Date: Tue, 22 Jul 2008 18:51:40 +0100
From: RW <fbsd06@mlists.homeunix.com>
To: freebsd-questions@freebsd.org
Subject: Re: disk encryption; hidden containers
Message-ID: <20080722185140.25c022d4@gumby.homeunix.com.>
In-Reply-To: <20080722154742.GA43358@epia-2.farid-hajji.net>
References: <20080718155624.GA2886@kokopelli.hydra> <20080722154742.GA43358@epia-2.farid-hajji.net>
On Tue, 22 Jul 2008 17:47:42 +0200
cpghost <cpghost@cordula.ws> wrote:

> On Fri, Jul 18, 2008 at 09:56:24AM -0600, Chad Perrin wrote:
> > My preliminary searches on the subject suggest that neither GBDE
> > nor GELI encryption offers hidden volume/container capabilities.
> > Are there any plans for implementing this in the future? What disk
> > encryption software would you recommend for use with FreeBSD to
> > provide hidden containers?
>
> Unless the containers are spread randomly across the partition
> and are small enough, they WILL appear very prominently, because
> they will usually have maximum entropy.
>
> To locate them, all a cryptanalyst has to do is to look out for
> regions on the partition with very high entropy,

The trick is to hide the volume somewhere that is legitimately filled
with random numbers. One simple way to do this is to simply argue that
an encrypted partition was previously an ordinary partition that has
been securely erased by filling it with random numbers. Since this is a
reasonable thing to do, it provides a significant level of plausible
deniability. Unfortunately you can't do this with geli, because it's
actually designed to be detectable (I'm not sure about gbde).

Some encryption software goes much further by allowing one or more
levels of nesting within volumes. The way it works is that you create a
normal volume, put in some dummy files, and then create a second level
container in the freespace. Since it's good practice to prefill
freespace with random numbers, and some encryption software does it
automatically, it's very hard to detect the second level.

The advantage of this is that even if someone knows that you are using
encryption, and can compel you to give up the passphrase, you can still
keep the real secrets hidden.
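The entropy argument above, as an added example that is not part of the original post: a per-block Shannon entropy scan over a constructed toy partition image. Random bytes stand in for ciphertext (an assumption: a sound cipher's output is indistinguishable from random data), and the image layout, block size and threshold are my own choices, not anything from the thread.

```python
import math
import os
from collections import Counter

BLOCK = 4096            # analysis granularity in bytes
FILE_BLOCKS = 4         # blocks 0-3 hold ordinary low-entropy file data
FREE_BLOCKS = 12        # blocks 4-15 are "free space"
CONTAINER_BLOCK = 8     # simulated hidden container starts here


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_runs(image: bytes, block: int = BLOCK, threshold: float = 7.8):
    """Return [(first_block, last_block), ...] for runs of blocks whose entropy exceeds threshold.
    This is the 'look for regions with very high entropy' check from the post."""
    runs, start = [], None
    nblocks = len(image) // block
    for i in range(nblocks):
        hi = shannon_entropy(image[i * block:(i + 1) * block]) > threshold
        if hi and start is None:
            start = i
        elif not hi and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, nblocks - 1))
    return runs


def build_image(container_blocks: int, random_free_space: bool) -> bytes:
    """Constructed toy partition: file blocks of repeated text, then free space that is either
    zero-filled or prefilled with random bytes, with a random-looking 'container' inside it."""
    files = (b"The quick brown fox jumps over the lazy dog.\n" * 100)[:BLOCK] * FILE_BLOCKS
    free = bytearray(os.urandom(FREE_BLOCKS * BLOCK) if random_free_space else FREE_BLOCKS * BLOCK)
    start = (CONTAINER_BLOCK - FILE_BLOCKS) * BLOCK
    free[start:start + container_blocks * BLOCK] = os.urandom(container_blocks * BLOCK)
    return files + bytes(free)


if __name__ == "__main__":
    # Zero-filled free space: the container alone stands out as blocks 8-10.
    print("zeroed free space :", high_entropy_runs(build_image(3, False)))
    # Random-prefilled free space: the whole free area is flagged; the container is not separable.
    print("random free space :", high_entropy_runs(build_image(3, True)))
```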
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080722185140.25c022d4>