I don’t think I follow a lot of what people are saying on installing LUKS with a detached header. Yes, if my header lives on a USB there’s effectively no way to figure out much about the partition (I believe dm-crypt has some metadata leakage but that can be dealt with).
What I want is a VeraCrypt-esque FDE setup: a LUKS-encrypted disk with the header file on disk (which doesn’t look very suspicious), and then a hidden partition/container (in which I either run an entirely different OS or just keep to run disp VMs on), with the header for the second partition/container on a USB which I won’t carry with me when crossing borders.
Obviously, this means that the hidden partition must not be visible with forensic tools. I do not think that the guides talking about LUKS encrypted headers on a different drive take this into account. Unfortunately I’m too much of a Linux noob to do this myself so I’m asking the community for help. How do I keep a hidden partition on a LUKS encrypted drive?
I thought it could be done with LVM, i.e. a hidden volume using LVM on top of LUKS (so when someone takes an image of the drive, all they see is gibberish without the password), and when looking inside they cannot see any trace of the “hidden LVM”.
My threat model doesn’t include preserving the material in that hidden partition against duress - if they want to wipe my drive they can feel free to do so.
What do you think I should do?
I might have to go through a situation similar to what I describe here at some point.