How to set up Deniable Encryption?


#1

Deniable encryption is where you can trick a person into thinking that your data is decrypted where in reality it is still encrypted.

I want to set up deniable encryption for TrueOS. I don’t want to use TrueCrypt as it is known to have vulnerabilities. I would have used VeraCrypt but unfortunately it does not support deniable encryption, only for Windows it supports it. I believe TrueOS possibly has Geli but that does not have deniable encryption.

I have heard of DLUKS but I don’t know if I can port that over to BSD (as it supports Linux-based OS).

Any ideas? I really can’t find anything?


#2

To be honest, anything GPL would not make it in the *BSD communities


#3

Why do programmers do that?


#4

some think that the GPL is not as free as they say.

so they avoid that license.


#5

I gotta agree with them GPL seems quite restrictive compared to MIT/BSD.


#6

Do you know how to set up deniable encryption for TrueOS or any other BSD-based Operating Systems?


#7

freshports.org

nothing off the top of my head


#8

Native tools for encryption are GELI and GBDE. Different intents, I believe that GBDE may be more what you are looking for. I’d recommend a book by Michael W Lucas “FreeBSD Mastery: Storage Essentials”, it has a few chapters relating to this, the “whys” and “why nots” of each.
My Opinions:
You really don’t want to encrypt the OS and applications. Does it really matter if someone figures out you’re running Windows 10 and using Firefox? Not really.
So what does matter? Data. Your Data. That may include your complete home directory (because too many applications wind up caching things there) or simply a distinct data partition. Yes, data partition. Probably not a ZFS dataset (that would be an interesting thing. ZFS zvol used as a block device to create a GBDE encrypted UFS partition?)
Basically, really think about what it is you need to (not want to) encrypt. There is always a performance penalty, there is always a risk (is the whole partition decrypted and in RAM after you give the password or is it block by block?).
You can gain a lot of security easily by making /tmp a memory based filesystem that clears itself when you power off.


#9

Does GBDE have Deniable encryption by any chance? And does it encrypt the entire OS?

You are right about that, may I ask does your browser’s data (such as Firefox, Google Chrome etc) such as cookies, temp information, does it all get stored in the home directory? (And does BSD also have a home folder, like Linux-based OSs?)


#10

You need to make sure you are defining “deniable encryption”. It can be as simple as “no one can prove that a plaintext version of a file exists”, or it can probably be a lot more complicated (Steganography is one complicated example).

Really, try and find the book I referenced above, it has some good real world explanations.

GBDE (and GELI) lives at a lower level on the device. You have a drive, you partition it. You pick a partition that you then “attach” GBDE to; that means anything done to that partition will be encrypted. After doing that attach to GBDE, you then create a filesystem on top of it.

Now you have a filesystem sitting on top of something that automatically encrypts. Think of this as a “scrambled phone”. You pick it up, you talk normally. Your phone encrypts your voice, the far end phone automatically decrypts it, the far end user hears clear text.

What does all that mean?
It means that you can create a separate filesystem on top of an encrypted partition for your user home directory and anything that is put into that filesystem will be encrypted when the disk is powered off. This is a key point a lot of people miss: while the computer is up and the device is mounted it is vulnerable. You have to power it off.
It means you can create partitions and filesystems and have the entire system encrypted.
On most systems, the directory “/tmp” is used for temporary data storage, like if you download and install a package, it may put some stuff there. The easiest way to protect it is to use a ramdisk for /tmp, so when the power is turned off, it’s cleared. Swap space is another thing that should be encrypted (TrueOS/Trident was doing that by default on the swap partition).

Encrypting computers is a non-trivial exercise and you have to really think about what you want to do, what is your data worth, what is your life worth.
Making it overly complicated you can easily lose all access to everything that is encrypted.
Overly complicated makes it a pain in the butt to use and then you start writing things down which is an attack vector.

There is a lot of information available in the FreeBSD documentation about all this too.

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
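
As an added example (not written by anyone in the thread): a small shell check that reads a FreeBSD-style fstab and reports on the three points from post #10, namely swap on a GELI/GBDE provider (`.eli`/`.bde` device suffix), a memory-backed /tmp, and home on an encrypted provider. The function names and the sample fstab are constructed, and it assumes UFS-style fstab entries.

```shell
#!/bin/sh
# Added example. Checks a FreeBSD-style fstab for the points in post #10.
# Not covered: ZFS datasets and rc.conf settings such as tmpmfs.

audit_fstab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        dev = $1; mnt = $2; fs = $3
        # GELI providers end in .eli, GBDE providers in .bde
        st = (dev ~ /\.(eli|bde)$/) ? "OK" : "WARN"
        if (fs == "swap") {
            seen["swap"] = 1
            print st " swap " dev
        } else if (mnt == "/tmp") {
            seen["tmp"] = 1
            # memory-backed /tmp is lost at power-off
            st = (fs == "tmpfs" || fs == "mfs") ? "OK" : "WARN"
            print st " /tmp " fs
        } else if (mnt == "/home" || mnt == "/usr/home") {
            seen["home"] = 1
            print st " home " dev
        }
    }
    END {
        if (!seen["swap"]) print "INFO no swap entry"
        if (!seen["tmp"])  print "WARN /tmp is not a separate mount"
        if (!seen["home"]) print "WARN home is not a separate mount"
    }' "$@"
}

# Constructed sample fstab (device names are placeholders).
sample_fstab() {
    cat <<'EOF'
# Device         Mountpoint  FStype  Options       Dump  Pass
/dev/ada0p2      /           ufs     rw            1     1
/dev/ada0p3      none        swap    sw            0     0
/dev/ada0p4.eli  /home       ufs     rw            2     2
tmpfs            /tmp        tmpfs   rw,mode=1777  0     0
EOF
}

sample_fstab | audit_fstab
```

On a real system, call it as `audit_fstab /etc/fstab`.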


#11

Thanks for your help.


#12

hi joe232 - iirc (and this goes way back) the deniability of truecrypt was based on a feature that split a file into two parts - a front part that was visible with normal os tools like notepad, and a hidden part that was the truecrypt enabled part where your encrypted data could live. you had to specifically declare it as such when you created the file. i don’t remember all the details, but that was the gist of it.

at the moment, i don’t know the state of geli full disk encryption, and i’ve read on the telegram channel that personacrypt, which uses a different encryption method, is also broken (or unreliable, or somesuch). that doesn’t leave very many options.


#13

Thanks for letting me know mate.