technical problems here, I think in this case the digital
> security is less important than the social/personal security
> surrounding it.  Or, rather, the digital security will not wind up
> being the weakest link in the chain.
> 
> I wonder if in this situation it might be more appropriate to store
> the encrypted filesystem on an external pluggable device, like a USB
> key.  If a person in this environment were not using many multimedia
> files, then storage needs might be very moderate, able to fit on some
> of the larger USB keys (8-16 GB) that can be had for around US $30.
> (I don't know what kind of budget a person in this situation might
> have).  But by storing any incriminating files on an external medium,
> preferably a (physically) small one, and then encrypting that, a
> person could both hide the very existence of prohibited data, and also
> have a data store that can be more easily hidden or destroyed during a
> police raid.  (Chuck it in the sewer or something if needs be).  If
> the computer is seized or stolen while the person is away, oh well;
> there's nothing incriminating on the computer, not even any suspicious
> encrypted filesystems.  That's if there is a reasonable reaction time
> before being taken into custody.  I really don't know whether it'd be
> better to keep this on his person with a plan to ditch or destroy it,
> or to find a hiding place the police wouldn't check where it could be
> accessed without arousing suspicion.
> 
> Good luck to any person who finds himself in such a situation.
> 
> 
> As to passwords, another method that works well is to take the
> initials of a memorable phrase, and then make a few predictable
> changes.  For instance, you could take the phrase "working to enhance
> civil liberties by overthrowing kings and dictators" to create
> w2EcLx0K&D -- which has a decent 10-char length with some character
> distribution while remaining very memorable.
> 
> 
> I hope all this helps.


Thank you for your help.
The main point here is: if he is lucky enough, no police would enter
his house. If he has little luck, police would enter while he is
not in the house, and he probably has time to escape, so for this the
encryption is very good. With very bad luck, police could enter his
house and arrest him, but in this case the encryption will still be
useful, as it can save other people.

Of course, this would be just a little part of what he would do. There
would be more important issues, like taking care not to be
discovered in his movements and communications, and having a back door for
leaving the country.

Thank you again.