
Tails-Whonix: It's doable, here's how. Can we offer it as a variant like Qubes-Whonix?

@AnonymousUser I stand corrected. On a default Linux install there are steps that need to be taken to prevent leaving traces which I’m just beginning to discover and document. Thanks for posting as it has renewed interest in this topic and directed my attention to these problems.

1 Like

@Patrick and @HulaHoop:

I think that we should have both the grub-live thing AND my ‘Tails-Whonix’ thing developed concurrently.

An in-house amnesic ISO might be the best choice one day, but until I know it’s as robustly and (in)famously anti-forensic as Tails (with all the same code for RAM wiping upon Tails USB removal or shutdown), then I would only trust Tails for my amnesic security for now.

Indeed I’m thrilled you guys are looking into it now, I’m very excited, and I’ll of course be an avid tester of the ISO as soon as you need it. (What’s a waste of my time is trying to jump too deep into developer land when it’s way above my skill level - my time is better spent on testing, providing feedback, doing research and brainstorming like this thread, lower-level scripting like a ‘Tails-Whonix’ script, and Whonix advocacy in general, which I do a great deal.)

I still see advantages of permanently offering a Tails-Whonix script as well. By being able to fully download and Install Whonix in Tails, one’s usage of Whonix in the first place is more anonymous (and private from one’s ISP, or others watching at the same level such as governments, criminal hackers, and other private companies).

Now yes, one’s fact of using Tails wouldn’t be very anonymous or private, but AFAIK Tails at least has a larger anonymity set. So arguably, it might be a cool win-win and it will only allow the Whonix community to flourish more if some people feel safer to use Whonix if they’re already anonymized by Tails. Again, I see Whonix as a way of ‘going deeper’ into higher Tor security (or just more permanent Tor’ing), and Tails is more for casual use and has a larger user base.

And besides, there are ways one could obtain Tails offline such as sneakernets (offline USB cloning), and then people can use Bridges / VPNs to get themselves connected to Tor. I want to help colleagues living in difficult regimes, so I also will try to see if a VPN can get working (pre-Gateway VM) via my Tails script for such users.

As for the Whonix VM’s own connection to Tor when one independently runs it inside Tails, I’m assuming it doesn’t give a particularly unique signature on the Internet (as it’s just another Tor process in a linux system like Tails), and that this is something Whonix project has thought about and worked on since the beginning.

The other advantage of a ‘Tails-Whonix’ offering is that you genuinely can get both famous systems in one package. I think this is extremely compelling. People often ask, ‘Tails or Whonix - which one?’ and it can be a painful compromise to have to choose between either secure sandboxing or secure amnesia. Why not have both? They can now conveniently compare one another in a pretty safe environment (Tails), or combine both benefits at once (the best). That can only help all of Tor community.

Now yes, there would be vulnerability in using both browsing environments in the one system (e.g. you do some Internet in Tails’ Tor Browser, it downloads some malware through javascript due to it being turned on by default in Tails, then the malware somehow breaks the anonymity of your Whonix), but it’s still like any system - you can fuck up even inside Whonix (by mixing modes of anonymity). So some basic ‘RTFM’ documentation would look after that risk.


I’ve now found a colleague in the Tor community who’s going to actively work with me to develop this ‘Tails-Whonix’ script. It might take us months, but I’ll be sure to share the code as we have breakthroughs, and I hope this is welcome. :slight_smile:

Although I want to call it Tails-Whonix, I’m also starting to call it Deniable Whonix, because my particular implementation of it deeply involves VeraCrypt.

It’s deniable in two major ways: 1. At the Internet surveillance level and 2. At the hard drive forensics level.

  1. Deniable because one installs, sets up and uses Whonix fully with the anonymity provided by Tails.

  2. Deniable because (under my design) one has all vbox software and setup script(s) in a deniable VeraCrypt volume mounted in Tails.

This way, NO forensic evidence can possibly be written of you using Whonix on the Tails USB stick. If an enemy seizes your computer equipment, all they see is an unmodified stock Tails USB, and a plausibly empty hard drive (where your Whonix secretly resides in a partitionless hidden VC volume).


Immediately going forward, my colleague and I will work on emulating the following:

  • Tails’ existing feature for caching Additional Software offline, but in our case we put the /apt/cache dir inside your mounted VC volume so packages can apt install from there (so that installation of VirtualBox and linux-headers is quick and offline-compatible at each Tails startup). DONE (Apr 23rd)

  • All of the Unsafe Browser clearnet chroot stuff. Duplicate and modify it as our own whonix chroot and debian user, with whatever necessary features such as DNS opened and expanded filesystem access (only as needed).

  • Tails’ Dotfiles feature (for normal persistent storage) but again symlinking to our deniable VC volume. Dotfiles will include VirtualBox .config files to load from the script so one’s VMs are already there when the script launches VirtualBox in Tails.

I don’t think it has to be that complicated. We want to keep it simple.


Once ready, I’d like to have others test the script and give scrutiny and criticism so that we know it’s safe to advise others to use it, and document notable risks and subsequent warnings regarding them.

Eventually, I’d be more than happy to create and maintain a Whonix Wiki page describing this script and providing instructions / code. I’m also happy to oversee the long-term maintenance of the script and the page. If however someone wanted to take over it and was clearly more skilled than me (which wouldn’t be hard around here :rofl:), I would pass it on to them officially and move down into the ‘suggestion giver’ role. :slight_smile: And being open-source, we have nothing to lose.

AnonymousUser

PS I have actually wanted to contribute to the Wiki many times (fix errors, make suggestions)…maybe my time is coming.

Yes, and another concern (which is perhaps obvious but not very often mentioned) is that your equipment may get seized when it’s powered so no forcing will be required. No forensic experts either. An adversary only needs a good enough distraction if the user is in a public place (a “couple” pretending to be making a scene is an example I recall reading about), or may use SWAT teams for quick entry to minimize chance of equipment being shut down (I know you will laugh but: wait outside until you hear the target use the toilet / shower / kitchen sink, break in. Do you shut down your equipment on every such occasion?). If an adversary can monitor internet usage in real time it can further help in timing. Both types of cases were published.

In this scenario also the data on the amnesic solution can be seized of course, but only that pertaining to the specific session, not historical.

AnonymousUser via Whonix Forum:

I think that we should have both the grub-live thing AND my ‘Tails-Whonix’ thing developed concurrently.

Very unrealistic, not enough developers.

(What’s a waste of my time is trying to jump too deep into developer land when it’s way above my skill level - my time is better spent on testing, providing feedback, doing research and brainstorming like this thread, lower-level scripting like a ‘Tails-Whonix’ script, and Whonix advocacy in general, which I do a great deal.)

It’s not. We don’t get developers from fantasia land. It’s nearly
impossible to get people who already have the skills and then at the
same time willing to contribute. In the history of Whonix, it’s for the
most part apparently people who taught themselves.

(What’s a waste of my time is trying to jump too deep into developer
land when it’s way above my skill level - my time is better spent on
testing, providing feedback, doing research and brainstorming like this
thread, lower-level scripting like a ‘Tails-Whonix’ script, and Whonix
advocacy in general, which I do a great deal.)

By the logic, Whonix would have been and still would be a waste of my
time, too.

Now yes, one’s fact of using Tails wouldn’t be very anonymous or private, but AFAIK Tails at least has a larger anonymity set. So arguably, it might be a cool win-win and it will only allow the Whonix community to flourish more if some people feel safer to use Whonix if they’re already anonymized by Tails.

Risks: watering down the brand of Whonix with low usability convoluted
thrown together mix.; Dependency on and having to observe everything
that Tails is doing.

As for the Whonix VM’s own connection to Tor when one independently runs it inside Tails, I’m assuming it doesn’t give a particularly unique signature on the Internet (as it’s just another Tor process in a linux system like Tails), and that this is something Whonix project has thought about and worked on since the beginning.

Tails has its own specific ISP fingerprint to begin with, see:

https://tails.boum.org/doc/about/fingerprint/

I’ve now found a colleague in the Tor community who’s going to actively work with me to develop this ‘Tails-Whonix’ script. It might take us months, but I’ll be sure to share the code as we have breakthroughs, and I hope this is welcome. :slight_smile:

To me it still looks like any time is far more compellingly spent on fixing
the remaining deficiencies of grub-live (and/or finishing Whonix Host)
than adding a dependency on Tails.

Is it welcome?

  • Yes.
  • Similar to Whobuntu.
    (Comments and thoughts on Whobuntu)
  • As Whonix’s user base grows, it seems only natural that forks will
    emerge. I am happy, if Whonix, its documentation and/or source code is
    useful for others so they can build other flavors of it with divergent
    priorities.

  • Will be useful for some people.
  • Might learn something from its findings / source code.
  • Might backport things to Whonix mainline if possible.
  • Though, I personally might not
    test/audit/follow/comment/oversight/etc. (much).

Some contributions are OK to be hosted on whonix.org:

  • Some wiki pages are the responsibility of specific maintainers only.
    (Those have a notice on top of the page that these have a specific
    maintainer.)
  • Whonix KVM has a dedicated maintainer.
  • Whonix RPi has a dedicated maintainer.
  • What is OK isn’t well defined yet and is fluid as we didn’t run into
    too many third party projects and issues yet.

Some contributions became so convincing that they became Whonix default
(installed), examples include:

  • port of Whonix from KDE to XFCE
  • grub-live

In this case, I think hosting a wiki page(s) about this project in
Whonix wiki with the maintainer template on top of the page would be ok.

It may not be permissible to promote it as Tails-Whonix since:

  • Tails might be a trademark.
  • Tails should be consulted on the name.
  • Even in the absence of a legal basis, the wishes of Tails should be
    respected for moral reasons.
1 Like

This.

@AnonymousUser
Your “Tails-Whonix” might be a natural fallout from the Whonix host OS development. It’s more or less just that except it is not an iso but image file. This should not matter for people using USB instead of a DVD though.
However, I don’t think it will ever officially reach the same amount of support/hardware compatibility or UX as Tails. Tails has been (and still is) developed/optimized by numerous people over several years.

2 Likes

Yes.

(Perhaps we’ll even find an existing (raw) image to iso conversion tool if iso’s become popular request vs USB.)

Agreed. Possibly.

  • Tails support/hardware compatibility or usability might be better than Whonix Host.
  • Whonix Host will have better usability (and same hardware support) than Tails-Whonix.

As for user support I guess we’ll do better here with discourse than Tails mailing list.

OK, but to me, the effort to make an entire OS have the same level of amnesia as Tails looks like a much bigger project than mine which right now is just a cute little ‘script that can’, by comparison.

And to me I feel it worth my time pursuing it, due to my explanation above. I’m very excited about it.

And speaking of:

Maybe I’m jaded. This is a very welcome, inclusive, and non-elitist attitude that I have rarely seen in the Linux / developer world.

And I guess I’m doing this at the moment. I’m looking at the Tails code, learning about Linux and Debian more (always a beautiful thing), and believe me, my rule is that I will ‘develop’ as much as I need to - if ‘developing’ is what we must call it - to achieve what I want to happen.

On reflection, I think you’re inspiring me to take a more direct role in helping develop Whonix. I’ve been on the sidelines for a while but I’ve always wanted to make Whonix easier for people to install, and nicer for them to use (so that adoption is increased, and people are safer). Maybe it’s my time to work on this closer to the center than on the side.

Whonix is a multifaceted brand with user options ranging from Windows right down to the complicated Qubes. If users want to install Tails as a host OS for Whonix, it means they really want to do it for the benefits it offers, right? All I could say in reply to that is to see how elegant I can get this script for the end user (but again, it could take time as I have much to learn).

But don’t we have to observe Debian, Qubes, VirtualBox, and all other upstreams that the different variants of Whonix use? Is dealing with Tails unfeasibly problematic compared to other codebases? They seem to document well.

I’ve historically hated Tails (i.e. the experience of using it). But now that I know it can be feasibly used to host Whonix, I’m really starting to get comfortable with it (and thus dealing with it as a developer). Again, I’ve been surprised at how smooth the Tails+Whonix experience is (even in my early testing). Just takes some adjustment. I’m patient.

OK. Is Qubes similar to Tails in this regard? I.e. with ‘Qubes-Whonix’, is Qubes a trademark, has Qubes been consulted on the name, and what is Qubes written stance if any, and based on all that, what is the conclusion at Whonix Project end about ‘promoting’ the ‘product’ called “Qubes-Whonix”?

If it counts for anything, I don’t think users assume Qubes-Whonix to be a product officially offered or endorsed by Qubes (not unless they looked into it). I think it’s assumed by most right away that one is just using one OS as a host (Qubes) and another (Whonix) as a guest, each from separate websites.

But I do understand a lot of what you might be thinking about. I know that you’ve spent years building up Whonix in every way (and we owe so much to you, and also others): its code, its community, its respect, and its regard from large and well-maintained projects like Tails. I leaped with joy when I saw ‘Whonix’ listed on Tails website as a similar project the other day. :slight_smile: So I get that there’s many things to consider.

That being said, there are naming alternatives. Instead of a problematic name of Tails-Whonix, you could just list Tails as another host OS on the download page alongside Windows, Linux, macOS, and Qubes.

That makes it really clear that Tails cannot replicate Whonix (because it sure can’t). Instead, it’s just another host that offers unique protections like Qubes which some people want.

Call it Tails+Whonix if you will, facilitated by a script.

Extremely early days.

Appreciate any continuing thoughts.

1 Like

All things aside, I think it is worth pursuing a Whonix Host project as it gives us the chance to make some important security/usability improvements on the Host side that would require a lot of tinkering by inexperienced users right now. By piggybacking off Debian we can provide a widely installable base image that we can point to as the recommended platform to run Whonix VMs from bare-metal.

Tails is much more than just amnesic. Its design is about figuring out how to safely configure all system programs to use Tor and also making the necessary exceptions when dealing with things like captive portals. They are also big on usability. The amnesic aspect is just one of many that I believe we are close to achieving in a Whonix host. However we have much to learn from their UX.

Their devs are pretty cool too and we’ve collaborated in the past. I think such Whonix support you’re interested in is actually a discussion better had with them as their OS is the base that needs to be modified to accommodate a virtualized setup without running into Tor over Tor.

3 Likes

I still fail to see how a (complicated) Tails+Whonix project would be better than running Whonix in live-mode or even better running the host in live-mode :slight_smile:

That being said, transforming a raw file into a bootable iso (to be run as a virtual machine or directly burnt on a bootable USB device) is easily doable with syslinux, isolinux, squashfs-tools and xorriso tools. I have tested it multiple times. You can even have a bootable system working with BIOS and UEFI at the same time. I can find you my bash script if you want.

Here is a good link for more info: https://willhaley.com/blog/custom-debian-live-environment/

2 Likes

I’ll continue to share, and maybe after trying it, you could see what the experience is like and judge it afresh from that.

I’m surprised at how well we’re going at the moment in cobbling it together, but making it robust in various ways (security, stability) is what may take time. But I’ll share it as soon as we have a full working version of the basic infrastructure of the whole script. (It’ll be so damn easy to use, which is the point of me making it. The UX is not complicated at all. It just feels like a GNOME Debian Linux launching VirtualBox.)

I appreciate all efforts being done here. I just remind that my own standards of amnesia (and of what I would recommend to end users) are as high as whatever Tails offers. Why? because Tails is available.

So one thing at a time at my end, and for now, I’ll work on my script.

Still inspired by Patrick’s invitation to help develop. I mean holy shit. The idea of ‘being a Whonix developer’ is quite thrilling to me. :slight_smile:

It would be my honor to say I was in that category, even if I were a lower skill developer (but always improving).

I don’t always have time to be a regular presence here, but long-term, I’m definitely committed to this project.

AnonymousUser

2 Likes

I would be very pleased to do so, once I have a clear understanding of what concrete advantages your solution would bring compared to what we already have, i.e. grub-live (on host or vms), a repeated request that you have never addressed a single time, unless I have missed it somehow.

1 Like

Several people here stay up to date on changes in Debian and AFAIK there is a very good cooperation between Patrick and the Qubes team so that project is certainly closely watched. Not sure how likely you are to get anything of that kind with Tails guys.

Question is, given the already reasonably good solution of Live Whonix on a Linux host, does this project have a big enough added value? Personally before diving into this project I’d first try to perform some intensive testing on Live Whonix on say Debian, trying to identify any actual cases of memory leaking to the HD.

3 Likes
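A first pass at the leak test suggested in the post above, as an added example that is not from the thread or from the Whonix project: a static check of `/proc/mounts` and `/proc/swaps` for write paths that would let session data reach persistent storage. The finding names and the sample mount tables are constructed for illustration, and the live layout under `/run/live` is an assumption about how the live session is mounted.

```python
import re
from typing import NamedTuple

RAM_FS = {"tmpfs", "ramfs"}  # filesystems whose contents live only in memory


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: dict


def _unescape(field: str) -> str:
    # The kernel writes space, tab, newline and backslash as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list:
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        options = {}
        for item in fields[3].split(","):
            key, sep, value = item.partition("=")
            options[key] = _unescape(value) if sep else True
        mounts.append(Mount(_unescape(fields[0]), _unescape(fields[1]), fields[2], options))
    return mounts


def parse_swaps(text: str) -> list:
    # The first line of /proc/swaps is the column header.
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def backing_mount(path: str, mounts: list):
    """Return the mount with the longest mount point containing `path`, or None."""
    best = None
    for m in mounts:
        prefix = m.target.rstrip("/") + "/"
        if (path == m.target or path.startswith(prefix)) and (
            best is None or len(m.target) >= len(best.target)
        ):
            best = m
    return best


def audit(mounts_text: str, swaps_text: str) -> list:
    """Return (kind, detail) findings; an empty list means no write path was seen."""
    findings = [("swap", device) for device in parse_swaps(swaps_text)]
    mounts = parse_mounts(mounts_text)
    for m in mounts:
        # A block device mounted read-write can receive session data.
        if m.source.startswith("/dev/") and "rw" in m.options and m.fstype not in RAM_FS:
            findings.append(("rw-block-mount", f"{m.source} on {m.target}"))
        # An overlay is only amnesic if its writable upper layer sits in RAM.
        upper = m.options.get("upperdir") if m.fstype == "overlay" else None
        if upper:
            backing = backing_mount(upper, [x for x in mounts if x is not m])
            if backing is None or backing.fstype not in RAM_FS:
                findings.append(("overlay-upper-not-in-ram", upper))
    return findings


# Constructed sample: live session, root overlay with its upper layer on tmpfs.
LIVE_MOUNTS = r"""/dev/sr0 /run/live/medium iso9660 ro,noatime 0 0
/dev/loop0 /run/live/rootfs/filesystem.squashfs squashfs ro,noatime 0 0
tmpfs /run/live/overlay tmpfs rw,noatime,mode=755 0 0
overlay / overlay rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
LIVE_SWAPS = "Filename Type Size Used Priority\n"

# Constructed sample: installed system with swap and an overlay backed by a USB stick.
DISK_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/dev/sdb1 /media/user/USB\040STICK vfat rw,nosuid,nodev 0 0
overlay /home overlay rw,lowerdir=/usr/share/skel,upperdir=/media/user/USB\040STICK/rw,workdir=/media/user/USB\040STICK/work 0 0
"""
DISK_SWAPS = "Filename Type Size Used Priority\n/dev/sda2 partition 2097148 0 -2\n"

if __name__ == "__main__":
    for name, m, s in (("live", LIVE_MOUNTS, LIVE_SWAPS), ("disk", DISK_MOUNTS, DISK_SWAPS)):
        print(name, audit(m, s) or "no write path found")
```

On a running system, pass the contents of `/proc/mounts` and `/proc/swaps` to `audit()`. A clean result only covers mounted filesystems and swap; it does not show that nothing writes to an unmounted block device directly.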

Qubes-Whonix trademark:

The build process for templates distributed through Qubes community repository is handled by Qubes.

If it counts for anything, I don’t think users assume Qubes-Whonix to
be a product officially offered or endorsed by Qubes (not unless they
looked into it). I think it’s assumed by most right away that one is
just using one OS as a host (Qubes) and another (Whonix) as a guest,
each from separate websites.

Qubes users don’t need to go to Whonix website to acquire Whonix when
they previously acquired Qubes installer from qubes-os.org. Qubes
installer iso comes with Qubes-Whonix.

I think since it’s easy to install Qubes-Whonix on Qubes (as offered by
Qubes installer) (as Qubes-Whonix is included on Qubes installer iso)
the separation of Qubes community repository and Qubes repository goes
easily unnoticed for most users.

OK, but to me, the effort to make an entire OS have the same level of
amnesia as Tails looks like a much bigger project

We don’t make an entire new OS. Tails and Whonix are derivatives of
Debian. We’ll “just” “add our scripts/packages” on top for
configuration. Since there’s “hardened debian” (needs to be renamed as
mentioned earlier) (created by Whonix) already, most work is done
already. In the grub-live thread and wiki page we are already done with
the analysis of any Tails amnesia features. Any possibly missing source
code related to amnesia can most likely be copied over from Tails and
packaged for Whonix-Host. It’s only missing a bit of implementation.

To quantify this better, I started creating the tickets. Steps towards
Whonix host:

https://phabricator.whonix.org/tag/whonix-host/

For now it’s “just 13 tickets”. So really not a far fetched project.
Some of them are more reminders than big tasks. “make sure there is no
swap by default” shouldn’t take more than 10 minutes. And not all need
to be done in the first version such as “Clock Drift Detection” seems
nice but non-essential.

To get that into perspective:

  • For Whonix 15 we squashed around 50 tickets.
  • For Whonix 14 we squashed around 100 tickets.
  • Not even counting issues a ticket was never created for (such as those found
    during own re-reading or forum report).

AnonymousUser via Whonix Forum:

Whonix is a multifaceted brand with user options ranging from Windows right down to the complicated Qubes.

Risking self-praise here, I would like to think that all options offered
on whonix.org marked as supported offer a best-practices following,
sane, clean, best-effort, good implementation of an anonymous operating
system which can be expected given the truthfully described state of the
project.

As any Linux distribution, it’s complicated enough for laymen and Whonix
due to its specialized purpose is even more complicated.

But a Tails-Whonix for download on whonix.org would be the least
usable version of all flavors offered on whonix.org.

Well, Tails-Whonix isn’t yet supposed to be a download. Just a script.
But I am sure, once there’s a script, its users will ask for a download.

The issue of a script: it doesn’t have many users.

But don’t we have to observe Debian, Qubes, VirtualBox, and all other upstreams that the different variants of Whonix use? Is dealing with Tails unfeasibly problematic compared to other codebases? They seem to document well.

Qubes: will notify regarding any changes that relate to Whonix and
usually doesn’t change much that relates to Whonix.

VirtualBox: just a single application that doesn’t change much.

Debian: unavoidable but packages we’re using (more so after using KDE)
don’t change much over time. The latest port stretch to buster was the
easiest since many previous ports I got used to it.

Tails: completely own build script
https://tails.boum.org/contribute/build/ /
https://tails.boum.org/contribute/build/vagrant-setup/ /
https://tails.boum.org/blueprint/reproducible_builds - that doesn’t
matter as long as Tails-Whonix is just a script but when creating a
download and building a pre-modified iso from scratch, both build
environments would be used.

https://tails.boum.org/blueprint/reproducible_builds sounds like Tails
build process is using binary packages from Tails repository. I don’t
like that.

Whonix build script was recently ported to mmdebstrap and added full
onion-only build support for better build security. It would take a long
time for me to grasp Tails build process.

That being said, there are naming alternatives. Instead of a problematic name of Tails-Whonix, you could just list Tails as another host OS on the download page alongside Windows, Linux, macOS, and Qubes.

On https://www.whonix.org/wiki/Download that would be possible.

2 Likes

@Patrick:

Will reply mostly in non-quoting form this time.

Thanks for sharing the Qubes info.

That I can definitely identify with.

I definitely believe we can emulate everything Tails does in terms of amnesia. I wouldn’t say that unless I already relied on Whonix for my critical anonymity needs vs. using Tails (and was aware of its excellent extensive wiki documentation for many years now).

I guess our own native ‘Whonix’ host which is amnesically as robust as Tails might be the best in the end, but I think it’s beneficial to try Whonix on Tails for now. It’s a good test for an environment we want to natively emulate ourselves. And the code that my friend and I are working out may be helpful for adapting in the native Whonix offering. (And it would only be better code if it’s first shared, used, tested and refined over several months or a year+ by many users, which is something I can offer.)

So such a transition, to me, wouldn’t be zero sum.


BTW, what desktop interface do you intend for such a host? XFCE is amazingly fast, but its UI (especially the default theme in Workstation) is unfortunately dated. I did agree in the end that the move from KDE to XFCE was good (even though it was a big adjustment for me and others), because I love how non-buggy XFCE is compared to KDE. But at some point people still want sleekness and ease of UX as one of their highest priorities.

I deal with beginner Whonix users a lot in the community. And these things matter to them. They’re used to Windows, and I’m encouraging them to move over to Linux. They will less likely do this if the interface looks like it’s from 1997.

UI matters. Tails is very polished and it uses the GNOME desktop which to most people has a much nicer feel (and I assume that’s a reason why Tails uses it). It doesn’t matter what I think of GNOME, it matters to me whether most potential Whonix users would prefer it. And the people voting in a Whonix forums poll by no means represent the silent majority of users who are at the beginning of using and trying Whonix.

Maybe when XFCE 4.14 comes around it can finally be brought into the 21st Century. But we’ve been waiting 3 years now for that to come.

Alternatively, are there existing 4.12 themes which actually make XFCE look and feel modern, in contrast to the frankly awful default theme that Workstation-XFCE currently comes in? Thunar looks disgusting.

I’m not saying graphical Whonix should necessarily move to GNOME, BTW…I’m just kind of making a major point. Tails has a high standard of usability. And if we want to increase the anonymity set that Whonix has, this is an important matter.

This is just one of many quality comparison issues of ‘Whonix host’ vs. ‘Tails’ at this early stage. But we can work through them all, I don’t mind.


BTW we need a name that is actually good.

‘Whonix host’ communicates nothing. It may give the impression that it’s ‘double Whonix’ if you’re not careful (i.e. a host OS that doesn’t real meaningful value) and people won’t investigate what it offers.

People already know the brand name of ‘Tails’ and what it offers. ‘Whonix’ is a brand name that’s equally great now, but another word like ‘amnesic’ or ‘deniable’ also needs to be in the title to be eye-grabbing and indicate what it is.

My coinage of ‘Deniable Whonix’ is too esoteric, even though it’s eye-grabbing.

How about Live Whonix?

I see that the words in reverse form (‘Whonix Live’) is the other sub-project, but in the larger context of Tor community and Tails, when people think ‘live’ they think the WHOLE system at the hard drive level, and amnesia (not just a VM resetting itself). So a re-naming could be the new amnesic host OS to be ‘Live Whonix’ and the other one to be something like Whonix in ‘Live VM’ mode.

I apologize if I’ve asked some questions already answered elsewhere, but my open thinking may stimulate good discussion.

In my opinion:
KDE vs XFCE: XFCE preferred (I see nothing slick about KDE really).
KDE vs XFCE vs GNOME: GNOME preferred.

Another general consideration: making the host and VMs look too similar increases the risk for user mistakes. Not sure it must be handled by using different desktop interfaces but something to think about nevertheless.

1 Like

XFCE can be very beautiful and modern after some theming. Just as beautiful as GNOME but less buggy and more user-friendly.

2 Likes

Could you post please XFCE beautification packages (preferred) or
settings in a separate thread?

The case for porting Whonix to GNOME should be made in a separate thread
too. It would have to compare RAM and performance in VMs too. Not sure
how realistic that is. We only got Whonix ported to XFCE since the code for
the port was contributed while at the same time KDE was eating too much
RAM and too slow.

2 Likes

Done

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/xfce-theming-a-few-suggestions/7205

I would also add that XFCE compared to GNOME is closer to what people coming from classical proprietary OSes such as Windows and macOS are used to (panel, desktop icons, etc.).

2 Likes

are we sure the “plausible deniability” aspects matter? unless things have changed, i recall the “plausible deniability” claims of veracrypt being largely exposed as security theater. someone can just as easily rubber hose a veracrypt hidden partition out of a user as they could a luks key. unfortunately, this is not a scenario that can be solved by software alone. it requires human behavior modifications and potentially a contingency plan involving more than one person.

one example i’ve discussed with others is somewhat implemented in the guide i work on. it involves using a randomly generated 8192 byte key as the luks key to decrypt the drive. then, the gnupg implementation of luks is used to encrypt the 8192 byte key and copy it into the boot image which is stored on a small external usb key. this creates a scenario where, if an attacker gains access to a user’s computer or target hard drive, but does not have access to the boot key, the user cannot possibly know the passphrase to decrypt the drive, as the luks passphrase is a random 8192 byte string. but, that alone is not enough. it also requires a human plan where one can hide their boot key in a physical location that will not be discovered by an attacker upon the initial ambush. it also relies on a secondary individual receiving (or not receiving) some form of signal that would tip them off to come fetch and destroy your boot key without being detected by your attacker whose identity you also could not expose under torture. in short, an incredibly difficult and disciplined process.

fde is a great and useful tool, especially against thieves. however, in jurisdictions where coercion and torture are used against individuals in order to gain access to otherwise secured data, it’s truly only as strong as the user’s will. “plausible deniability” of veracrypt won’t change that. it simply results in a scenario where one will be coerced out of two passphrases instead of one.

there was at least one point in time where the theoretical idea of an encrypted file container may allow one to more easily pass through a physical check point undetected if they could boot up their computer without issue or if a quick forensic sweep was done. but, it was largely nothing more than subjective conjecture and, given how many devices now enable an fde system by default, i’m not even sure how much it holds up anymore.

the fact of the matter is, particularly when tor usage is part of the standard operating procedure, if an attacker has found you and has access to your physical drives, the game is over and fde will be a last line of defense in even less brutal states where you will likely have to politicize your prosecution and hope that works out to your favor after years of legal struggle.

Interesting, in fact it reminds me of an article which explained that, according to the game theory, TrueCrypt/VeraCrypt hidden volume capacity makes it actually worse for people under torture.

In short, a government using torture that catches you with a TrueCrypt/VeraCrypt volume will have no interest to stop torturing you until you give them the password of the hidden volume, even if you don’t have a hidden volume, as they know that you could theoretically have one… Whereas if there was no such capacity, they would stop torturing you as soon as you gave up your TrueCrypt password. The theoretical possibility of the existence of a hidden volume makes the use of infinite torture a rational choice…

So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you.

Here in more details:

https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm

2 Likes