Qubes Seizure Drill

Recently I asked if there were any examples of Qubes being part of evidence for a criminal case here in the U.S. Thus far there isn’t anything that qualifies, there’s just one entirely theoretical mention of Qubes in some whistleblower litigation.

I’ve lived the last twelve years being aware that there is a non-zero chance that I’ll get raided and my electronics will be seized. Without going crazy deep into the particulars, I keep contemporaneous information in a neatly sorted fashion and it gets backed up off site.

Once upon a time I was responsible for continuity of operations for a regional ISP. I make plans, then I periodically test them. I would like to do this with Qubes. A reasonable scenario is that I get up from my workstation, go around the corner for a coffee, and I get intercepted as I’m returning home. The system is found running, the power plug gets pulled out a little bit, a clamp goes on the plug, and the machine gets taken away as evidence.

Let’s assume I’m not cooperating in any fashion. Starting with the password protected lock screen, what could happen? What happens with the drive data once the machine is turned off and imaged?

What I’m looking for here are the 4th Amendment angles and where the obstruction of justice pitfalls might be. As an example, has anyone successfully limited any inspection to just the VM(s) involved in the incident that was used as probable cause for the seizure? Deleting data is obstruction; using system tools that limit data being saved is generally not. Has Qubes or any components it uses been tested in this fashion? A simple example of what I mean here are the disappearing chats in Signal. Wiping them is a problem, setting them to auto-delete after a week is not.

This shares a lot of similarities with getting a laptop in and out of the U.S., but the constitutional protections are much better. There has to be at least some information out there that fits this scenario, but I’ve not yet located it.

2 Likes

If your machine is not actually turned off when seized then the LUKS encryption key can likely be extracted from RAM (though that’s not trivial with LUKS2 as opposed to LUKS1 AFAIU, but probably possible for competent attackers), so if you leave your machine physically you best turn it off first.

You could also take a look at this, which is an experimental attempt to have LUKS suspend the volume during a kind of “standby”, so you don’t have to regenerate the system state from scratch when you return.

As for the legal aspect, IANAL, but a quick search brought this up (it seems to be complicated; perhaps in the US you can be compelled to surrender decrypted data).

2 Likes
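As an added example that is not part of this thread, this is how the "drop the key on standby" idea from the reply above could be wired into a systemd sleep hook on a Linux host: before the machine sleeps, every active LUKS mapping is suspended with `cryptsetup luksSuspend`, which freezes I/O on the device and wipes its master key from kernel memory, so a machine seized in standby no longer holds the key in RAM. The install path, the `SYSFS_ROOT` and `CRYPTSETUP` overrides, and the device names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): systemd-sleep hook that suspends all
# LUKS mappings before sleep so the master key is no longer in RAM.
# Assumed install path: /usr/lib/systemd/system-sleep/luks-suspend
# systemd calls it as: <script> pre|post suspend|hibernate|hybrid-sleep

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"          # overridable so discovery can be tested offline
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"    # overridable for a dry run

# Print the device-mapper names of active LUKS mappings, one per line.
# The kernel exposes each dm device's uuid as CRYPT-LUKS1-... / CRYPT-LUKS2-...,
# which distinguishes dm-crypt mappings from LVM and other dm targets.
luks_mappings() {
    for d in "$SYSFS_ROOT"/block/dm-*; do
        [ -f "$d/dm/uuid" ] || continue
        case "$(cat "$d/dm/uuid")" in
            CRYPT-LUKS*) cat "$d/dm/name" ;;
        esac
    done
}

# Suspend every LUKS mapping. luksSuspend blocks further I/O on the device
# and zeroes the key in the kernel. Prints the number of mappings suspended.
suspend_luks_mappings() {
    n=0
    for name in $(luks_mappings); do
        "$CRYPTSETUP" luksSuspend "$name" && n=$((n + 1))
    done
    echo "$n"
}

# systemd-sleep entry point: act only on the "pre" call.
case "${1:-}" in
    pre)  suspend_luks_mappings >/dev/null ;;
    post) ;;  # resume is interactive: cryptsetup luksResume <name> prompts for the passphrase
esac
```

The hard part is what the reply calls the experimental approach: if the root filesystem lives on one of these mappings, any page fault that has to read from disk blocks after `luksSuspend`, so both the remainder of the sleep path and the `post` step that runs `luksResume` must be served by a helper that is already fully resident in memory. That is why this hook leaves `post` empty and why, on a system with an encrypted root, it should only be deployed together with such a resident resume helper.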

If the system is using memory encryption, it should be protected against most types of attacks that read the memory. It would at least protect against cold boot attacks, or trying to read data directly off of the memory chips.

1 Like

Where is the encryption key for memory encryption kept? TPM?

1 Like

It’s a read protected ephemeral key generated by the CPU when it boots, not sure where it’s stored, probably in the CPU itself or north bridge / DRAM controller.

1 Like

There’s a balance between security and usability. Unless external pressure enforces something, people will shortcut. I am a people, albeit a professionally paranoid one, so I pay attention to compartments and anything that really must not be seen is encrypted at rest with veracrypt or age or something. Having some friction with the system if I get up and walk away for a bit would be a nonstarter - definitely one of those things that would get shortcut.

The closest match for my use case would be “researcher in a repressive country”. I’m always on the lookout for violations of that cluster of statutes that hackers have to heed - CFAA, access devices, wire taps, interstate threats, accessory after the fact, obstruction, etc. But just due to the path I have traveled I gotta be forever vigilant re: dirty feds. I’m super aggressive about it - any new person I meet gets told straight up “DO NOT MAKE ME A MATERIAL WITNESS”, and if they have trouble sticking to that, they get removed quickly. I make absolutely certain nobody with a badge ever gets some dumb idea like they can put me to work framing my fellow travelers 🙂

So unlike a lot of people, there’s a bunch of stuff on my system that I WANT the feds to dig into. I think they should start with All Enemies, Foreign And Domestic, Especially Roger Stone. I found something the Mueller investigation missed and I have no confidence that it’s ever been properly investigated.

Depending on how the next eleven months go, maybe the heat will come off me. Or maybe a whole lot of people are suddenly going to need to know all this stuff I learned the hard way.

1 Like

I’d say this is Qubes-specific enough to belong in General Discussion

2 Likes

The FBI applied for a search warrant on their own evidence lockup. Reading between the lines, they envisioned some 4th Amendment defense against the CHS (confidential human source) they had recruited. The BlackCat ransomware operators publicly posted a job(!) and the CHS just applied.

They claim they sought the warrant “out of an abundance of caution”, which likely has something to do with the manner in which the CHS was “recruited” - it’s probably part of a cooperation deal. A witness that is being paid and/or put over a barrel can be impugned.

So … not Qubes specific, but this is a great example of why one has to closely examine all the paperwork.

https://www.justice.gov/media/1329536/dl?inline

1 Like

Agree & Done.

1 Like