Re: [dm-crypt] LUKS self-destruct key

[Heiko Rosemann <heiko.rosemann@web.de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/31/2014 10:17 PM, Andrew wrote:
> On Mon, 31 Mar 2014 15:06:12 +0200 Arno Wagner <arno@wagner.name>
> wrote:
>> On Mon, Mar 31, 2014 at 14:19:29 CEST, Andrew wrote: [...]
>>> I read the thread -- interesting reading (Gmane seems a little
>>> off for me at the moment though.)
>>> 
>>> A few points that were not raised directly by anyone are:
>>> 
>>> * Some of the worst attackers *do* lack technical skills.
>>> While various interest groups do have technical experts, less
>>> skilled persons may try their hand first, and succeed in
>>> destroying the evidence.  Terrorism has lately tended towards a
>>> cell structure.  A particular cell may not have access to
>>> adequate technical resources, while not lacking "skills" like
>>> kidnapping, robbery and torture of those they target.
>> 
>> Even the dumbest attackers have seen the movies where the magic 
>> computer destroys all data when the wrong password is entered.
> This is not true.

Well, the number of attackers which is knowledgeable enough to detect
a luks device and figure out that they need a password to open it (or
stupid enough to just type a password at an unknown prompt), but not
knowledgeable enough to make a backup before trying is probably
insignificant, I'm even leaning towards zero.

>> And when you come to any writing about compouter forensics, the
>> first rule is always to never work on originals.
> This is not relevant.

Yes it is. Because it's not only in any writing but also common sense.

If the attacker works on a backup and still has the original,
destroying the backup does not help anybody. This is what renders all
your further points moot.

I can see exactly one use case for a "destroy password" and that has
been discussed in the thread mentioned above and all the neccessary
tools have been implemented in the form of the luksErase command. In
short: The data is more valuable than your life _and_ you have a few
seconds of time on your computer _before_ the attacker takes control
over it. You could implement it in such a way as the machine looks for
a key on a USB stick and if none is found, runs luksErase instead of
luksOpen, or by booting from a USB stick with a working system but
when booting from the HDD (when the USB stick is missing) it runs
luksErase.

Best Regards,
Heiko

- -- 
eMails verschlüsseln mit PGP - privacy is your right!
Mein PGP-Key zur Verifizierung: http://pgp.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlM51UAACgkQ/Vb5NagElAVcvACbByshRHJm5r1GqO1zen0vx9t3
8HkAnRJAhxXrLru6JuKbuVkjDK8RrgD6
=jspl
-----END PGP SIGNATURE-----