This is an interesting and old, but very complex topic that will, i hope, produce some lively debate and input.
Duress passwords on login
In terms of how this may play out - it depends on who is making the machine owner act under duress. I can see many facets - some legal, some nation state, some criminal etc. Legal side - some jurisdictions seeing a headerless, crypted partition will be saying “no legal proof, we cant do a thing,” through to some who will be saying “we see what looks like an encrypted drive” and compelling the owner into revealing the decryption keys (Regulation of Investigatory Powers Act 2000 part III in the UK for example). Nation state level, I wouldnt even like to postulate. And Criminal elements after the encryption key? Well, thats the old “heres my friend Mr lead pipe” approach, surely?
Bear in mind any IT forensics team who have any form of - uhm - common sense, will first image the drive and work from that image. For example, law enforcement or similar state services are unlikely to power up your machine and ask kindly for the passwords. They will have an image made of the drive, then return the drive to the original hardware and seal as evidence (or return the drive to the hardware if it was obtained clandestinely). The work will then be done on that image (or one of a few copies made of it). A duress password would be absolutely useless in such a situation as once that has been used and the data destroyed, any forensics team would be aware by performing a simple comparison of the images.
There is really only a very small, finite “im under duress” window where you may be actually in front of the computer and the only copy of the data is the one on the drive in the machine - some nations can ask you to log into your laptop at the border, so they can inspect the contents before granting entry, for example. Or perhaps there was some adversary performing a home invasion (legal or not) hoping to find the machine in a powered up, non encrypted state (I could see in that scenario that a lock screen duress password may be an interesting conept, as long as the machine user has enough time to actually hit lock)
Deniable encryption in the form of luks volumes without identiefiable headers could be another solution.
This would be easily visible upon analysis. Lets say i have a 512G drive, and 64G of that is non encrypted, randomOS. Then the rest of the drive is non partitioned/filled with gibberish. It would be pretty clear theres “something” there. Even containers within the partitions are not foolproof (along the lines of truecrypt hidden volumes). There is an old but reasonable paper on the concept here
HEADs enhancing paradigms where instead of only system integrity, checks for user integrity could also be applied would be best.
interesting concept, I am a heads fan. Heads already has the GPG public key of the user embedded in CBFS. Requiring the private GPG key to boot could provide user integrity checking but only as far as “someone has my physical usb key.” Also, the TPM passphrase is required to unseal the luks keys from the TPM (If the user installed that way) or the luks passphrase is needed to boot if the key is not sealed in the TPM… You could go extreme and say “if the machine boots without my GPG key in the slot, then burn it” - but remember what I said above about most situations being where an image of your drive is being worked on. Imagine a PBKAC where the user forgets to put the key in and kill their own data one day. The situations where you would get the opportunity to, under duress, type in a duress password are likely less than you think.
im sure theres plenty more others may comment on this topic. At least I hope so.