Realtime disk encryption options

Thomas Charron twaffle at gmail.com
Thu Feb 22 13:26:10 EST 2007


On 2/22/07, Bill McGonigle <bill at bfccomputing.com> wrote:
> On Feb 21, 2007, at 17:26, Thomas Charron wrote:
> > It can
> > actually maintain deniability by encrypting data in such a way that
> > giving one password decrypts to one filesystem, and different password
> > another, encrypting the data front to back for the 'right'
> > credentials, and back to front for the fake one.
> There must be some TrueCrypt binary in the MBR or something, right?
> And so the "bad guys" would know that it's TrueCrypt, and therefore
> know you have two passwords, right?

  The boot partition needs to be unencrypted, however, it's really
cool what it can do for the root partition.

  On creation of the encrypted block device/partition/etc, you specify
what encryption it will use.  Your passphrases are then used to
initialize the encrypted block devices using the encryption you
specified.  It then is completely forgotten about.

  On bootup, it asks for your passphrase and/or keyfile.  It then
attempts to mount the device and start 'decrypting' a section of the
disk with a known pattern using your password and every single
encryption method it knows about.  If none match, it goes to the END
of the block device and does the same thing.  No knowledge of what
encryption is known by the system until it finds the 'right
combination' by brute force decryption attempts.

  More details later when I start playing now, but it's VERY cool for
sure.  The only 'dangerous' part is that the secondary data inside the
encrypted partition isn't marked as used, so if one way you use 50%,
and the other way, use 51%, you just overwrote 1% of your data and
destroyed the data on the file system for the forward looking data.

  Specifically, it's meant so the bad guys can be given the 'fake
passphrase', and not see anything, nor any sign there is anything
else.

  And this mode has to be specifically enabled, it's not by default.
So there's no way to tell beyond your own word that there are indeed
two different passkeys/passfiles.

  More on the passphrase/key later, but apparently it can use both a
passphrase combined with a key.  This is primarily used when using a
USB boot device as the boot partition, which post boot, you can
remove.

-- 
-- Thomas
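
The header search described in the message above, as an added sketch that is not part of the original post and is not TrueCrypt's code: nothing on the device records which method was used, so each known method is tried against the start of the device, then against the end. The magic value, header layout, toy XOR keystream cipher and all function names are assumptions made for illustration.

```python
import hashlib, os

MAGIC = b"VOLHDR01"                  # constructed "known pattern" for this sketch
SALT_LEN, HDR_LEN = 16, 32           # assumed header layout: salt + encrypted body
PRFS = ("sha1", "sha256", "sha512")  # stand-ins for "every method it knows about"
ITERATIONS = 1000

def _keystream(key, n):
    # Toy stream cipher (SHA-256 in counter mode), standing in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _crypt(prf, passphrase, salt, data):
    # XOR with the keystream; the same call encrypts and decrypts.
    key = hashlib.pbkdf2_hmac(prf, passphrase, salt, ITERATIONS)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def make_header(passphrase, prf):
    salt = os.urandom(SALT_LEN)
    body = MAGIC + os.urandom(HDR_LEN - len(MAGIC))
    return salt + _crypt(prf, passphrase, salt, body)

def try_header(blob, passphrase):
    # The header stores no algorithm id: try each method until the pattern appears.
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:]
    for prf in PRFS:
        if _crypt(prf, passphrase, salt, ct).startswith(MAGIC):
            return prf
    return None

def open_device(dev, passphrase):
    # Start of the device first, then the END, as the message describes.
    size = SALT_LEN + HDR_LEN
    for where, blob in (("start", dev[:size]), ("end", dev[-size:])):
        prf = try_header(blob, passphrase)
        if prf:
            return where, prf
    return None

def build_device(outer_pw, hidden_pw=None):
    # Without a hidden volume the tail is random bytes of the same length.
    tail = make_header(hidden_pw, "sha512") if hidden_pw else os.urandom(SALT_LEN + HDR_LEN)
    return make_header(outer_pw, "sha256") + os.urandom(4096) + tail
```

A device built without a second passphrase has the same length and the same random-looking tail as one built with it, which is the property the message relies on.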


More information about the gnhlug-discuss mailing list