GBDE for denialable encrypted partition


#21

Yes, but that is not the point I am making.
Hibernate or suspend is NOT the same thing as POWERED OFF.
Take a machine with encrypted partitions.
Powered Off if anyone takes the disks and puts them in another machine, they can’t see the data unless they know the keys.
Hibernate or suspend, all one has to do is “unhibernate” or “unsuspend” and the machine is back at the same state it was, all powered on, all decrypted.
That is why if you are going to go to the trouble to encrypt things on your machine, it’s either powered on with you using it or it is powered off. Anything else means you wasted your time going through the encryption process.


#22

I understand that suspend (aka sleep) means that your computer is still on as your contents are still stored on RAM and in a decrypted form. But doesn’t hibernate mean your computer is fully powered off just like when you click on shutdown?

From what I know when you hibernate your computer, the stuff stored on the RAM gets moved into a secondary storage into a swap file before the computer is fully switched off. Am I correct with this?


#23

I think you’re confusing the different states. Suspend to disk, is the same as “hibernate” not the same as sleep. When you suspend to disk (aka hibernate) you are suspending to disk, and when you turn on it’s in the exact same state that you left it in, including your loaded encryption keys.

Sleep is what used to be called “standby mode” it suspends to RAM so you can quickly resume your operations. Encrypting your swap space will not help you in either of those cases.

And even then you can’t really deny that the partition is encrypted. I’m assuming when you say “deniable encrypted partition” you want a normal looking partition that you can claim is not encrypted when it really is.

@joe232 have you read the GBDE section in the FreeBSD handbook yet?..

@mer that sounds like it came straight out of the Micheal W. Lucas storage essentials book. I remember the chapter about people just wasting their time with encryption because they did silly things like that.


#24

@Groot Yep. I have a lot of his books; I like the way he writes. The ZFS ones with Allen Jude are a fun read. He’s not shy about calling out the stupid things people do.

Storage Essentials, Chapter 5, Filesystem Encryption 101 should be mandatory reading for anyone that thinks they need to have encrypted partitions. Even if you’ve done it “a thousand times”, simply because it stops and makes you think about “what is it that I actually want to accomplish and exactly what is my threat level”.


#25

Oh I see. I thought suspend meant sleep now I get it.

Either that or something like VeraCrypt where you can an outerOS and innerOS for Windows.

You are referring to this link right? https://www.freebsd.org/doc/handbook/disks-encrypting.html


#26
Your VM can be encrypted with a different key then your host OS.
But its not plausibly deniable.
John
groenveld@acm.org