Re: [dm-crypt] few questions on truecrypt and luks

[Jonas Meurer <jonas@freesources.org>]

Hello,

Am 15.04.2013 16:59, schrieb Arno Wagner:
> On Mon, Apr 15, 2013 at 03:47:38PM +0200, octane indice wrote:
>> Responding to  ".. ink .." <mhogomchungu@gmail.com> :
>>
>>> Two differences i can think of are:
>>> 3. luks doesnt support hidden volumes.
>>>
>> It does, in a way.
> 
> True. Not much worse than the TrueCrypt variant actually. 

Ocatane, thanks for the example. Arno, thanks for additional
explanations. May I suggest adding this to the FAQ?

Kind regards,
 jonas

>  
>> Create a loop file (or an existing partition).
>> fill it with random data (important!)
>> cryptsetup luksFormat it
>> cryptsetup luksOpen it
>> Format the crypted device with FAT32 (important!)
> 
> Yes, as FAT32 fills a volume from the beginning.
> 
>> Then, use loop with a high offset, e.g. more than half of the disk,
>> create a plain cryptsetup
> 
> To avoid metadata.
> 
>> losetup -o 10000000 device
>> cryptsetup create loop secretname
>> format it with any filesystem, copy your very secret documents in it, close
>> this partition.
>>
>> By doing this, anyone without the knowledge of the offset + the password
>> won't be able to prove that you have datas hidden.
>> Warning, if you write more data in the first luks device than the offset
>> choosen, you destroy data (but in some case, you may want it).
>>
>> My 2 cents.
> 
> The problem with hidden volumes is this: Either you have the risk
> of destroying them, or you cannot use the partition they are
> hiding in (which gives a good hint to an attacker), or you need to 
> reserve space for them explicitely (which gives a strong hint to the
> attacker). 
> 
> TrueCrypt does not do any better here. Also keep in mind that
> in many situations (US border inspection, e.g.) the mere suspicion
> of a hidden partition being present will be enough.
> 
> Arno
>