Hardening entry mechanisms and implementations

a concept i hope to be pursued is an addition of hardening on the entry mechanism in qubes, as spoken of here: Qubes Duress - Deniable Qubes Instalation - #6 by Sven

possible enhancements to plausible deniability could include the use of “duress passcodes” used to erase disks upon submitting, the in-house creation of a hardware tool similar to a YubiKey, or the implementation of hidden volumes in combination with duress passcodes. if it can be denied that a disk is qubes to begin with, this is a stronger form of denial than the current status, which is no possible denial at all. including an implementation like this in R4.1 should be a priority and could benefit the community greatly.

have any qubes enthusiasts had success with projects such as this? whether it be implementing duress passcodes, external hardware for passcode verification, or hidden volumes? let us discuss possibilities, or please include references in good faith for an implementation of this feature in the 4.1 release.

another interesting reference worth checking: How to install Qubes OS on block device without a partition table?

If you are open to the idea of using an Opal 2.0 SSD then there is a way to keep a drive looking unused/blank until the correct password is entered to unlock the drive. I have used this specific feature to hide partitions but there is no reason it could not be the whole drive as well. One can do this easily by using the shadow MBR for the real partition table, while in the default locked configuration you can make it so there is not even a visible partition table. The underlying partitions and data are all encrypted, so without the proper key, the drive would just look like random bits. You can even make the drive (range) read-only so that it cannot be tampered with until you unlock it (a true anti-evil-maid device).

disclaimer - I used to work with the author of this paper.

On top of this, you can build in a dead-man's-switch by triggering software to reset the drive if tampered with. When you reset the drive you are just changing the key back to the default factory setting, which simultaneously flips every bit on the storage device. Unlike DBAN or other file wiping software, this is instantaneous erasure, and once done there is no way to get your data back.

sedutil --yesIreallywanttoERASEALLmydatausingthePSID

Sedutil

2 Likes
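To make the locking-range idea above concrete, here is an added example (not from this thread or from the sedutil project): a small POSIX sh wrapper that sets up an Opal locking range over the boot partition, toggles it between read-only and read/write around an update, and keeps the PSID revert as the last-resort wipe. The sedutil-cli flags are the ones I know from its documentation, so verify them against your sedutil version; /dev/sdX, the sector numbers, the password and the PSID are placeholders.

```shell
#!/bin/sh
# Constructed example: manage an Opal locking range over the boot partition
# with sedutil-cli. The flags used here are the sedutil-cli ones as documented
# upstream (assumption: check them against your installed version).
# SEDUTIL may be overridden with a stub command for dry runs.
set -eu

SEDUTIL="${SEDUTIL:-sedutil-cli}"

# Locking range 1; in sedutil, range 0 is the global whole-disk range.
BOOT_RANGE=1

# Create a locking range covering the boot partition, given its first sector
# and sector count (e.g. taken from 'sfdisk -l'), then enable locking on it.
opal_setup_boot_range() {
  dev=$1; start=$2; length=$3; pw=$4
  "$SEDUTIL" --setupLockingRange "$BOOT_RANGE" "$start" "$length" "$pw" "$dev"
  "$SEDUTIL" --enableLockingRange "$BOOT_RANGE" "$pw" "$dev"
}

# Make the boot range read-only once the system is up and self-verified.
opal_boot_ro() { "$SEDUTIL" --setLockingRange "$BOOT_RANGE" ro "$2" "$1"; }

# Temporarily allow writes, e.g. right before a bootloader/kernel update.
opal_boot_rw() { "$SEDUTIL" --setLockingRange "$BOOT_RANGE" rw "$2" "$1"; }

# Run an update command with the boot range writable only for its duration;
# the range is re-locked read-only even if the update fails.
opal_update_boot() {
  dev=$1; pw=$2; shift 2
  opal_boot_rw "$dev" "$pw"
  rc=0; "$@" || rc=$?
  opal_boot_ro "$dev" "$pw"
  return "$rc"
}

# Dead-man's switch: a PSID revert returns the drive to factory state, which
# replaces the media encryption key and makes all existing data unrecoverable.
# Irreversible by design; the PSID is printed on the drive label.
opal_psid_revert() {
  "$SEDUTIL" --yesIreallywanttoERASEALLmydatausingthePSID "$2" "$1"
}
```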

excellent idea and i thank you for your contribution. would there be any other security-focused projects that i could implement in qubes you would recommend i glance at? this dead man's switch is very intriguing.

The main feature I would like to see with qubes is making the boot partition and partition table read-only so that it is impossible for an evil-maid to tamper with the system startup sequence. Once the system is operational, unlocked, and self verified it can be made read/write just before any system updates are to be applied.

The downside is that fixing a failed bootstrap-related update would then require unlocking the device and changing it to read/write mode before any boot repairs could be made, so a software utility would likely be required on a bootable emergency repair USB or something similar. Otherwise an SSD/Opal factory reset and restore would be required to recover. In any case, nobody without the proper keys and passphrases is ever getting the system back.

1 Like