As a follow-up, I wanted to create a new post on the same subject. That’s how I found this thread.
Due to the increased tyranny in the world, I feel that QubesOS, like any other operating system, must create built-in solutions to the problem of invasive border control searches.
One solution is to create a backup in the cloud, wipe the system, and restore it at the travel destination. However, that is very cumbersome, and I wish we could do better. Not necessarily against adversaries who don’t care about human rights, but at least to have decent legal protection, such as plausible deniability.
In other words, QubesOS needs an out-of-the-box solution! Let’s brainstorm and get some funding!
Second follow-up (sorry for the spam): What are the best tools for plausible deniability outside of full-disk encryption? Are there any options that are more effective and trustworthy than VeraCrypt’s hidden containers?
This kind of stuff depends heavily on an individual’s threat model and computing needs.
For example, this thread is great for detached header but as the note in the first post mentions, trim being on could ruin plausible deniability and turning it off might impact performance so as to not meet users needs.
Another issue is that UEFI shows old boot entries (itll say Qubes on boot up)
If a detached LUKS header does not work, QubesOS may be able to create dedicated VM storage that offers plausible deniability. Like direct, integrated VeraCrypt containers. This would work around the UEFI boot entry issues. My overall point is that I believe QubesOS should work towards and transition to an out-of-the-box solution.
It’s one of the first lines in @apparatus’s LUKS tutorial. It’s great, don’t get me wrong, but I think the community could benefit much more from a built-in solution. This would generate more user interest, adoption, and peer review. No one wants to switch to TTY just to tinker with cryptography.
Perhaps QubesOS could do even better than a detached LUKS header. I consider legal plausible deniability to be important here. Like invasive border control. It might actually be better to boot up the system. With a detached LUKS header, it’s always “oops, my drive failed, aka, I don’t know what’s going on” (suspicious). Therefore, QubesOS might be much better with a dedicated, per-VM storage solution that can be mounted at VM startup. Something similar to VeraCrypt. Two modes would be great: 1) normal encryption and 2) a second hidden container encryption. Do you think something like this would be possible?