On 3/9/07, Helge Rohde <[EMAIL PROTECTED]> wrote:
> Which is precisely why I always envied that Windoze partition encryption thingy, can't remember the name now, but it provides two keys: one will open the (actual) container and another one will open another encrypted container with all legal and perfectly harmless files. That way they cannot crack down on you for destruction of evidence ("What second password? Huh? No idea what you mean!"). But AFAIK there is no such thing on any of the BSD systems. Which is sad, because, as you point out pretty precisely, it refutes most of the points file/HD encryption could be useful for: they will just order you to give them the PW as soon as they find an encrypted partition/file.
As clever as this is, isn't it obvious to anyone investigating that the decrypted partition is much smaller than the encrypted one? Or however it's split; maybe it's two partitions. I don't know, I haven't heard of this.

The problem with that scheme is that it requires re-associating the keys (or their hashes, or whatever) with the containers. So while it is fine in a highly opaque, secret-based system like Windows, in any Unix everything is too transparent to hide an association like that. Even if you keep it in the kernel, the information has to be reloaded somehow, and as soon as the authorities find out it exists they'll just detect it in use on your machine. It's unreasonable to expect you can hide it; as soon as you use it they'll know, for whatever reason.

I guess the best you can do is sort of rootkit yourself and hide the information even from the kernel (e.g. df, fdisk, etc.). They can't fault you for using a kernel that doesn't match any public kernel checksums. A really smart investigator will boot from a live CD and use a trusted kernel, but you can claim you use a homebrew encryption module and that their kernel won't work with it. It's like the inverse of trusted computing: using the technology against yourself so it's also against anyone investigating you.

You know what? Talking about this has probably earned us our own investigation squads. The unmarked vans are probably outside right this moment.

-- 
Dmitri Nikulin
Centre for Synchrotron Science
Monash University
Victoria 3800, Australia
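Added example, not from either message in the thread: a toy Python sketch of the two-password container layout Helge describes. The container layout, the header record format, the slot positions and the HMAC-SHA256 keystream "cipher" are all assumptions made for this example (a real tool would use a proper disk-encryption mode and is not being reproduced here). It shows how a password that decrypts no header yields nothing but noise, what size the outer volume reports relative to the container, and that the hidden region occupies space the outer volume treats as free, so filling the outer volume destroys it.

```python
"""Toy two-password container sketch (added example; not from the thread, not a real tool).

Layout (assumed for this example):
  [slot 0: outer header][slot 1: hidden header][ outer data ............ hidden data ]
The whole file is filled with random bytes first, so unused space, the hidden
header and the hidden data are all indistinguishable noise without the right key.
"""
import hashlib
import hmac
import os
import struct

HEADER = 80          # bytes per header slot: 16-byte salt + 64-byte encrypted record
SALT_LEN = 16
MAGIC = b"TOYVOL01"  # only visible after a header decrypts correctly
PBKDF2_ITERS = 5000  # kept low for a quick demo; real tools use far more


def _derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) used as keystream.
    Stands in for a real disk-encryption mode; do not reuse it for anything."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Volume:
    """A decrypted view onto one region of the container."""

    def __init__(self, container, offset: int, length: int, key: bytes):
        self.c, self.offset, self.length, self.key = container, offset, length, key
        self.nonce = b"DATA" + struct.pack(">Q", offset)

    def write(self, data: bytes) -> None:
        if len(data) > self.length:
            raise ValueError("data larger than volume")
        self.c.buf[self.offset:self.offset + len(data)] = _keystream_xor(self.key, self.nonce, data)

    def read(self, n: int) -> bytes:
        return _keystream_xor(self.key, self.nonce, bytes(self.c.buf[self.offset:self.offset + n]))


class Container:
    def __init__(self, size: int):
        self.buf = bytearray(os.urandom(size))  # random fill: free space looks like ciphertext

    def _write_header(self, slot: int, password: bytes, offset: int, length: int) -> None:
        salt, volkey = os.urandom(SALT_LEN), os.urandom(32)
        record = MAGIC + struct.pack(">QQ", offset, length) + volkey   # 56 bytes
        record += b"\0" * (HEADER - SALT_LEN - len(record))            # pad to 64
        enc = _keystream_xor(_derive(password, salt), salt, record)
        self.buf[slot * HEADER:(slot + 1) * HEADER] = salt + enc

    def _read_header(self, slot: int, password: bytes):
        raw = bytes(self.buf[slot * HEADER:(slot + 1) * HEADER])
        salt, enc = raw[:SALT_LEN], raw[SALT_LEN:]
        record = _keystream_xor(_derive(password, salt), salt, enc)
        if record[:len(MAGIC)] != MAGIC:          # wrong key: the slot is just noise
            return None
        offset, length = struct.unpack(">QQ", record[8:24])
        return offset, length, record[24:56]

    def open(self, password: bytes):
        """Try every slot; whichever decrypts to a valid record is 'the' volume for this password."""
        for slot in (0, 1):
            hdr = self._read_header(slot, password)
            if hdr is not None:
                return Volume(self, *hdr)
        return None


def create_container(size: int, outer_pw: bytes, hidden_pw: bytes, hidden_len: int) -> Container:
    c = Container(size)
    data_start = 2 * HEADER
    c._write_header(0, outer_pw, data_start, size - data_start)    # outer volume claims all data space
    c._write_header(1, hidden_pw, size - hidden_len, hidden_len)   # hidden volume lives in its tail
    return c


def demo() -> dict:
    """Constructed scenario: two passwords, one container, then fill the outer volume."""
    size, hidden_len = 4096, 1024
    c = create_container(size, b"innocent", b"real-secret", hidden_len)
    outer, hidden = c.open(b"innocent"), c.open(b"real-secret")
    hidden.write(b"secret")
    outer.write(b"harmless notes")         # a small write at the front leaves the tail alone
    before = hidden.read(6)
    outer.write(b"\0" * outer.length)      # fill the outer volume: its "free space" is the hidden volume
    after = hidden.read(6)
    return {
        "wrong_pw_opens": c.open(b"wrong") is not None,
        "outer_len": outer.length,          # size - 2*HEADER: the outer view is as large as the container
        "hidden_off": hidden.offset,
        "before_fill": before,
        "after_fill": after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it prints that the wrong password opens nothing, that the outer volume's length is the whole container minus the two header slots, that the hidden volume starts in the last kilobyte, and that `before_fill` is `b'secret'` while `after_fill` is garbage: the outer volume has no idea the tail is occupied, so any tool that honestly fills the outer volume's free space wipes the hidden one.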
