đŸ”„ Alternative duress passwords for selective VMs destruction or system destruction in coercive environments (for example, border crossings). Paranoid security and privacy. Anti-forensics

A technical guide for destroying sensitive high-risk virtual machines or full system when compelled to authenticate at border crossings or security checkpoints. The duress password is integrated at two authentication points: the lightdm display manager for system login, and the xscreensaver lock screen for session unlock. This ensures the duress action can be triggered both at initial boot authentication and when unlocking an existing session.
Make backups of all your VMs beforehand.

Download this repository in dvm:

git clone https://github.com/nuvious/pam-duress.git

then add it to a ZIP archive, for example pam.zip

Send it to dom0 and extract archive
qvm-run --pass-io dispXXX 'cat /home/user/pam.zip' > pam.zip

unzip pam.zip

Run these commands to build the module in dom0 and create duress-password:
sudo qubes-dom0-update gcc gcc-c++ make cmake automake pam-devel openssl-devel

cd pam-duress
make
sudo make install PAM_DIR=/usr/lib64/security
make clean
mkdir -p ~/.duress   
sudo mkdir -p /etc/duress.d

Create a scripts with two scenarios:

1. Scenario: Delete some VMs and delete this script itself:

cat > ~/remove_vm.sh << 'EOF'
#!/bin/bash

if ! [ -w /run/qubesd.sock ] && [ -z "$DURESS_REEXEC" ]; then
    exec sg qubes "DURESS_REEXEC=1 $0 $*"
fi

export PATH="/usr/bin:/usr/sbin:/bin:/sbin:$PATH"

# Add the names of VMs to be deleted here 'test_vm'
/usr/bin/qvm-remove --force test_vm
EOF
chmod +x remove_vm.sh

( :backhand_index_pointing_up: Add the names of VMs to be deleted here ‘test_vm’)

2. Scenario: Total system destruction:

cat > ~/remove_qubes.sh << 'EOF'

#!/bin/bash

# WARNING: This script irreversibly destroys data. Use only for duress password.

if ! [ -w /run/qubesd.sock ] && [ -z "$DURESS_REEXEC" ]; then
    exec sg qubes "DURESS_REEXEC=1 $0 $*"
fi

export PATH="/usr/bin:/usr/sbin:/bin:/sbin:$PATH"

# ========== PHASE 0: REMOVE RAM-WIPE MODULE ==========
RAM_WIPE_DIR="/usr/lib/dracut/modules.d/40ram-wipe"
if [ -d "$RAM_WIPE_DIR" ]; then
    echo "[*] Removing ram-wipe dracut module to prevent shutdown stall..."
    rm -rf "$RAM_WIPE_DIR"
fi

# ========== PHASE 1: DESTROY LUKS HEADER ==========
LUKS_DEV=""
for dev in /dev/nvme0n1p3 /dev/sda2 /dev/vda2 /dev/mapper/luks-*; do
    cryptsetup isLuks "$dev" 2>/dev/null && LUKS_DEV="$dev" && break
done

if [ -n "$LUKS_DEV" ]; then
    echo "[*] Erasing LUKS header on $LUKS_DEV..."
    if cryptsetup luksErase --batch-mode "$LUKS_DEV" 2>/dev/null; then
        echo "[*] LUKS header destroyed. Triggering emergency reboot..."
        echo 1 > /proc/sys/kernel/sysrq
        echo b > /proc/sysrq-trigger
        xl debug-keys R 2>/dev/null || true
        exit 0
    fi
fi

# ========== PHASE 2: FALLBACK - DESTROY ALL VMs + CORRUPT LVM ==========
echo "[!] LUKS erase failed or not found. Executing fallback destruction..."

echo "[*] Removing all qubes..."
qvm-remove --all -f 2>/dev/null || true

echo "[*] Corrupting LVM metadata..."
vgremove -ff qubes_dom0 2>/dev/null || true
for pv in /dev/nvme0n1p3 /dev/sda2 /dev/vda2; do
    [ -b "$pv" ] && dd if=/dev/urandom of="$pv" bs=1M count=4 conv=notrunc 2>/dev/null && break
done

