This sounds awesome! I hope they also implement a way to recover a lost boot environment with one click too.
The whole boot environment I think. Except all modules and stuff that is loaded, is the same in every other Linux too, so that nobody knows for sure what it is exactly.
Yeah it’s still encrypted which could lead someone to the conclusion that there must be a key to this lock. With available luks-header you need one minute to figure out what it is. Without header, I don’t know; still not impossible I think, but I haven’t checked the partition/disk header.
Edit: But this will maybe not yet reveal that it’s Qubes. But a valid luks-header will maybe reveal encryption settings that could lead to the conclusion that it is Qubes. But that’s just a guess.
Such a talk makes me thirsty, so I’ll enjoy my Snakeoil-Cocktail now and look forward to getting a fancy Bitlocker-Unlock-Screen soon - I really can’t wait to press ESC for “Bitlocker recovery”
Maybe the approach of VeraCrypt for hidden volume would do this: Creating a VM within a hidden VeraCrypt partition
Basically, Ali would have an OS which is “approved” on his laptop, and “inside” it will be the hidden Qubes OS …
Best,
Maybe, approach this question from another perspective. If a fellow is living in a country concerned about terrorism, in desperate need of a paycheck. Goes to work in an airport.
The boss comes along, “I understand you mess with computers in your spare time. You know this electronics stuff. Cell Phones, Windows, what is that other thing that begins with an linux, however you pronounce it. So, I appoint you tech expert of this airport. You write up a “List”; bunch of easy to understand rules for our guys who search people and luggage about what to look for. If it is something on your list, the guys on the search line will seize it, and bring it to this little workshop that you have back here. If it is a device or thing you can’t get information out of, then you can call this other office that is part of national crime lab to help out.”
I am guessing that someone who has the equal of a university level degree in Computer Science is not going to be at the airport security office. A high level of education fellow might be at the downtown security office, and might help out with the “List” of what to watch for.
Notice the use of this “List” means the government obeys some rules, some etiquette in how it treats individuals the authoritarian group might not like. Then is how it will treat those it has identified as it already does not like, or want to have around. Which the kindest thing might be to deny them entry into country, saves having to arrange an accident for them later.
While this may seem obvious to some of you, realize the security officers may have a lot less knowledge of electronic devices than those who worry about Human Rights, or simply Privacy. But Security Officers do follow orders.
How badly would it destroy the Qubes security model if I used this for 1) Windows never connected to the Internet and 2) Qubes and 3) Other Linux that has better GPU support?
With Shufflecake, it looks like it could even be possible to not only hide an entire operating system, but also hide certain LVM containers from Qubes OS itself, and even certain files within those VMs, depending on what password you type in at boot
Plausible deniability as to whether you have Qubes OS installed
Plausible deniability as to the fact that you do have Qubes OS installed, but whether you have certain VMs present
…AND…
Plausible deniability as to the fact that you do have Qubes OS installed, you do have certain VMs present, but whether certain files exist within those VMs
Yes. Plausible Deniability INCEPTION
Needs a lot of fine-tuning, though. For example, over-commitment is definitely possible. For example, if you don’t unlock all your drives, you can definitely accidentally (or someone could deliberately) copy something over a partition, corrupting it, or deleting it entirely…and Shufflecake doesn’t exactly know how to deal with that yet…
IBM, most likely the people who coined the term “partition”, would be like this right now:
Tell Linux that there’s something there in that space of the drive
And your plausible deniability goes in the toilet!
