On Mon, Sep 30, 2013 at 01:40:37PM -0500, Bruno Wolff III wrote:
On Mon, Sep 30, 2013 at 12:52:13 -0400,
"Eric H. Christensen" <sparks(a)fedoraproject.org> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Someone asked me about this recently and I haven't had a chance to fully wrap my head around the solution but thought it was an interesting scenario.
>
>Background:
>Someone knows you have encrypted your computer using LUKS. They convince you to enter (or otherwise provide) your passphrase via the large wrench method[0].
>
>Realcrypt method:
>There is plausible deniability (if properly implemented) whereas you could provide the person with the alternate passphrase which would give them access to a portion of the encrypted partition but not your real working partition.
>
>LUKS:
>There is no way to provide plausible deniability.
>
>Proposed solution:
>LUKS provides four key slots to use for decrypting a partition. How about having one key slot that, when used, immediately implements a deletion of the encrypted partition (or at least the key record)?
>
>Thoughts?
They'll just keep using the wrench until you tell them all of the passwords.
This isn't theoretical. That's pretty much exactly what happened to my
grandfather:
http://en.wikipedia.org/wiki/Gustave_Bieler
Even plausible deniability might not work so well, if someone who
knows what they're doing looks at your disk.
--
security mailing list
security(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545