Could you please slightly update Full Disk Encryption (FDE)? @HulaHoop
The plausible deniability feature is available with volume types Normal+Hidden Truecrypt/Veracrypt. Veracrypt volumes support crypto-cascades as a feature, so manual nesting is unnecessary. However, be warned that Truecrypt/Veracrypt volume types only support AES-128. Plain dm-crypt containers with a non-zero offset can be used to provide hidden volumes according to Zulucrypt’s manual. This is yet to be tested by Whonix ™ developers.
As is, this could be misconstrued as an endorsement of deniable decryption?
It may be possible to get plausible deniability on Linux hosts using methods other than those listed below, but the topic is a rabbit hole (see footnotes). [2]
That reference is offline and not archived.
Plausible deniability and Full Disk Encryption (FDE) are also useless if subjected to physical abuse by a captor.
Could you please add a chapter of its own for plausibly deniable encryption?
Could you please also add that in some scenarios it is actually better to avoid using software with plausibly deniable encryption? Using such software by itself is suspicious. If one unlocks the decoy disk and the adversary is not happy, one might face indefinite detention or worse, if there really is no hidden volume. Related to that, is this article any good to link to or quote from?
Sleep mode:
Hibernation is also a safe alternative because the swap partition is encrypted in the default FDE configuration for various platforms (like Debian), so long as no changes were made.
But the cryptsetup LUKS key does not get wiped from RAM.
systemd feature request: cryptsetup luksSuspend (wipes encryption key from kernel) on suspend
Perhaps a chapter of its own for sleep mode too?