Message-ID: <516C81F0.1080704@freesources.org>
Date: Tue, 16 Apr 2013 00:40:48 +0200
From: Jonas Meurer
References: <1366033658.516c04fa751b1@www.inmano.com> <20130415145952.GA30994@tansi.org>
In-Reply-To: <20130415145952.GA30994@tansi.org>
Subject: Re: [dm-crypt] few questions on truecrypt and luks
To: dm-crypt@saout.de

Hello,

On 15.04.2013 16:59, Arno Wagner wrote:
> On Mon, Apr 15, 2013 at 03:47:38PM +0200, octane indice wrote:
>> Responding to ".. ink .." :
>>
>>> Two differences I can think of are:
>>> 3. luks doesn't support hidden volumes.
>>>
>> It does, in a way.
>
> True. Not much worse than the TrueCrypt variant actually.

Octane, thanks for the example. Arno, thanks for additional explanations.
May I suggest adding this to the FAQ?

Kind regards,
 jonas

>
>> Create a loop file (or an existing partition).
>> fill it with random data (important!)
>> cryptsetup luksFormat it
>> cryptsetup luksOpen it
>> Format the crypted device with FAT32 (important!)
>
> Yes, as FAT32 fills a volume from the beginning.
>
>> Then, use loop with a high offset, e.g. more than half of the disk,
>> create a plain cryptsetup
>
> To avoid metadata.
>
>> losetup -o 10000000 device
>> cryptsetup create loop secretname
>> format it with any filesystem, copy your very secret documents in it, close
>> this partition.
>>
>> By doing this, anyone without the knowledge of the offset + the password
>> won't be able to prove that you have data hidden.
>> Warning, if you write more data in the first luks device than the offset
>> chosen, you destroy data (but in some case, you may want it).
>>
>> My 2 cents.
>
> The problem with hidden volumes is this: Either you have the risk
> of destroying them, or you cannot use the partition they are
> hiding in (which gives a good hint to an attacker), or you need to
> reserve space for them explicitly (which gives a strong hint to the
> attacker).
>
> TrueCrypt does not do any better here. Also keep in mind that
> in many situations (US border inspection, e.g.) the mere suspicion
> of a hidden partition being present will be enough.
>
> Arno
>
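The warning in the quoted recipe (writing past the chosen offset in the outer FAT32 volume silently destroys the hidden plain dm-crypt volume) can be checked before each use: parse the FAT of the opened outer volume, find the highest allocated cluster, and compare the byte just past it with the losetup offset. This is an added example, not code from the thread; it assumes a bare FAT32 image (the opened LUKS device, no partition table), reads only the first FAT, and runs on a constructed in-memory sample.

```python
import struct

def fat32_highest_used_byte(image: bytes) -> int:
    """Byte offset just past the last allocated cluster of a bare FAT32 volume.

    Reads the BPB fields it needs and scans the first FAT; a cluster is
    considered allocated when its 28-bit entry is non-zero.
    """
    bps, spc = struct.unpack_from("<HB", image, 11)        # bytes/sector, sectors/cluster
    reserved, nfats = struct.unpack_from("<HB", image, 14)  # reserved sectors, FAT count
    fat_sectors, = struct.unpack_from("<I", image, 36)      # sectors per FAT (FAT32)
    fat_start = reserved * bps
    data_start_sector = reserved + nfats * fat_sectors
    n_entries = fat_sectors * bps // 4
    highest = 1  # data clusters start at 2, so 1 means "nothing allocated"
    for cluster in range(2, n_entries):
        entry, = struct.unpack_from("<I", image, fat_start + 4 * cluster)
        if entry & 0x0FFFFFFF:
            highest = cluster
    if highest < 2:
        return data_start_sector * bps
    return (data_start_sector + (highest - 1) * spc) * bps

def hidden_offset_is_safe(image: bytes, offset: int) -> bool:
    """True if no FAT32 data currently reaches the hidden volume's offset."""
    return fat32_highest_used_byte(image) <= offset

def build_sample_image() -> bytes:
    # Constructed sample: 512-byte sectors, 1 sector/cluster, 32 reserved
    # sectors, 2 FATs of 1 sector each (128 entries per FAT), 64 data clusters.
    bps, spc, reserved, nfats, fat_sectors = 512, 1, 32, 2, 1
    img = bytearray(bps * (reserved + nfats * fat_sectors + 64))
    struct.pack_into("<HB", img, 11, bps, spc)
    struct.pack_into("<HB", img, 14, reserved, nfats)
    struct.pack_into("<I", img, 36, fat_sectors)
    fat = reserved * bps
    struct.pack_into("<II", img, fat, 0x0FFFFFF8, 0x0FFFFFFF)  # entries 0 and 1
    chain = [2, 3, 4, 5]  # one file occupying clusters 2..5
    for a, b in zip(chain, chain[1:]):
        struct.pack_into("<I", img, fat + 4 * a, b)
    struct.pack_into("<I", img, fat + 4 * 5, 0x0FFFFFFF)   # end of chain
    struct.pack_into("<I", img, fat + 4 * 10, 0x0FFFFFFF)  # a lone cluster further out
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    print("outer data ends at byte", fat32_highest_used_byte(img))
    print("offset 10000000 safe:", hidden_offset_is_safe(img, 10000000))
```

The check is point-in-time only: the outer filesystem can grow into the offset the moment more data is written, so it has to be re-run before every write to the outer volume.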