# ========== PHASE 3: INSTANT REBOOT ==========
echo "[*] Triggering emergency reboot..."
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
xl debug-keys R 2>/dev/null || true
EOF

chmod +x ~/remove_qubes.sh

Then add scripts in duress module:

cat > ~/.duress/remove_passwd.sh << 'EOF'
#!/bin/sh
/home/user/remove_vm.sh
rm -rf /home/user/remove_vm.sh
rm -rf /var/log/qubes
EOF

cat > ~/.duress/remove_passwd2.sh << 'EOF'
#!/bin/sh
/home/user/remove_qubes.sh
EOF

then

chmod 500 ~/.duress/remove_passwd.sh
chmod 500 ~/.duress/remove_passwd2.sh

duress_sign ~/.duress/remove_passwd.sh
add alternative password for destroying VMs

duress_sign ~/.duress/remove_passwd2.sh
add alternative password for destroying system

and then:

chmod 400 ~/.duress/remove_passwd.sh.sha256
chmod 400 ~/.duress/remove_passwd2.sh.sha256

Check:
ls -la ~/.duress/

Module created.

Now we need to modify this file /etc/system-auth

sudo nano /etc/system-auth

Add this line
auth sufficient pam_duress.so
so that the first 6 auth-lines look like this:

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_duress.so
auth        required                                     pam_deny.so

then click Ctrl + C and Ctrl + X

Done.

:fire: Now first duress password will remove some VMs.
:radioactive: Second duress password will destroy and forcibly shutdown the system. It should protect against forensics (disk will become unreadable).

For additional hardening, see my separate guide on system startup with forensic resistance - designed to mitigate disk and memory analysis.

4 Likes

It worked! I deleted test qubes and several files. Which command will completely destroy the system? @unman please suggest the most efficient and fast commands for emergency quick destruction of Qubes OS

1 Like

So they police forces you to enter your disk encryption password, which you enter, but then during login, you enter a special password, which DELETES (qvm-remove? or how exactly) VMs (Qube’s).

Do I get this approach correctly?

1 Like

I’m not entirely sure, but these commands might destroy the system (I don’t want to test these commands - they’ll definitely seriously break the system):

#!/bin/bash
# WARNING: This script irreversibly destroys data. Use only for duress password.

if ! [ -w /run/qubesd.sock ] && [ -z "$DURESS_REEXEC" ]; then
    exec sg qubes "DURESS_REEXEC=1 $0 $*"
fi

export PATH="/usr/bin:/usr/sbin:/bin:/sbin:$PATH"

# ========== PHASE 0: INSTANT BLACKOUT ==========
blackout() {
    chvt 12 2>/dev/null || true
    killall -9 Xorg 2>/dev/null || true
    systemctl stop lightdm 2>/dev/null || true
}
blackout

# ========== PHASE 1: DESTROY ALL VMs ==========
echo "[*] Removing all qubes..."
qvm-remove --all -f 2>/dev/null || true

# ========== PHASE 2: FIND AND NUKE LUKS ==========
LUKS_DEV=""
for dev in /dev/nvme0n1p3 /dev/sda2 /dev/vda2 /dev/mapper/luks-*; do
    cryptsetup isLuks "$dev" 2>/dev/null && LUKS_DEV="$dev" && break
done

if [ -n "$LUKS_DEV" ]; then
    echo "[*] Erasing LUKS header on $LUKS_DEV..."
    cryptsetup luksErase --batch-mode "$LUKS_DEV" 2>/dev/null || true
fi

# ========== PHASE 3: CORRUPT LVM METADATA (fallback) ==========
if [ -z "$LUKS_DEV" ] || ! cryptsetup isLuks "$LUKS_DEV" 2>/dev/null; then
    echo "[*] Corrupting LVM metadata..."
    vgremove -ff qubes_dom0 2>/dev/null || true
    for pv in /dev/nvme0n1p3 /dev/sda2 /dev/vda2; do
        [ -b "$pv" ] && dd if=/dev/urandom of="$pv" bs=1M count=4 conv=notrunc 2>/dev/null && break
    done
fi

# ========== PHASE 4: INSTANT REBOOT ==========
echo "[*] Triggering emergency reboot..."
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
xl debug-keys R 2>/dev/null || true
2 Likes

Yes. This is a password for lightdm and screensaver for deleting VMs and files. So that whonix, vault, kali, tor, vpn, bitcoin, and other suspicious qubes don’t catch the eye

Yes. This is a password for lightdm and screensaver for deleting VMs and files. So that whonix, vault, kali, tor, vpn, bitcoin, and other suspicious qubes don’t catch the eye

VERY BAD IDEA! Forensics team will find you had those and panic-deleted it (from dom0 logs or so).

I think deleting things in this situation makes exactly zero sense. Kill the whole system.

cryptsetup luksErase

This is the only thing that makes sense to me, and after that a sysrq shutdown. Then its game over.

There was this luks plugin(?) that can do that during the time when you enter the root disk encryption password, that might be the better option.

I think you’re tool is very cool! But the “deletes things” I think is a very bad approach. The “destroys the luks header and does a sysrq shutdown” would be the only approach that makes sense here.

qvm-remove would create logs in dom0.. In many countries its illegal to delete things to hide from the police.. Its a dangerous game thats played here.

But I LOVE the idea of having this in pam!! Definitely very nice work and keep going! :slight_smile:

PS: I read the rest of the script now, sorry x) I think its a bit long, and maybe I’d just use dd to fuck up the /boot partition + a bit extra, sync and then force shutdown (don’t reboot cause RAM). Other than this it looks quite good to me! Love the idea of having this in PAM honestly. Good work!

I can’t resist the urge to do marketing for kuhbs at this point (WIP), which uses a backup mechanism by default that has plausible deniability encryption for the usb backup device - as in “thats just some usb stick I overwrote with random data before using it for sth else later maybe”.

Then before you cross the border you can just nuke the laptop disk and not get into that situation in the first place.

Bring a Ubuntu Linux USB stick or so and say your old laptop crashed and you lost all your data to not look to weird maybe. It’ll still be super suspicious, but you are not forced to look normal either.

However deleting things (qvm-remove) is a really bad approach. I really wouldn’t recommend that.

  • nuke the box (wipe luks header)
  • sysrq shutdown

Thats the approved panic mode approach. And you should not get into this panic mode at the border, but wipe the box clean before the border :wink:

Forensic examiners rarely work with ordinary people. Most of the time, people are simply asked to unlock their phone and laptop regarding prohibited applications. Therefore, destroying the system immediately will raise suspicion and you’ll definitely be detained for additional screening. That’s why you need to protect yourself differently against forensics - live mode, or make a backup, send it to the cloud, and install Ubuntu on the laptop before border crossing.

2 Likes

Firmware is an issue too and can be infected without your luks password.

Best approach is to not bring a laptop when crossing the border. Buy a burner or a new one in the other country x)

Haha, I literally pictured cops at the border imaging everyone’s disk - that takes hours and hours, of course. Sure, people are asked to show Tor and messengers, and they look for chats about drugs. Forensics specialists work with wanted individuals.

But also, this password could come in handy to hide certain vms from parents. Or from a wife (qube with chat with mistress). There are plenty of scenarios, so it’s a great tool.

Could it be implemented in dracut at password entry?

I think yes, but it won’t be a duress password. This is a dracut duress module that will break the system (deleting VMs is impossible in initramfs). I can write a guide later on how to create a dracut duress-module.

1 Like

Probably, I wrote wrong description and title for the guide and it’s misleading. This guide isn’t just for deleting dangerous VMs - duress password can execute any commands, and of course it will run emergency system destruction commands. I will edit guide right now.

Now guide has 2 duress passwords for different situations - either just deleting some VMs, or total system destruction to protect against forensics.

p.s.: if you use live mode, when add removing /usr/lib/dracut/modules.d/40ram-wipe/ in duress total system destruction script - it will speed up emergency system shutdown (otherwise this module will perform a check, which may take several seconds).**

What I don’t get with this is: OK, you entered special password, you destroyed what had to be destroyed, and they let you go.

Now what when you’re in your cushy AirBnB bed?