Unlikely (and very stupid, I might add) for them to do it this way
Allow the overwrite, not fix the hidden partition, and not update the partition map
You have plausible deniability, but now your entire drive is corrupted, and the way Shufflecake currently works, causes a Segmentation Fault, and your partitions won’t mount properly
Allow the overwrite, not fix the hidden partition, and update the partition map
List the partition as “damaged”, “tainted”, “over-committed”, or something like that, to let the user know that it’s been overwritten by something in a partition that’s higher than it
And likely alert the user the next time that partition has been successfully unlocked
TrueCrypt is quite old. The last Ubuntu version that actually supported TrueCrypt was Ubuntu 8.10, from 12 years ago (See: TrueCrypt - Community Help Wiki)
Shufflecake does all of this and more, which is why I’m leaning more towards Shufflecake being a better fit…
But hey, it’s still worth investigating
If all jobs were like this, then none of us would have even bothered with CompTIA or Linux+ certifications
Surprisingly, it’s the opposite. Usually those jobs have high turnover, and are full of highly-skilled, highly-qualified people, whose qualifications have nothing to do with their current employment. They are just there temporarily so they can keep paying their bills, while just waiting for an opportunity to move onto something else.
If anyone reading this genuinely has a passion for airport security screening, more power to you. But even you would agree with me that most of the people you work with fit the description above
@catacombs, I think @barto means the anti-List™ of things that will piss off an Officer enough for them to look at their list of powers and go “OK, what can I do to this blockhead to ruin their day, and isn’t going to get me fired for overreach? Wow! I can actually do A LOT! Take a seat. You’ll be here a while. Hans, prepare the long rubber glove…”
If you mean what I think you mean (correct me if I have misunderstood you), then running Windows in a partition that shares “empty space” that isn’t really “empty space”, then that’s a recipe for disaster.
Windows is the Steve Stifler of OSes (if anyone doesn’t get that reference, see here: Steve Stifler | American Pie Wiki | Fandom). It comes in, acts like it owns the place, touches whatever it wants, with little to no regard for anything else that might be on your computer.
Yes, COMPUTER, not just hard drive. Windows touches your UEFI firmware, your system clock, your BIOS (if your BIOS lets it), your other partitions, your partition map, and even your CPU microcode in some circumstances.
Windows does this as part of its startup process. Anyone who dual-boots will have countless stories about their computer being borked after booting into Windows.
Hell, even booting the Windows Installer ISO from a USB does this!
Does it ask you if it can do this, or even notify you that it’s doing this? Of course not. Why would it? It thinks it’s the center of the universe
So I can imagine that the first thing that Windows might do is “touch” all that empty space™, forcing all your other things to essentially disappear.
Shufflecake recommends that you do all your daily driving inside the lowest partition, because to be able to unlock that partition, you have to, by definition, also unlock all the other partitions…
…and trust me, I’ve tried it. It’s chaos if you don’t…
Shufflecake appears to be excellent for single-use plausible deniability, assuming the following:
You do your daily driving in the lowest partition
You do regular backups of your important files
Or complete drive clones if you’re 1337
You operate under the assumption that you have lost ALL your data if you ever need to play the Plausible Deniability Card™
Just in case anyone was wondering why Qubes OS does not have good hardware acceleration support:
A lot of GPU firmware and drivers are GIGANTIC, and likely way larger than they need to be to perform the functions they claim to perform. Because of this, there’s a lot of speculation that they may be doing extra things other than just drawing polygons on your screen
Nobody wants that in their dom0…
So, just in case, it’s been deliberately left out of dom0, at least until such time as the firmware can be compartmentalized without causing a cataclysmic meltdown of your machine.
Reading this, you seem to suggest Shufflecake instead! How? Shufflecake is still experimental! https://shufflecake.net
If one would use Shufflecake, they will be known to be a Linux user, because Shufflecake is mainly for Linux (1), and they will be known that they primarily use Hidden System because Shufflecake is made only for Hidden System (2).
Using VeraCrypt, you avoid these 2. VeraCrypt is not primarily for hiding, and actually supports Windows more than Linux. This means that if you’re even asked why do you use VeraCrypt or what is this VeraCrypt you use, you can reply: “I saw it while doing non-sense on youtube it’s pretty cool! It protects computer much, like antiviruses!” (or other words like that.)
My question is: What does VeraCrypt fall short on so you are recommending Shufflecake over it? I saw only one post by @agrozdanov recommending VeraCrypt:
Why is that? What information do I miss?
