A technical guide for destroying sensitive or high-risk virtual machines when compelled to authenticate at border crossings or security checkpoints. The duress password is integrated at two authentication points: the lightdm display manager for system login, and the xscreensaver lock screen for session unlock. This ensures the duress action can be triggered both at initial boot authentication and when unlocking an existing session.
Make backups of all your VMs beforehand.
Download this repository in dvm:
git clone https://github.com/nuvious/pam-duress.git
then add it to a ZIP archive, for example pam.zip
Send it to dom0 and extract archive
qvm-run --pass-io dispXXX 'cat /home/user/pam.zip' > pam.zip
unzip pam.zip
Run these commands to build the module in dom0 and create duress-password:
sudo qubes-dom0-update gcc gcc-c++ make cmake automake pam-devel openssl-devel
make
sudo make install PAM_DIR=/usr/lib64/security
make clean
mkdir -p ~/.duress
sudo mkdir -p /etc/duress.d
Create a script to delete some VMs and delete this script itself:
cat > ~/remove_vm.sh << 'EOF'
#!/bin/bash
if ! [ -w /run/qubesd.sock ] && [ -z "$DURESS_REEXEC" ]; then
exec sg qubes "DURESS_REEXEC=1 $0 $*"
fi
export PATH="/usr/bin:/usr/sbin:/bin:/sbin:$PATH"
# Add the names of VMs to be deleted here 'test_vm'
/usr/bin/qvm-remove --force test_vm
EOF
chmod +x remove_vm.sh
(
Add the names of VMs to be deleted here ‘test_vm’)
Then add script in duress module:
cat > ~/.duress/remove_test.sh << 'EOF'
#!/bin/sh
/home/user/remove_vm.sh
rm -rf /home/user/remove_vm.sh
EOF
then
chmod 500 ~/.duress/remove_test.sh
duress_sign ~/.duress/remove_test.sh
add alternative password
and then:
chmod 400 ~/.duress/remove_test.sh.sha256
Check:
ls -la ~/.duress/
Module created.
Now we need to modify this file /etc/system-auth
sudo nano /etc/system-auth
Add this line
auth sufficient pam_duress.so
so that the first 6 auth-lines look like this:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok
auth sufficient pam_duress.so
auth required pam_deny.so
then click Ctrl + C and Ctrl + X
Done. Now the specified VMs will be deleted when entering the duress password in lightdm and the screensaver.
For additional hardening, see my separate guide on system startup with forensic resistance - designed to mitigate disk and memory analysis.