Qubes OS Detached LUKS Header Installation

waterfrontpark · August 21, 2021, 1:50pm

Is it really possible to install Qubes OS detached LUKS header on separate encrypted drive? If so it would have plausible deniability for qubes installation.

fsflover · August 22, 2021, 12:47pm

51lieal · August 23, 2021, 5:17am

I don’t think encrypted detached header will add more security. But it’s possible to configure detached boot, and header. Soon when i have time i’ll post the guide.

waterfrontpark · August 23, 2021, 6:15am

I think it does. If the user destory the USB reading the qubes disk is impossible

51lieal · August 23, 2021, 6:39am

The problem is, “IF” you are arrested, and there’s a usb and a laptop. They’ll know you are hiding something, and in any case if you are just losing usb / laptop. still they would know nothing. That’s what I believe for now, I don’t know how the attack method will be in the future.

waterfrontpark · August 23, 2021, 7:01am

Destroying USB is way easier than destroying storage devices/laptop. In some countries users are forced to hand over the decryption password, If the user can destroy the USB there’s no way to unlock the disk.

redmind · October 3, 2023, 6:51am

In a scenario which you’re to be arrested NOT on the move, such as at home or hotel room, there’s enough time to destroy or hide the USB. In case they confiscate everything you can give them anything but claim it worked perfectly before and they “broke” your equipment. As far as I know, most law enforcement agencies don’t employ smart enough people to realize the header is missing.
Another trick would be to “hide in plain sight”. Rig a printer or other peripheral device that use USB connection, and set it so your USB drive (containing the header) is hidden inside it. You can either use a USB splitter or kill the printer internal USB connector and connect your USB drive instead, in a hidden way. I highly doubt “regular” law enforcement agent will bother with confiscating your old printer/scanner/UPS, so if they take your computer they leave the header behind (their problem). For the traveling people, you can try using a portable “tea cup warmer”, “portable light”,“fan” or some other nonsense device that is reasonable to find, that has a USB connection and hid your USB drive inside. even if you don’t get to destroy it, someone will have to be smart enough to realize they need to connect your “cup warmer” to the laptop for it to start working

That said, I would really like to see a decent guide on how to do the detached header thing.
Also, is it possible to detach the header of a working system (without killing it of course) or do I have to install Qubes from scratch?

Thanks