Is VeraCrypt Hidden System the best option? If no, then what is the best option?
@solene you’re looking at this from a technical level assuming adversaries are always sophisticated and spend lots of resources to figure something out.
Someone looking at a locked Debian screen with low understanding of computers may not send that computer off to advanced forensics with a top computer scientist.
Sometimes just getting the computer to sit in an evidence room as a locked Debian computer, waiting a year, and doing nothing could result in a person getting released and if the computer boots to Qubes it ends up different because by default the Qubes system includes Tor-Browser while Debian is a distro used on servers and in educational environments. Many governments don’t like Tor. In real situations things get overlooked all the time because of limited time and resources unless it’s an advanced investigation with extreme resource allocation.
VeraCrypt whacks a big continuous block in the “free space” of the partition it’s in
Painfully obvious, especially if you haven’t set it up properly (which is quite possible)
Shufflecake “interweaves” the logical blocks of each volume throughout the entire drive, at random places in amongst the unused blocks
Unused blocks are full of “random garbage”
Used and unused blocks look identical when forensically examined
You can have as many logical volumes inside your Shufflecake partition as you like - (standard) VeraCrypt can only have 1.
An attacker has no real way of knowing whether all volumes in a Shufflecake partition have actually been unlocked or not.
By design, Shufflecake partitions will always declare volumes that haven’t been unlocked as “free space”, and will allow writes to them
Indistinguishable to the OS
Allows locked volumes to be corrupted
Kind of necessary to achieve plausible deniability
Resistant to Snapshot Analysis
Very resistant to forensic analysis
Where they look at your drive only once
Cloning your drive once, and analysing only that
Also resistant to even snapshot analysis
They clone your drive multiple times over a period of time to see what’s changed
If a block remains unchanged across multiple snapshots, it’s a strong indication that it’s got data on it.
Shufflecake gives each block write fresh Initialisation Vectors
IVs are essentially a random value that is used to encrypt the first block of a data write, to make it look different to blocks encrypted with the same key at a different time.
Resistant to padding attacks
If a block isn’t successfully decrypted, it just reports it as “free space”
More Fallback Options Available
In Shufflecake:
You can structure your data in levels of importance/secrecy
You can have multiple keys for each level (like LUKS)
Each key will unlock its level, but also all levels above it
This allows you to store your private
An example of a Shufflecake volume table might be this:
| Level | Purpose | Data | Purpose | Notes |
|---|---|---|---|---|
| 0 | Decoy | Fake Windows Update Animation | “Show me it’s a working laptop, and not a bomb” | |
| 1 | Decoy | Real Barebones Windows Install | “Let Windows Update finish. Show me the login screen” | If mounted, ignore Volume 0 |
| 2 | Decoy | Fake Windows User Data (Cat photos, browser history, etc.) | “Log in and let me have a look around” | |
| 3 | Decoy | Fake Secret VeraCrypt container | Comprehensive non-forensic device inspection by someone tech-savvy who knows a hidden partition exists | “Ok, ok. Here’s the password for the secret files…” |
| 4 | Production | Qubes OS Vanilla Install | “I know you have Qubes OS on here. OPEN IT!” | If mounted, ignore Volumes 0-3 |
| 5 | Decoy | “Work” Qubes OS VM Pool | “What? I just use Qubes OS for business documents and zoom meetings, I swear…” | |
| 6 | Decoy | Fake Secret Qubes OS VM Pool | “Ok fine. Here are the secret files. I swear. That’s really all there is. Those other blocks? I don’t know why they’re not zeros. Maybe it’s to extend the lifespan of my SSD. Can I please go now?” | |
| 7 | Top Secret | Actual Secret Qubes OS VM Pool | Daily-driving | They get into this, it’s Game Over™ |
“So, you wouldn’t mind if I wrote over these ‘unused’ blocks on your drive?”
“No, of course not. Go for it…”
Shufflecake, when it’s ready, will be so much more versatile and effective than VeraCrypt.