Re: [dm-crypt] LUKS self-destruct key

[Arno Wagner <arno@wagner.name>]

Ok, I will repeat some of the same old things that apparently 
have to be said time and again when somebody has this 
not-so-bright idea.

On Mon, Mar 31, 2014 at 14:19:29 CEST, Andrew wrote:
[...]
> I read the thread -- interesting reading (Gmane seems a little off for me
> at the moment though.)
> 
> A few points that were not raised directly by anyone are:
> 
>  * Some of the worst attackers *do* lack technical skills.  While various
>    interest groups do have technical experts, less skilled persons may try
>    their hand first, and succeed in destroying the evidence.  Terrorism
>    has lately tended towards a cell structure.  A particular cell may not
>    have access to adequate technical resources, while not lacking "skills"
>    like kidnapping, robbery and torture of those they target.

Even the dumbest attackers have seen the movies where the magic
computer destroys all data when the wrong password is entered.

And when you come to any writing about compouter forensics,
the first rule is always to never work on originals. 
 
>  * An attacker may guess the wipe/kill/nuke/erase password without any
>    intervention by the user (at last - a use for post-it notes!) Users'
>    passwords may well be inadequate, despite all advice to the contrary. 
>    Having an even-more-inadequate nuke/self-destruct/erase password may
>    frustrate an attacker.

See above.

>  * If it is possible for the key to be destroyed without the user's
>    intervention, then it becomes plausible that there is nothing to be
>    gained by asking for a password.  (e.g.  LEO removes device from user,
>    and upon return, the user's provided key does not work, because LEO has
>    tested some password; user complains that LEO has destroyed the data.)

See above and add to it that you may have trouble for "destroying 
evidence" by an "elecronic booby-trap". 
 
>  * A self-destruct feature is not unique, and exists in other modern
>    devices: e.g.  the iPhone's self-destruct on failed lock

These are not reliable and well-known to law-enforcement.

>  * Users have a free choice whether to create a self-destruct/nuke/erase
>    key or not.  Choice is important.

Experts have a duty not to give dangerous tools to amateurs. 
Amateurs are likely to shoot themselves in the foot. Often
repeatedly. This is not a technological problem, hence a 
responsible expert will not implement technological "snake oil"
that may look like a "solution" to an ordinary user but is not.
 
>  * Law enforcement may demand all passwords.  It would be an omission to
>    fail to provide them with passwords for the good and the bad key slots
>    ;) (rather cheeky, but it's a choice)

See above. 

> 
> > Please also note that Kali Linux already implemented the nuke feature
> > into their distribution:
> > http://www.kali.org/how-to/emergency-self-destruction-luks-kali/
> > http://www.kali.org/how-to/nuke-kali-linux-luks/
> I like!  I'll look out for the patch for my favourite distribution.

Have fun. But be aware that you do not get what you think you get.
And please complain to them when you get out of prison, not to us.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato