The honest truth is that you definitely have good methodology and logical thinking, but a few little things will get in the way. And I really do mean this as a compliment .
But I’ll explain why this wouldn’t even get to step 1 (in it’s current form):
In cryptography, the best algorithms are the ones that everyone knows, but still can’t break.
That’s more or less why AES (Rijndael), RSA, Diffie-Hellmann, Kyber and Dilithium are all standardised. Because everyone knows exactly how they work, and people still can’t break them
“Security through obscurity” will only get you so far (and I can promise you that they show patterns much more often that cryptographers would easily pick up on)
Uniqueness isn’t the issue, it’s predictability.
Sure, it might fool those automated boxes at border checkpoints that customs officers might plug your drive into, that try the most common methods first…
…but give it to a cryptographer, and they may well be able to see right through your obfuscation…
Ok, and how do you get it into the computer so that you can decrypt stuff?
In order for the computer to be able to decrypt your stuff, it has to have readily available:
- The decryption key
- The algorithm
These are usually stored in RAM while the computer is on. (And yes, if you know where to look, you can get them in a RAM dump)
Encrypt it with what? How does the computer know how to decrypt it if you’re not going to tell it the algorithm?
If you don’t decrypt the header, then the BIOS will likely say “No bootable device found
” unless it knows that it’s a LUKS device.
This is what a LUKS header looks like:
LUKS header information for /dev/sdb
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha512
Payload offset: 4096
MK bits: 512
MK digest: a5 2b 28 28 65 1b 72 47 b6 5e 13 03 53 d1 21 58 16 16 01 0e
MK salt: 2d 69 3a 58 a0 05 43 d4 c6 b3 12 fb 93 21 a1 0a
3d 35 78 59 a6 48 48 e3 8c 8c 4a 27 93 ec a1 d6
MK iterations: 63750
UUID: ecbc1d41-d1b6-4fc1-b2f0-7688c93cdc45
Key Slot 0: ENABLED
Iterations: 2582695
Salt: ab f9 18 8b 35 f9 f0 d6 fe a2 82 0a 08 1d 18 d9
b4 de 02 d8 71 8a a6 00 54 04 65 c5 75 66 91 8b
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
All of this information is in plaintext. It has to be for LUKS to actually function…
So, you either have to detach the header (put it on another device that is only present at boot), or write some kind of code somewhere (initramfs, external block device, a remote server, etc.) that can tell the computer the algorithm needed to decrypt it, and put it somewhere the CPU can access it and understand it.
Also, for completeness, this header stays in RAM while the computer is on, even if you remove the detached header once you’ve booted. That’s how the CPU is able to keep track of where everything is among the cipherblocks on the drive.
Sources:
LUKS1 Specification v1.2.3
LUKS2 Specification v1.0.0
Ok, but where does the ramdisk come from? Does this mean that you’d have to compile the algorithm module from your brain straight to RAM every time you turn your computer on?
If you can do that, that is absolutely incredible, but I certainly do not have that kind of brain power. And even if I did, I might do it once or twice, and then it would become tedious…
So basically you’d be decrypting every single byte/block manually, one by one, in your head? A LUKS header can be ~16MiB in length, or more.
That’s a lot of bytes to do manually…
So, you want to put the header for the volume inside the cipher…?
You end up with the same chicken-and-egg problem as you do with the detached headers:
- You can’t decrypt the drive without decrypting the headers
- You can’t decrypt the headers without decrypting the drive
It would confuse the heck out of anyone analysing the drive, but it would likely prevent you from using it, too
Detached headers already reasonably solve this problem.
You can have an internal hard drive that is seemingly full of random garbage, and the headers somewhere else (SD card, USB stick, remote server, RFID card, YubiKey, NFC reader, embedded in device firmware somewhere, TPM, etc.).
The detached header would often also include the boot partition(s).
A hard drive that is full of random garbage except for a boot partition would look very suspicious .
LUKS logical volumes are interweaved with each other, as opposed to other filesystems where they will sequentially write to blocks next to each other, which makes it harder to tell which blocks belong to which partitions/volumes, let alone which individual files.
Like I said, I really do like the idea, but it needs a lot of work before it’s actually feasible
I can see this method working for small files, but anything bigger than a few kilobytes would likely be beyond usability