Re: [dm-crypt] Pass+keyfile

[Arno Wagner <arno@wagner.name>]

On Tue, Dec 02, 2014 at 01:15:45 CET, 0x14@unseen.is wrote:
> Ok then. You know, firstly I wrote long answer for you, but I then I
> thought it would be counterproductive. So I try to make things
> simpler.
> 
> cryptsetup has a --header option, right? So, my first question -
> why? :) From man: "This options allows one to store ciphertext and
> LUKS header on different devices." Why would anyone want header to
> be on different device? From FAQ, about differences between plain
> and LUKS mode: "it is not readily apparent that there even is
> encrypted data on the device, as an overwrite with crypto-grade
> randomness (e.g. from /dev/urandom) looks exactly the same on disk."
> (and yes, I read the side-note below). So, I thought --header is for
> those, who want their LUKS containers look like just random data,
> having one device with random data and a file, where it is written
> "I am a LUKS header". And I wanted to have one device with random
> data and a file with random data - I thought it would be more secure
> in some ways. So, the second thing I really want to know - where is
> the bad logic in my reasonings? :)

No bad logic so far, I overlooked that you use plain devices
and that you seem to be after some form of plausible deniablility, 
not after increased security. Sorry.

So if that is your goal, that would work. But be aware that 
you always have to type the full (long) command in and that
you must make sure it does not end up on disk (shell history),
otherwise it becomes obvious the two things are not random.

But now a warning: Plausible deniability has been discussed
countless times on this list, and generally, it does not work.
It is one of these ideas that sound good on paper, but it
assumes the enemy is rational, an assumption that usually
fails in practice.

For example, there is the problem that in many countries law
enforcement can just assume that "random" data is encrypted 
and it is up to you to prove otherwise (which, of course is 
impossible, but when has law enforcement ever been rational
or even reasonably intelligent...)

See also FAQ Item 5.18 and note the tendency to label anybody 
not obedient to "authority" a "terrorist" these days 
which sometimes opens up the possibility of torture even in 
supposedly civilized countries. FAQ Items 5.19 and 5.21 are
also somewhat relevant.

Gr"usse,
Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier