What about including steghide in the next Whonix version?

Steganography is a powerful instrument for hiding the fact of hiding and avoiding suspicion on the part of the spying bodies. It will also let more users learn about steganography, because some of them have never heard of it.

What about implementing a double encryption feature with steganography included?

I have already checked the following commands and they work nicely. You can develop them further and put a shortcut in the menu or something.

The commands:

Encrypt file1.anyextension and hide it in file2.jpgorwav, creating newresultingfile.jpgorwav (file2.jpgorwav remains in its original state, without the embedded file):

openssl enc -aes-256-cbc -in file1.anyextension | steghide embed -z 9 -N -e rijndael-256 -p yourpassword -cf file2.jpgorwav -ef - -sf newresultingfile.jpgorwav

Extract the embedded file and decrypt it:

steghide extract -p yourpassword -sf newresultingfile.jpgorwav -xf - | openssl enc -aes-256-cbc -d > anyfilename.theknownextension

Attention! The receiver should know the extension of the hidden file and both passwords: one for ssl and one for steghide.

Actually you get triple encryption when using GPG-based mail. You may also replace AES with other encryption algorithms.

Using this method you get double AES-256 encryption, which is currently believed to be free of backdoors. If you distrust the steghide software, you are still protected by openssl.

I think this method is valuable because it’s quite difficult for most people to figure out how to use GPG/PGP in Thunderbird or Icedove. Many people do not understand the difference between MIME PGP and inline encryption. While trying to teach other people to use them, I saw them making deadly mistakes all the time, like sending files with inline encryption where only the text was encrypted.

But with the proposed method you just need to have one wav or jpg file and use it as a container. Of course the person may write the email text in a text file and use this method to hide the text.

The obtained benefits:

  1. Enigmail is not even needed.
  2. You may use email servers not supporting GPG/PGP.
  3. You may send stegofiles from any other computer (or from the host OS) without needing to use Tor and without needing to hide.

What do you think about it?

From a quick look, steghide seems unmaintained and dead upstream:
http://sourceforge.net/p/steghide/mailman/steghide-devel/

  1. Enigmail is not needed for GPG encrypted mail. It’s just convenient.
  2. A rarely seen limitation.
  3. Using Tor is irrelevant in this case.
  4. The whole field is very low signal, software is old. I am more sure of the GPG implementation of encryption algos than I am of steghide’s.
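
An added example, not part of either post: the openssl layer of the pipeline from the first post, written so the passphrase is not typed on the command line and the file name and extension travel inside the payload. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`); the variable `PAYLOAD_PASS` and all function names are hypothetical, and the steghide stage is left out (it would sit between the two halves, fed through `-ef -` and `-xf -` as in the post).

```shell
#!/bin/sh
# Added example: openssl layer only, round-tripped and verified.
# Assumptions: OpenSSL >= 1.1.1; PAYLOAD_PASS and function names are made up.

# Encrypt stdin to stdout. The passphrase comes from the environment
# variable PAYLOAD_PASS, so it is not exposed in the process argument list.
# -pbkdf2 replaces the legacy single-round key derivation of "openssl enc".
enc_layer() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:PAYLOAD_PASS
}

# Decrypt stdin to stdout with the same parameters.
dec_layer() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PAYLOAD_PASS
}

# Wrap the file in a tar stream before encrypting, so the receiver gets the
# original name and extension back without being told them separately.
pack_and_encrypt() {            # $1 = file to protect
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" | enc_layer
}

# Reverse of pack_and_encrypt: ciphertext on stdin, files into directory $1.
decrypt_and_unpack() {          # $1 = output directory
    dec_layer | tar -C "$1" -xf -
}

# Self-check on constructed sample data: encrypt, decrypt, compare bytes.
roundtrip_ok() {
    work=$(mktemp -d) || return 1
    mkdir "$work/out"
    printf 'constructed sample message\n' > "$work/note.txt"
    PAYLOAD_PASS='constructed-sample-passphrase'
    export PAYLOAD_PASS
    pack_and_encrypt "$work/note.txt" > "$work/payload.bin" &&
        decrypt_and_unpack "$work/out" < "$work/payload.bin" &&
        cmp -s "$work/note.txt" "$work/out/note.txt"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

AES-256-CBC as used here gives confidentiality only; it does not detect a payload that was modified in transit.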