Re: How to protect an encrypted file system for off-line attack?



On Mon, 23 Feb 2009 00:06:02 -0500
Jeff Soules <soules@xxxxxxxxx> wrote:

> Hi Javier,
> 
> Thank you for your reply. Given the hypothetical (but all too
> possible) situation you describe, there are different considerations.
> 
> > Now imagine the worst situation, that a friend wants to protect his data
> > from his corrupt dictatorial government
> 
> Absolutely a possibility. There are many levels of secrecy --
> filesystem encryption prevents the contents from being known, but does
> not hide the fact that there is a secret. The presence of a secret
> could be enough right there. The kind of government you describe
> doesn't need to find evidence in order to "disappear" a person. This
> also makes it all the more possible that, if his house is raided and
> encrypted files are found, someone might try to torture the
> information out of him. (Even if the partition is named something
> harmless-sounding, I can't imagine cops anywhere who wouldn't demand
> it be decrypted so they could check it, and refusal would not look
> good.) In any case, with EncFS we're talking about a technological
> solution in which the encryption key is stored alongside the encrypted
> media, so whatever the password concerns are, this is unsuitable for
> keeping information truly secret when a hostile person might have
> enough physical access to the drive.
> 
> I think it is entirely too likely that a government like this either
> would be able to compromise the data (with or without recovering the
> passwords), or would be willing to punish him just for having
> encrypted data to begin with, if they know he has it.
> 
> > Then my question is: is EncFS good enough to protect his data?
> > I think the SD with stored password is a good solution. While he is not
> > in the house, he can carry the SD or have it hidden somewhere. While he
> > is in the house, and police enter, he might have enough time to probably
> > destroy the SD and turn off the computer.
> 
> With the level of danger involved here, I think the security issue is
> more that there be some rapid way to destroy any evidence of the
> existence of the data (possibly destroying the data itself), rather
> than making sure the password stays safe. Destroying the SD card is a
> start, but really a person under this kind of government would need to
> be able to say "No, there are no secrets," not "Here's a filesystem
> that you can't read."
> 
> That was my point in the original email -- while there are some
> interesting technical problems here, I think in this case the digital
> security is less important than the social/personal security
> surrounding it. Or, rather, the digital security will not wind up
> being the weakest link in the chain.

This is exactly the sort of problem that StegFS was invented to solve.
Unfortunately, there has never been a stable release, and development
has stagnated.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx