Other: How to make geli show a pseudo decrypted partition

Hi, I'm a newbie to FreeBSD

I used Truecrypt in Windows long time ago very well.

Truecrypt offers a function whereby, when the user inputs some password (NOT the real password), the encrypted partition shows "NO DATA", even though the encrypted partition has real data in it.

In other words, two passwords have been set beforehand, a real one and a pseudo one.
So users can fool someone watching the monitor at the same time.

Is this function possible in FreeBSD with geli(8)? (A UFS partition will be used.)
I read the manual and searched the internet, but found no solution.
I don't believe geli(8) can do this, nor can any native OS encryption scheme that I know of. I don't see what good that feature would do anyway.
Thanks ANOKNUSA... According to the Truecrypt manual, it assumes the situation where someone threatens the user to open the file or secret data, but the user wants to deceive him.
Geli has no such feature but gbde(4) has this:
man 4 gbde said:
Positive denial facilities
Considering the infeasibility of the above attack, gaining access to the pass-phrase will be of paramount importance for an attacker, and a number of scenarios can be imagined where undue pressure will be applied to an individual to divulge the pass-phrase.

A "Blackening" feature provides a way for the user, given a moment of opportunity, to destroy the master-key in such a way that the pass-phrase will be acknowledged as good but access to the data will still be denied.
 
I am not completely certain about this, but I think this "pseudo encrypted partition" feature might be in DragonflyBSD, since it offers a 100% compatible TrueCrypt implementation built on dm_target_crypt.

You'd have to ask one of their developers to be certain if the feature you are looking for is actually doable.

Regardless IMO, this would be a cool feature to have in FreeBSD. Does anyone know if OpenBSD can do this?
 
Geli works very well for every other worthwhile encryption method. Just not this particular "feature." The thing you want is really only useful for easing the most anxious and paranoid of minds. I fail to see how it adds any real security, as you're essentially gambling on the stupidity of the people trying to obtain your data. Surely one must think that if a person went through the trouble to lock a door, that person must have something behind that door they consider worth protecting---nobody locks the door to an empty room. You're assuming that those people attempting to get your data are going to see you punch in a passphrase for an encrypted volume, see that the volume is empty, and think nothing of it. I doubt that myself, given that the people searching your drives for data already have reason to suspect that it exists, and seeing an encrypted drive will only further that suspicion. TrueCrypt was around for a long time, was very popular, and hidden volumes was one of its selling points, so anyone who's familiar with it (like state-employed forensics experts and computer crimes task forces) will immediately suspect that they're looking at a hidden volume. If you really care about security and privacy, then a) don't bank on your potential enemies being stupid, and b) try to avoid making enemies or drawing attention in the first place.
 
Thank you all for your opinions. I'd better find some other methods.

Just verified my earlier statement. The following is from the DragonflyBSD lists; apparently they have supported it since 2011:

tcplay is a fully featured BSD-licensed TrueCrypt implementation using our dm_target_crypt; it is 100% compatible (with recent versions; older versions using aes-lrw and similar are not). It supports cipher cascades, hidden volumes, system volumes, etc. I started it as an experiment to investigate the TrueCrypt header format, but it ended up as a full implementation written from scratch. It now is divided into tcplay(8), the tool itself, and libtcplay (tcplay(3)), a very simple API to mount and unmount TrueCrypt volumes. tcplay is now fully integrated into DragonFly, including cryptdisks(8) support and root mount support (the realroot type is "tcplay", as documented in mkinitrd(8)).

http://leaf.dragonflybsd.org/mailarchive/kernel/2011-07/msg00028.html

It would still be nice to know if this is doable on OpenBSD. I'll do some digging on that too.