hidden full system encryption on gnulinux?

hthi
Posts: 213
Joined: 2015-05-09 15:43
Has thanked: 1 time

hidden full system encryption on gnulinux?

#1 Post by hthi »

I cannot say if the following is correct. I read about countries that have legal means or plan to get legal means to make a person tell a password for decryption. Countries that may not use violence to get the password. The windows versions of truecrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied. I am not aware of gnulinux having this feature. It is important that gnulinux gets this encryption option that people in these countries get another means to provide privacy. If it can be made for windows it can be made for gnulinux? Can I get to know, how difficult it is to provide this option? Expensive? Many programmers required? Technically advanced?
Thanks.


tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: hidden full system encryption on gnulinux?

#3 Post by tomazzi »

hthi wrote:The windows versions of truecrypt have the ability to create and run a hidden encrypted operating system
No, this is about a hidden file system (implemented in a virtual partition existing as a normal file, called a "container"). Definitely, this is not about "operating system" - quite a big difference.

Anyway, this means that in countries which have the "legal" means (which are illegal just by the nature of this problem - human rights), those "containers" can be easily detected - and "they" can ask for a password.

But:
The whole thing is about what You're risking by claiming that You have just "forgot" the password... - are they going to torture You? - do they have means for this? - that is a real question/problem here.

Regards.

PS.
GNU/Linux has a very similar solution - it's an ecryptfs - available as a ready to install package, fully documented.
Odi profanum vulgus

hthi
Posts: 213
Joined: 2015-05-09 15:43
Has thanked: 1 time

Re: hidden full system encryption on gnulinux?

#4 Post by hthi »

There are too many arrogant people on this forum. Dasein, you are one of them. You waste my time and yours. Your answer contributes with nothing. More than 6000 answers and you have not learned to meet people on their level? About my question, your answer is arrogant and wrong. Truecrypt does not provide full system encryption on gnulinux. Because you do not answer any of my questions I conclude you are not skilled enough. You are not capable of answering any of my questions. Stay away from my posts if you cannot contribute.

I frequently write posts on forums and get no answers. Likely because my questions are too difficult. What I want to know is how big a task it is to bring hidden full system encryption to gnulinux? No surprise if nobody here has the skills to answer it. Sometimes you run unsuspectingly into someone who can answer or who can tell you that your question is very difficult.

Tomazzi. I quoted wikipedia. It says hidden full system encryption is provided by truecrypt. You say, wikipedia is wrong?

Even if a law is illegal due to a convention, it will likely stand until some higher judicial body rules it illegal.
You say, what if I claim to not remember the password? It seems some countries have or want to get laws that fine or remand a person that will not tell a password. A hidden full system encryption option makes it possible for a person to tell a password and it will open a system that shows nothing.

You refer to ecryptfs. That is not what I am asking for. The hidden full system encryption has to be an option which displays when you install a gnulinux system. Can laypersons make this suggestion to debian?

alan stone
Posts: 269
Joined: 2011-10-22 14:08
Location: In my body.

Re: hidden full system encryption on gnulinux?

#5 Post by alan stone »

hthi wrote:... The windows versions of truecrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied. ...
Thanks.
Did you try this search: hidden encrypted linux operating system ?

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: hidden full system encryption on gnulinux?

#6 Post by stevepusser »

Yes, your questions are so difficult they've blown my freaking mind!

Truecrypt is old, unmaintained, and will not build on a modern Linux system. I suggest you bend your vast intellect toward learning about its successor, Veracrypt. Yes, there are Debian packages for it out there.
MX Linux packager and developer

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: hidden full system encryption on gnulinux?

#7 Post by GarryRicketson »

hthi wrote:
... The windows versions of truecrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied. ...
Thanks.
I don't know, but we get so many people these days claiming, all these weird things
they want to do, work on their "windows" versions, or "When I use windows, it works",..
I get tired of that, if the versions you have on your windows thing work so great, then why don't you just use that ?
The whole thing is about what You're risking by claiming that You have just "forgot" the password... - are they going to torture You? - do they have means for this? - that is a real question/problem here.
The rest sounds more like some kind of spy versus spy movie, and then they come and torture the guy, because he either really can not remember the password, or maybe just says they forgot, because they don't want to tell it,... who cares really ? It is all from a movie, or sounds like it to me.
It already has been mentioned there are packages available:
Post by stevepusser »Yes, there are Debian packages for it out there.
And as suggested, : Did the OP try any searches ?
by alan stone »
Did you try this search: hidden encrypted linux operating system ?

and Dasein:
=
I frequently write posts on forums and get no answers. Likely because my questions are too difficult.
Amazing, does that not tell the OP and all of us something, but they don't get answers,
it is not that they are too "difficult", it is because they can easily be answered doing a few searches, or because they are simply pointless, with no real, true, absolute answer,
or controversial, these are the kind of questions trolls like to ask, and everybody knows
the best thing to do with a troll is to ignore it. So that is what they do on many forums, and they ignore the questions, that : Please Read.. What we expect you have already Done.
When it is obvious the OP has not done any searches, often they just ignore the question.
The troll starts out in the very first post:
by hthi » 2016-04-15 09:09 The windows versions of truecrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied. I am not aware of gnulinux having this feature.
Without having done any real searches, to see if there are any Debian, and linux packages with this feature. It appears to me it is deliberately trying to say it's crappy windows apps, and windows versions are better.
Now, the response probably will be something saying "garry is the troll",..hmm maybe so, but then there is also the expression "It takes one to know one",....However I don't usually try to be one , in fact I usually just ignore them, and that is what I am going to start doing after this post.
Please do not feed the trolls
http://forums.debian.net/ucp.php?i=zebr ... s&add=hthi
Especially these ones that come around telling us how much better everything works on their "Windows" things,....
I know everything works better on Debian, and I really am not interested in how or what works on windows.
They blame Debian, or gnulinux, but the facts are clear to me, no windows in my systems, and Debian, and gnulinux, and pure linux, no problems, and usually work perfectly.
99% of the people having problems with Debian and linux software, are still using windows as well, or trying to make Debian more like Windows, or expecting the Debian, and linux packages to be like their windows garbage.
So anyway, that is all from me, today. I am tired of these people always trying to tell us how wonderful things work on their Windows, but it does not work on Debian,
If they like how things work on windows so much, that is what they should be using.

hthi
Posts: 213
Joined: 2015-05-09 15:43
Has thanked: 1 time

Re: hidden full system encryption on gnulinux?

#8 Post by hthi »

Tell me how dasein answers my question?
I frequently write posts on forums and get no answers. Likely because my questions are too difficult. What I want to know is how big a task it is to bring hidden full system encryption to gnulinux? No surprise if nobody here has the skills to answer it. Sometimes you run unsuspectingly into someone who can answer or who can tell you that your question is very difficult.
This part must be read like it is written. It is a statement of fact.

On a debian iso you may select full hdd encryption when you install. There is no hidden full hdd encryption option. I know no gnulinux iso which has this option. Likely because no one made the software.
It may be possible to make hidden full hdd encryption on gnulinux software already available. In that case there had to be tested instructions. No one should make their own encryption. If you do not know a person's skills that is an irresponsible piece of advice.

I wrote my post in general discussions because I think gnulinux systems should get the hidden full hdd encryption option when you install. I wanted to get information how the software can be provided and how difficult it would be? There is no reason to get defensive if windows has an option that gnulinux does not have. Or you cannot answer my question.

You cannot answer on the relevance about hidden full hdd encryption for others. In a country that has or plans laws that will fine or remand a person who will not tell a password and the country will not use violence, hidden full hdd encryption is another option to obtain privacy.

I named windows truecrypt because windows truecrypt shows that hidden full hdd encryption software can be made. I think same software must get made for gnulinux. That produced a lot of hooey in commenting posts. Most of it falls within misplaced loyalty about debian or inability to say something substantive. If a non gnulinux piece of software provides something that is of value, then gnulinux should also get it.

Why side with dasein? He contributed with nothing.

Veracrypt does not provide full hdd encryption on gnulinux.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: hidden full system encryption on gnulinux?

#9 Post by dryden »

Myself I have often observed to my dismay that in general the user options for encryption are extremely limited compared to Windows (TrueCrypt) and this mostly comes down to the lack of anyone actually thinking about real use cases.

Most Linux people do not have such real use cases. Either it is mostly a hobby, or it is used in a corporate environment. I have found for instance that most initrds will spill the guts of the device being decrypted. This is bad information. Any information leak is bad. A real Linux system with multiple encryption setups at once would use a key from the first, to unlock the next ones. There is no need whatsoever to tell the casual observer what disk is getting unlocked. Just a simple example.

According to the LUKS help (cryptsetup) it does support hidden truecrypt partitions, I just have never come across the information on how to do it, and it seems so arcane that I haven't bothered with it yet.

On Windows I had the perfect setup : an encrypted system, a separately encrypted data, another encrypted disk, and something hidden inside of that.

I was not living in a country (like the UK) where they can force or reprimand you to give your passwords.

If then, my situation might have been different.

Most of all even if it is not available for regular installers, I am pretty sure no one has ever done it except if they have used Truecrypt for it. The Truecrypt authors were true geniuses and it is the best and most well-made software I have ever seen.

I recently compiled it on an older kernel (2.6.32) and the installer that you can download, runs just fine on modern Linuxes so I don't see why it wouldn't compile.

The real issue is usability. I have some thoughts but I don't really have the opportunity, health, reality, love or support to design or develop it. I am too abandoned in my life.

As such I am just struggling to survive and even selling off assets.

All I can offer on Linux is to create a partition within an encrypted LVM, encrypt it with TrueCrypt, and then put a hidden volume inside of that. Then wipe your trails whenever you access that.

I have not said those things ;-).

Your best bet is always a multi-encryption setup where you can please law enforcement in steps. Make sure you are capable of giving them the first password without trouble. Then make them beg for the next ones.

This is very hard to do in Linux according to real needs.

Linux is too messy, it just won't work.

Today I have my entire disk(s) encrypted and I let Grub decrypt it. It is a hell of a lot of work to set it up and I always forget one single thing causing me to have to reboot again, etc. etc.

But it is the best thing I can do myself.

I plan to adjust grub to get rid of its ugliness. TrueCrypt has a beautiful bootloader. I do not trust the VeraCrypt authors. They are open source junk.

For one thing they have ensured that unlocking your system takes up to 20-30 seconds? Because they feel they know better about what you want and need? That is the illness in Linux: the other person always thinks they know what you need and don't need, instead of you yourself.

So apparently the VeraCrypt authors decided that they know that people need that 20-30 second bootup phase. When people complain, they don't care. TrueCrypt would never design something like that. They were just outstanding. I miss them already, even though they are still here for me.

In this thread a person also claims to 'know' that if you like TrueCrypt so much, you won't need Linux, want it, or desire to use it. Because to him, apparently, it feels like betrayal. To prefer, or laud, a software not developed by open source guys. To desire something that another person created who actually is praised much more than the Linux alternatives. That feels like betrayal to him.

What rewards does LUKS win? Nothing. Its user experience is horrible. If TrueCrypt had a modern version with a great UI for Linux, I would use that.

But the GUI is not integrated and it is an older Gnome app. I will, or may, still have to use it. But it is downright detrimental. The current state of affairs for Linux is downright detrimental. People in general have never cared about real solid user experiences that completely agree with a use case. It is a wonder I guess that we had TrueCrypt to begin with.

A hidden operating system would require Grub decrypting the volume AND the volume must contain a hidden partition. Then depending on what partition is actually decrypted, it starts that one.

Personally I think this is troublesome to begin with. I prefer to give law enforcement my main password. You could try to virtualize inside of that. You could try to chain boot into something else. Those are really your only options I think.

You would need a way to clear logs, or to create as few of them as possible. A regular Linux system is not really suitable for that. They haven't even solved the issue of the fixed library paths, yet. So what you need is first a way to create a hidden partition, then a way to boot into that without leaving traces. I would suggest doing this booting from a running Linux system. I would suggest ensuring that you can either use kexec for that, or a virtualizer. A virtualization solution started from a hidden volume, would be almost the same as having a hidden OS. Now you only need to ensure that the mounting, and starting of the VM, do not leave traces in the system log.

However I will say that you can also run systems from USB stick that you can hide. You may have a main harddisk but you don't have to use it. Any data that is not sensitive, store it on the harddisk. Put a nice little OS next to it you don't really use. Remember: the burden of having a hidden OS is having to boot that fake system regularly, which you will probably not do.

However, there are virtualizers, maybe all of them, that can boot a guest OS from a system partition or LVM volume. That means you can run your fake OS as a guest in your stick OS. Just an issue, just an example. That way, you can keep it "current" while not using it for anything sensitive. Lots of troubles, I know.

Law enforcement may not search your premises. They may just take the computers that are in plain sight.

Use it for gaming, you know. Run a Guest OS from a fast harddisk (or any harddisk) and use it for gaming.

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: hidden full system encryption on gnulinux?

#10 Post by sgosnell »

How would you propose full, hidden, disk encryption? Truecrypt never did that on Windows, or anything else. Truecrypt, and now Veracrypt, can provide a hidden encrypted container inside a disk. I'm not sure the OP understands what he's talking about.
Take my advice, I'm not using it.

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: hidden full system encryption on gnulinux?

#11 Post by tomazzi »

dryden wrote:Myself I have often observed to my dismay that in general the user options for encryption are extremely limited compared to Windows (TrueCrypt) and this mostly comes down to the lack of anyone actually thinking about real use cases.

Most Linux people do not have such real use cases. Either it is mostly a hobby, or it is used in a corporate environment. I have found for instance that most initrds will spill the guts of the device being decrypted. This is bad information. Any information leak is bad. A real Linux system with multiple encryption setups at once would use a key from the first, to unlock the next ones. There is no need whatsoever to tell the casual observer what disk is getting unlocked. Just a simple example.
First, there's no such thing as "hidden full system encryption".
This stupidity has its roots in the winblows world, where the average user doesn't have a clue what is the HDD and how it works - so they think, that if there's no partition shown in "My computer", then nobody will know about their "secret data" -> *bullshit*.

It's trivially simple to discover that You have hidden data on Your HDD - every law enforcement division in the world will discover it in just a few seconds -> just by looking at the physical layout of data on the disk surface or by checking the bootloaders.

This is a complete stupidity to rely on the "supposedly invisible" partitions - this way You can possibly cheat Your neighbor or maybe your girlfriend ;)

Regards.
Odi profanum vulgus

dotlj
Posts: 646
Joined: 2009-12-25 17:21

Re: hidden full system encryption on gnulinux?

#12 Post by dotlj »

full system encryption means the whole system is encrypted. You can do that putting /boot on a separate device (usb flashdisk, SD card, ...) and encrypting the whole device (say /dev/sda for example).
You can not hide the fact that a whole device is encrypted.
What TrueCrypt called hidden encryption only works with disks using MBR.
Today disks use GPT and TrueCrypt does not work with GPT devices.
What TrueCrypt called hidden encryption is not the full system, it was a hidden encrypted container inside of a larger openly encrypted container, partition or device.

Linux encryption using LUKS works with MBR and GPT devices. Linux allows encrypting whole disks, partitions and containers. Linux also allows encrypting containers inside of encrypted devices or partitions.
As has been mentioned in other replies, it is difficult to hide encrypted containers inside encrypted devices.
For more information please search for steganography using your preferred search engine.
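
Added example, not part of dotlj's post or of any project's code: a Python sketch of why a LUKS device cannot be hidden, whereas a headerless container such as a TrueCrypt volume can only be flagged as high-entropy data. It parses the plaintext LUKS header from the first 4 KiB of an image and otherwise falls back to a Shannon-entropy check; the sample buffers, the 7.5 bits/byte threshold and all function names are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of every primary LUKS1/LUKS2 header
SAMPLE = 4096                 # bytes examined from the start of the device or image
ENTROPY_THRESHOLD = 7.5       # assumed cut-off, in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks(header: bytes):
    """Return the unencrypted LUKS header fields, or None if the magic is absent."""
    if len(header) < 208 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])
    # The UUID sits at offset 168 in both LUKS1 and LUKS2.
    info = {"version": version, "uuid": _cstr(header[168:208])}
    if version == 1:
        # LUKS1 also stores the cipher, mode and hash names in the clear.
        info["cipher"] = _cstr(header[8:40])
        info["mode"] = _cstr(header[40:72])
        info["hash"] = _cstr(header[72:104])
    return info


def classify(header: bytes) -> str:
    """Label the start of a device: 'luks', 'high-entropy-no-signature' or 'structured'."""
    if parse_luks(header) is not None:
        return "luks"
    sample = header[:SAMPLE]
    if len(sample) == SAMPLE and shannon_entropy(sample) > ENTROPY_THRESHOLD:
        # Consistent with a headerless encrypted volume, but equally with random
        # fill or compressed data: entropy alone proves nothing.
        return "high-entropy-no-signature"
    return "structured"


def sample_luks1() -> bytes:
    """Constructed LUKS1 header (field values are placeholders, not a real volume)."""
    hdr = struct.pack(
        ">6sH32s32s32sII20s32sI40s",
        LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
        4096, 64, bytes(20), bytes(32), 1000,
        b"00000000-0000-0000-0000-000000000000",
    )
    return hdr.ljust(SAMPLE, b"\x00")


def sample_headerless() -> bytes:
    """Constructed pseudo-random sector standing in for a signature-less container."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))


def sample_plain() -> bytes:
    """Constructed low-entropy sector standing in for an unencrypted filesystem."""
    return (b"plain filesystem metadata " * 200)[:SAMPLE]


if __name__ == "__main__":
    for name, buf in [("luks1", sample_luks1()),
                      ("headerless", sample_headerless()),
                      ("plain", sample_plain())]:
        print(f"{name:11s} {classify(buf):27s} "
              f"entropy={shannon_entropy(buf):.2f} luks={parse_luks(buf)}")
```

The same functions can be pointed at the first 4096 bytes of a real image file; a "high-entropy-no-signature" result is a hint for further examination, not proof of encryption.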

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: hidden full system encryption on gnulinux?

#13 Post by edbarx »

Full system encryption defies its own aim when it is used to avoid censorship. The reason is quite simple to understand: if one is caught using a fully encrypted computer in a country that enforces censorship, one would incriminate oneself. No one will go into the trouble of encrypting a full system without a motive.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: hidden full system encryption on gnulinux?

#14 Post by dryden »

sgosnell wrote:How would you propose full, hidden, disk encryption? Truecrypt never did that on Windows, or anything else. Truecrypt, and now Veracrypt, can provide a hidden encrypted container inside a disk. I'm not sure the OP understands what he's talking about.
You are incorrect. The OP never mentioned full hidden disk encryption, but a hidden partition inside a system disk encryption, causing two passwords: one for the "non-secure" system and one for the "secure" system. This causes the ability to deny the existence of the hidden OS, because the container looks the same from the outside and you can supply your non-secure password to law enforcement (for instance).

LUKS doesn't even really format your disk. There is no provision to wipe your disk, unless you manually fill it with zeroes yourself. Not saying it always should format. Just saying it is up to you to do it, and if you don't care enough, it won't be done.
tomazzi wrote:First, there's no such thing as "hidden full system encryption".
This stupidity has its roots in the winblows world, where the average user doesn't have a clue what is the HDD and how it works - so they think, that if there's no partition shown in "My computer", then nobody will know about their "secret data" -> *bullshit*.
I have never said any such thing as a hidden full system encryption. The stupidity is yours, not mine, to even suggest such a thing.
It's trivially simple to discover that You have hidden data on Your HDD - every law enforcement division in the world will discover it in just a few seconds -> just by looking at the physical layout of data on the disk surface or by checking the bootloaders.
The whole point of the OP was to hide a partition within an encrypted partition. In case you don't know (are you really that stupid? I doubt it) the purpose is to give a "fake" password to any person interested that will unlock the partition you want them to see, instead of the hidden one.

I again did not say that :p. Actually I do not have any hidden partitions at this time.
This is a complete stupidity to rely on the "supposedly invisible" partitions - this way You can possibly cheat Your neighbor or maybe your girlfriend ;)
You can also fool anyone just looking at your computer. In case you think law enforcement is omnipotent: they are not. Fooling them for a moment or two may be enough to get out of a tough spot. Someone who sees a neat little encryption prompt may not think much of it, except knowing that it is encrypted. His/her attention will then go to other things. Someone who sees device data or UUIDs and who doesn't have any computer knowledge himself, may get confused and think you are doing something nasty. The difference may come down to your computer being towed away or not, or police returning to your home for a second visit, or not. You obviously have no real world experience. Perhaps I might, in fact, do. Someone who sees a password prompt may in fact not even be aware it is going to be an encryption prompt.

Personally I prefer the TrueCrypt system: a neat prompt that does show encryption, but not any other data.

When you want to be inconspicuous, you want to be inconspicuous. You want neatness, tidiness, and people not thinking much of what they see.

Weird people may think you are hacking their wifi when they cannot get online. Weird people may think you are hacking the regional power station because you are using a Linux prompt computer. And the power goes down, so it must be you. In general it is better, if you want to avoid complications, to not let people know too much. What to you is obvious and understandable, another person may think is something suspicious. You want to avoid people thinking you are suspicious.

Neatness is part of that.
dotlj wrote:full system encryption means the whole system is encrypted. You can do that putting /boot on a separate device (usb flashdisk, SD card, ...) and encrypting the whole device (say /dev/sda for example).
You can not hide the fact that a whole device is encrypted.
What TrueCrypt called hidden encryption only works with disks using MBR.
Today disks use GPT and TrueCrypt does not work with GPT devices.
What TrueCrypt called hidden encryption is not the full system, it was a hidden encrypted container inside of a larger openly encrypted container, partition or device.

Linux encryption using LUKS works with MBR and GPT devices. Linux allows encrypting whole disks, partitions and containers. Linux also allows encrypting containers inside of encrypted devices or partitions.
As has been mentioned in other replies, it is difficult to hide encrypted containers inside encrypted devices.
For more information please search for steganography using your preferred search engine.
Not sure why you are turning this into an advert for Linux and LUKS.

As noted TrueCrypt achieved that thing just fine, contrary to your last statement. We have no requirement at all to go search for something that professes to deny what is already so; that TrueCrypt did in fact easily achieve this thing, and perhaps, always has.

I hope you realize how dedicated and with how much attention to detail, the TrueCrypt authors are, and were. You will not find any software solution that has as much attention to detail as that. From the information you get while using the program, to the fact that they first want you to burn a rescue disk, and then proceed to change the bootloader, and then test that, and then proceed to encrypt, and even that is done while using the system, not in advance. I don't think there is any way to run-time encrypt any Linux partition or container, nor is there any way to decrypt it in-place.

It could, but apparently Windows filesystems did have this space to embed the full TrueCrypt bootloader into. In fact, you are warned, that if you use multiple ciphers, there is not going to be a backup header. I actually doubt the TrueCrypt loader extended beyond the first section of MBR, so in fact it did not need to change the partition itself, or the filesystem.

Also, there is no reason you cannot use MBR formatting these days, I believe. I'm not sure what partition tables Windows creates, since you often have little choice in what it does. But I have had no issue running modern Windows on a MBR disk, nor is there any problem doing so on Linux, so that point is moot. Also, if TrueCrypt was still being developed, that could probably be changed. I do not know the details of GPT as to why that shouldn't work, but I think that is nonsense. On Windows, only UEFI can boot GPT, but I don't use UEFI.

And again, no one has ever tried to hide the fact that a whole system is encrypted, nor has anyone ever tried to do so (in that sense). Nobody wants to do that here. That is not what the OP was talking about, and also not what either ones of me intend ;-).

So you are all responding to a statement that was never made. This is called a false flag operation, or more appropriately so, a strawman argument. You intend to refute something that was never even proposed, as though to disqualify your opponent with that, no matter if you do it out of a lacking understanding as to what was intended here.

And yes, I know, but I will not explain here. Why it is also a false flag operation.

So, to go back, and I apologize for any sense of arrogance I may have here:

LUKS does not support hidden partitions. It does support a KILL header/password that will destroy the actual header of the data, when entered.

That won't destroy the data, but you will need a backup of the header to retrieve it. This is something TrueCrypt didn't have. It's a little devious, but you can give this password to (law enforcement) and when it doesn't work, your old (real) passwords won't work anymore either. That probably only makes sense if the forensics guys are not going to use your own software to decrypt it, but still, it should work if anyone tries to open your computer. Law enforcement usually doesn't do that, though, from my perspective and experience. However, unknowing forensics people may try to boot the system instead of decrypting it on their own; I wouldn't count on it though. Because of that, this KILL password has to be used by you, yourself.
You can do that putting /boot on a separate device (usb flashdisk, SD card, ...) and encrypting the whole device (say /dev/sda for example).
You don't need a separate boot device for that, you can do it with Grub. Again, uninformed.

Although in that case you will have a visible partition table, whereas you wouldn't if you used a separate disk. Still, that's the only difference. You will have a partition table with one partition (in the case of MBR) and two (in the case of GPT).
Linux also allows encrypting containers inside of encrypted devices or partitions.
No crap sherlock. That is because they are just files. Although, perhaps it is worth mentioning because Linux needs some special tools to do it (pmt-edh) although that is not really true either, I believe they are just convenience wrappers (from libpam-mount). Still you cannot hide anything in a Linux system (partition) other than in the sheer madness of its disorganisation, except when you modify the kernel, but that won't stop a forensics guy.
edbarx wrote:Full system encryption defies its own aim when it is used to avoid censorship. The reason is quite simple to understand: if one is caught using a fully encrypted computer in a country that enforces censorship, one would incriminate oneself. No one will go into the trouble of encrypting a full system without a motive.
You do not understand much, do you? Incriminating oneself and people having knowledge as to why you do it, is not the same thing. The mere fact that you have used encryption is like 1 bit of knowledge. People will not know why you have done so. Unless encryption is persecuted by itself, people know no other fact than that 1 bit of information. They have no other leads. Perhaps this gives them reason to search your stuff, but police don't always do that, because it takes a lot of work, and needs to be done on-site. With no other information, and you not in other ways suspect, police will actually respect what you do. They start to bargain with you to get the passwords, but you won't give it to them.

And you can have very good reasons to encrypt: you don't want random people (which police are) looking into your stuff. That is stuff people can understand. So you can explain very well why you are encrypting in the first place, even if there is nothing incriminating stored on that.

It depends on how important you think your privacy is, or how important you think it is, that people who have nothing to do with you, stay out. This also applies to police, and is a reason to refuse them knowledge.

What I am saying is that you can very well explain, attest and justify, that there are other reasons to encrypt than hiding incriminating facts. In the end, police don't have more than that 1 bit of information. Which is not a lot, I can tell you.

And all you need to explain, is that 1 bit choice you have made. You can do that, I'm sure, right?

What it requires though is a stance that says that police are not any form of authority over you, and they are no different from other random people who have nothing to do with who you are, what you do, or how you live.

What it requires is shedding this notion that the state holds power over you, not just from a practical reality point of view, but from the perspective that you are somehow a subject.

If you disregard authority, you can encrypt just fine. In most cases, in the West. Unless perhaps people start devising laws that incriminate encryption in the first place; that make it illegal to encrypt. Or illegal to encrypt and then not give your passwords or keyfiles.

When that happens you need something more. You need a system that is visible to everyone. At least your main system should be. You need to be able to give police access, while not giving everything. Everyone has a right to *some* private data. If they *then* are going to prosecute you for it, you stand much stronger. But if, at that point, "in the end" you succumb and give your password(s), what gives if they are not the real ones? What if you have a whole hierarchy of encryption, some of which are hidden? Police may never know.

They can't ask you what they don't know about, and this is called: I bet you know it. Plausible deniability. That is what this topic was about. Don't be confused by the topic title. The guy meant full system encryption with a hidden operating system, as mentioned in the original post.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: hidden full system encryption on gnulinux?

#15 Post by edbarx »

dryden wrote:
edbarx wrote:Full system encryption defies its own aim when it is used to avoid censorship. The reason is quite simple to understand: if one is caught using a fully encrypted computer in a country that enforces censorship, one would incriminate oneself. No one will go into the trouble of encrypting a full system without a motive.
You do not understand much, do you? Incriminating oneself and people having knowledge as to why you do it, is not the same thing. The mere fact that you have used encryption is like 1 bit of knowledge. People will not know why you have done so.
Police represent authority, which means a citizen's refusal to cooperate with their investigations is often seen as corroboration that there is something sinister to hide on the part of the investigated.

In reply to your argument about "privacy", well, I value more my freedom, rather than risking a free stay at some police lockup facility or a prison. People who reason like you are forgetting the state has authority and I, you and every common Joe have none.

If you can afford a very expensive lawyer, it is completely a different story.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: hidden full system encryption on gnulinux?

#16 Post by dryden »

edbarx wrote:Police represent authority, which means a citizen's refusal to cooperate with their investigations is often seen as corroboration that there is something sinister to hide on the part of the investigated.
You disregard experience just fine. And common sense as well. I mean how .... can you be? The rule of law implies that criminal facts need to be proven.

Unless hiding evidence itself is a criminal act, you cannot be prosecuted for hiding any form of information.

I repeat: you cannot be prosecuted for such things.

They *have* no information on you. Therefore, they can also not really get away with doing anything to you based on nothing but the "random thought" that you are hiding something sinister based on nothing, particularly if you can justify what you do against a judge, or argue your way out of it, no matter how you wish to express that.

I have hidden data and this has made no difference whatsoever in a case against me, because it was not even a computer case to begin with, and the only consequences have been
  • some amusement as law enforcement first tells me that they "will crack it just fine" but subsequently continues to plead with me and beg with me, even 6 months after the fact, for the passwords
  • a measure of respect from these people as I did not comply, and as such, they had to see me as an equal of sorts
  • the fact that due to their decryption attempts, I did not get my stuff back within the same time frame as I otherwise would have.
edbarx wrote:In reply to your argument about "privacy", well, I value more my freedom, rather than risking a free stay at some police lockup facility or a prison.
Then I will respond by saying that you are rather uneducated, and it was none other than Theodore Roosevelt who said "Those, who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety", perhaps as a citation of others, I do not know. This was in response to the statement, or following the statement, that "No realistic American can expect from a dictator’s peace international generosity, or return of true independence, or world disarmament, or freedom of expression, or freedom of religion - or even good business". And it implies exactly what is being said here.

So, people who "reason like me" are sometimes people in very good standing and far greater people than you or me have ever been thus far.

Your freedom then, is a lack of freedom. You sacrifice your ability to encrypt in the first place, only to bow down to law enforcement who tries to take that freedom away with you, with the promise that then they won't imprison you. And in the end you will find out you have been scammed.
edbarx wrote:People who reason like you are forgetting the state has authority and I, you and every common Joe have none.
Only if the state is without laws, and can act like a complete and utter tyrant, does your statement make any sense. The laws of the state often serve to protect civilians from abuse of authority. And even then, if you stand tall enough, you will garner respect, and I can tell you from experience that thus far they have had nothing on me as a result of encrypting some disks. I really doubt you have any experience whatsoever, in that sense.

Judges in my country at least are critical beings who often have their own doubts as to the proper behaviour of police, and do not necessarily fall in line with whatever police is doing. They are usually rather intelligent people or they would not take office like that. They study law and are used to complex reasoning, they are also used to disregarding "underbelly sentiments" in favour of what the law actually says is allowed, and what not.

If you read jurisprudence (in this case, civil) you will often find extremely logical reasonings reducing a case to a single point that needs to be proven, disregarding everything else, because it has already been dealt with. Even though this takes away the heart out of it, and reduces it to something formal and nothing more, it does indicate that, especially in the case of criminal proceedings, judges are not unwilling to follow the letter of the law, and if you know it, the law provides much more protection for civilians than the random and spurious opinions of law enforcement officials.

In this my country it is not possible really to use a hiding of electronic information as proof in anything not related to it. If you are charged with hacking, stalking, theft, whatever, it doesn't matter, you cannot be convicted for any such thing simply based on something unrelated such as the hiding of data, because many times a proof needs to be "beyond reasonable doubt". Also even if police did use it as reason to pick you up and arrest you, they could not hold you for longer than a few hours unless it was for interrogation, but an official from the public ministry (a prosecutor) must give them permission for it. This is also a maximum of I believe 3 days -- not that it is pleasant being there. In practice it is never longer than a single night, but that depends on the case, and clearly "encryption" is no reason to keep you longer by itself. "Encryption" cannot even (in this country) be a reason to keep you for longer than those few hours. This is because the reason for keeping you is to keep you at the disposal of police, or, to prevent you from interfering with an investigation.

Moreover, the police that arrest you do not inspect your stuff, they send it off to the detectives apartment. "Your stuff was encrypted" is no reason to arrest you again. They will seek other ways to get at you, but cannot ever arrest you based solely on that. So what you are saying implies police having been witness to electronic communication, and arresting you based on that.

However, you make some kind of blanket statement that in essence only applies to "countries that enforce censorship" whatever that may be. Many countries enforce censorship, our western countries do as well. I have said that I live in a European country and you know full well that most of the web uses encryption constantly. Your statement, therefore, seems to be rather irrelevant to begin with, and more a way of saying something smart, than something that actually applies.

Now I will not say that if police were aware of such reasonings, they would not use that to hurt you on purpose. They probably have more means than I am aware of here, but this implies an ongoing relationship with them here, in which case you are already a "known person" to them. So just from the hypothetical position that you live in a country where all encryption is outlawed: from SSL/TLS to SSH to whatever Whatsapp uses these days.

It is obvious that China is not going to be this country. I doubt Iran is going to be this country. Maybe North Korea could be this country, but in that case you have different problems.

Not even Egypt, or anything like it, is really going to be this country. Sure China may block a lot of foreign websites, but they cannot in honesty block all SSL. So your theoretical country may not even exist on the planet earth. I don't say I know everything, I just say that it seems rather impractical for anyone these days.

So theoretically, someone using encrypted communication may very well set himself apart in a strong way. However if you keep a clear view, stand tall, and don't bargain, they may still not have anything against you. They still only have one bit of information. Even if they roughed you up and searched all your stuff. They might still only have 1 bit of information. And in that case, you have different problems. In that case, you live in a country that has not any sense of democracy. You probably get terrorized by police for other things as well (such as wearing condoms, or having them on you). Electronic communication is really a step beyond that and you have other challenges to meet in the meantime. So the point is really moot to begin with. It is like superimposing atomic bomb concerns on countries that have not even yet developed guns.

Not saying it could never be an issue. Just saying you'd have more things to worry about. Encryption may very well be the least of your concerns (or at least further down the line) and even without encryption, they could still hurt you. And even in that situation, hiding an encrypted USB stick might not hurt you all that much. Not really.
edbarx wrote:If you can afford a very expensive lawyer, it is completely a different story.
Or you study a bit of law yourself, I don't know. I will testify and vouch though that the inexpensive lawyers get in the way more than that they help.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: hidden full system encryption on gnulinux?

#17 Post by edbarx »

dryden wrote:Then I will respond by saying that you are rather uneducated, and it was none other than Theodore Roosevelt
Insults?! :shock: :?

That is enough as proof to disregard your argument.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: hidden full system encryption on gnulinux?

#18 Post by dryden »

I'm sorry, but you do not really espouse any sense of what in Dutch we call "ontwikkeling" (Asian term, I guess, would be "cultivation") if you start saying things that in common culture have already been dealt with, or at least, recognised, or at least, understood by some. If you make the same argument that has been made centuries ago, and if one common great man in modern human history, at least in the West, has already made unforgettable statements regarding your very issue.

And then you claim that I do not care about freedom (which is also an insult, in a sense) and that you would rather have freedom over the risk of ending up in jail. You basically attribute to me a disregard for freedom.

When the great Theodore Roosevelt has already made that speech aeons ago so to speak. And *many* people know about it and his words are world-renowned.

Then don't make me say those things.

Don't act as if you are so wise, and as if you have no regard for, and knowledge of, current history.

Don't paint a picture of yourself as being vastly uneducated, or "underdeveloped" as we would say in Dutch. Another word would be unevolved, but that is also not something any language uses, probably.

You know what I mean: being oblivious to previous achievements in our culture, requiring me to restate them, but also, attacking and insulting me, in a general sense, because I tend to agree with Roosevelt here, or, more likely and more appropriately, and more accurately, because I say the same things he has said.

Achieving anything in the Linux world becomes rather hard when the people that live in it claim to be so highly advanced, and then espouse a disregard, or lack of knowledge, or lack of awareness, of important achievements in our culture.

In general I feel Linux people consider themselves to be more advanced than others (because of the FLOSS principles) and will attack you if you say anything that goes in opposition of it, while the principles themselves, that they believe in, may go in direct opposition of previous achievements, that have founded our society. So basic tenets of democracy, no matter how sullen, are being thrown away, and the wheel supposedly reinvented.

And then someone who claims, apparently, to know a lot about safety, security, and fighting for freedom (?) then attacks someone who actually does so.

The very thing Roosevelt uttered back then, I utter here. Also based on experience, I might add. Why do we have a need to redo what has already been done in the past? Do we need to be unaware of everything, not learn from history, and try to do all those things, try to achieve all those things, try to reach that level that has already long since been reached?

I know current culture is succumbing and degenerating, and in many assets and aspects, in many facets, is going down the drain, and that many people are unaware of such things, and many people even want to do away with, on occasion, and repeatedly, common achievements (we call them "verworvenheden" in Dutch -- things we have acquired or obtained or attained) such as that everyone is equal under the law, or that prisoners have a right of fair treatment, etc. etc.

I know that many people espouse brutality. Many people disagree with a system of law that protects everyone.

But if you say that you would rather have "freedom" (of being in a jail cell for 2 days) and that you would rather give up any right of encryption (which is basically what your stance comes down to) then I would consider you a weakling but also someone unaware of these issues at heart.

Yet you try to convince me that I have it wrong and that I am saying stupid and uneducated things.

Then don't make me say these things.

Don't make me object to such rudimentariness.

Don't make me object to such a scared way of living life. To think that, even in our current societies, governments are tyrants and can get away with anything. And that your only defense is a really expensive (or good) lawyer, but you won't do it for yourself, and the way I hear you speak, you do not have access to that attorney or lawyer.

And in a certain sense you are trying to dissuade me (or others) from using encryption in the first place, or using hidden encryption, or using stacked encryption, or using any whatever scheme we may have to be safe. Because apparently you do not believe you have any power.

Do not make me object to any statement that we are powerless, please.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: hidden full system encryption on gnulinux?

#19 Post by dryden »

Another way of phrasing this is:

The people who say it cannot be done, should not prevent the people who say it can be done, from doing it.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: hidden full system encryption on gnulinux?

#20 Post by edbarx »

Value-laden subjects are always open to discussion no matter for how long and by whom they have been debated. This twisted view that certain subjects are not to be discussed as they are generally accepted is similar to religious and political dogma.
