🔥 Alternative duress password for selective VMs destruction in coercive environments (for example, border crossings)

A technical guide for destroying sensitive or high-risk virtual machines when compelled to authenticate at border crossings or security checkpoints. The duress password is integrated at two authentication points: the lightdm display manager for system login, and the xscreensaver lock screen for session unlock. This ensures the duress action can be triggered both at initial boot authentication and when unlocking an existing session.
Make backups of all your VMs beforehand.

Download this repository in dvm:

git clone https://github.com/nuvious/pam-duress.git

then add it to a ZIP archive, for example pam.zip

Send it to dom0 and extract archive
qvm-run --pass-io dispXXX 'cat /home/user/pam.zip' > pam.zip

unzip pam.zip

Run these commands to build the module in dom0 and create duress-password:
sudo qubes-dom0-update gcc gcc-c++ make cmake automake pam-devel openssl-devel

make
sudo make install PAM_DIR=/usr/lib64/security
make clean
mkdir -p ~/.duress   
sudo mkdir -p /etc/duress.d

Create a script to delete some VMs and delete this script itself:

cat > ~/remove_vm.sh << 'EOF'
#!/bin/bash

if ! [ -w /run/qubesd.sock ] && [ -z "$DURESS_REEXEC" ]; then
    exec sg qubes "DURESS_REEXEC=1 $0 $*"
fi

export PATH="/usr/bin:/usr/sbin:/bin:/sbin:$PATH"

# Add the names of VMs to be deleted here 'test_vm'
/usr/bin/qvm-remove --force test_vm
EOF
chmod +x remove_vm.sh

( :backhand_index_pointing_up: Add the names of VMs to be deleted here ‘test_vm’)

Then add script in duress module:

cat > ~/.duress/remove_test.sh << 'EOF'
#!/bin/sh
/home/user/remove_vm.sh
rm -rf /home/user/remove_vm.sh
EOF

then
chmod 500 ~/.duress/remove_test.sh

duress_sign ~/.duress/remove_test.sh
add alternative password

and then:
chmod 400 ~/.duress/remove_test.sh.sha256

Check:
ls -la ~/.duress/

Module created.

Now we need to modify this file /etc/system-auth
sudo nano /etc/system-auth
Add this line
auth sufficient pam_duress.so
so that the first 6 auth-lines look like this:

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_duress.so
auth        required                                     pam_deny.so

then click Ctrl + C and Ctrl + X

Done. Now the specified VMs will be deleted when entering the duress password in lightdm and the screensaver.

For additional hardening, see my separate guide on system startup with forensic resistance - designed to mitigate disk and memory analysis.