updated
This commit is contained in:
parent
c9ab94ee02
commit
978e2231fe
BIN
opsec/plausiblydeniabledataprotection/21.png
Normal file
BIN
opsec/plausiblydeniabledataprotection/21.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 130 KiB |
BIN
opsec/plausiblydeniabledataprotection/22.png
Normal file
BIN
opsec/plausiblydeniabledataprotection/22.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 139 KiB |
@ -64,6 +64,16 @@
|
|||||||
<h1>Plausibly Deniable Data Protection Setup</h1>
|
<h1>Plausibly Deniable Data Protection Setup</h1>
|
||||||
<img src="0.png" style="width:250px">
|
<img src="0.png" style="width:250px">
|
||||||
<p>In this tutorial we're going to look at how you can backup your critical data (Keepass accesses, pgp key, ssh key, etc) while still maintaining the plausible deniability. </p>
|
<p>In this tutorial we're going to look at how you can backup your critical data (Keepass accesses, pgp key, ssh key, etc) while still maintaining the plausible deniability. </p>
|
||||||
|
</br><b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
|
||||||
|
<pre><code class="nim">
|
||||||
|
source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
|
||||||
|
|
||||||
|
regarding wear leveling:
|
||||||
|
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
|
||||||
|
|
||||||
|
</pre></code>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
</div><!-- /row -->
|
</div><!-- /row -->
|
||||||
@ -76,15 +86,8 @@
|
|||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="col-lg-8 col-lg-offset-2">
|
<div class="col-lg-8 col-lg-offset-2">
|
||||||
<h2><b>Initial Setup </b></h2>
|
<h2><b>Initial Setup </b></h2>
|
||||||
</br><b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
|
<p>Before starting, make sure that your Whonix VM you need to make sure the USB controller is set to USB 2:</p>
|
||||||
<pre><code class="nim">
|
<img src="21.png" class="imgRz">
|
||||||
source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
|
|
||||||
|
|
||||||
regarding wear leveling:
|
|
||||||
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
|
|
||||||
|
|
||||||
</pre></code>
|
|
||||||
|
|
||||||
|
|
||||||
<p>First install veracrypt in the plausibly deniable whonix VM (for more details on how to set that environment up in <a href="../anonymity/index.html">this</a> previous tutorial), go <a href="https://veracrypt.fr/en/Downloads.html">there</a> to download the latest .deb package:</p>
|
<p>First install veracrypt in the plausibly deniable whonix VM (for more details on how to set that environment up in <a href="../anonymity/index.html">this</a> previous tutorial), go <a href="https://veracrypt.fr/en/Downloads.html">there</a> to download the latest .deb package:</p>
|
||||||
<pre><code class="nim">
|
<pre><code class="nim">
|
||||||
@ -151,12 +154,76 @@ ONLY THEN the veracrypt volume is completed, and can be backed up somewhere else
|
|||||||
<img src="17.png" class="imgRz">
|
<img src="17.png" class="imgRz">
|
||||||
<p>write something in there such as your week in a small text file, name it with today's date. (don't reveal the presence of a hidden file in the text content). This is just an example as to what content you could put there. <b>Goal is that the content must make sense in case if you're forced to type in your password there.</b> Second goal is that <b>for each veracrypt hidden volume changes that occur, the content of the decoy partition must also change because otherwise it will reveal the existance of the hidden volume if the remote server keeps the previous versions of each file.</b></p>
|
<p>write something in there such as your week in a small text file, name it with today's date. (don't reveal the presence of a hidden file in the text content). This is just an example as to what content you could put there. <b>Goal is that the content must make sense in case if you're forced to type in your password there.</b> Second goal is that <b>for each veracrypt hidden volume changes that occur, the content of the decoy partition must also change because otherwise it will reveal the existance of the hidden volume if the remote server keeps the previous versions of each file.</b></p>
|
||||||
<img src="18.png" class="imgRz">
|
<img src="18.png" class="imgRz">
|
||||||
<p>Once you have closed the decoy volume, the Veracrypt volume is ready to be backed up:</p>
|
<p>Once you have closed the decoy volume, the Veracrypt volume is ready to be backed up, there you need to add the USB keys to the Whonix Workstation VM like so:</p>
|
||||||
<img src="19.png" class="imgRz">
|
<img src="22.png" class="imgRz">
|
||||||
<p>copy it to a server (wherever you want online), and then copy the file on your mainpc, your laptop and then you can also put it on a usb key to be hidden somewhere.</p>
|
<p>And you need to copy the "diary" file to a server (wherever you want online), and then copy the file on your mainpc, your laptop and then you can also put it on a usb key to be hidden somewhere.</p>
|
||||||
<img src="0.1.png" class="imgRz">
|
<img src="0.1.png" class="imgRz">
|
||||||
<p>Like so you're covered in case if you are forced to give away your password, and in case if an adversary fills the decoy partitions of your veracrypt volumes in an attempt to destroy the hidden partitions.</p>
|
<p>If you want to automate the backup process, place the following backup.sh bashscript inside the whonix VM:</p>
|
||||||
<p>You can get creative as to how you choose to hide the veracrypt volume aswell, such as replacing a random linux binary in the /bin/ folder, or a library in /lib, or a file in /etc/, burying the usb key somewhere underground, etc</p>
|
<pre><code class="nim">
|
||||||
|
[ Whonix ] [ /dev/pts/2 ] [~]
|
||||||
|
→ cat backup.sh
|
||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#QEMU setting:
|
||||||
|
#whonix workstation configuration > Controller USB 0 > USB 2
|
||||||
|
# add each USB as host usb passthrough
|
||||||
|
|
||||||
|
#mount all 3 usb sticks:
|
||||||
|
sudo mkdir /mnt/usb1
|
||||||
|
sudo mkdir /mnt/usb2
|
||||||
|
sudo mkdir /mnt/usb3
|
||||||
|
|
||||||
|
sudo mount /dev/sda1 /mnt/usb1
|
||||||
|
sudo mount /dev/sdb1 /mnt/usb2
|
||||||
|
sudo mount /dev/sdc1 /mnt/usb3
|
||||||
|
|
||||||
|
#mount the veracrypt volume to add new diary:
|
||||||
|
echo "[+] Mount DECOY volume, to add new diary:"
|
||||||
|
veracrypt --mount /home/user/diary
|
||||||
|
vim /media/veracrypt1/$(date --iso-8601).txt
|
||||||
|
echo '[+] DIARY COMPLETE:'
|
||||||
|
ls -lash /media/veracrypt1
|
||||||
|
|
||||||
|
#mount the veracrypt volume to add new diary:
|
||||||
|
echo "Mount remounting volume, to backup critical data:"
|
||||||
|
veracrypt --dismount /home/user/diary
|
||||||
|
veracrypt --mount /home/user/diary
|
||||||
|
|
||||||
|
#backup whats critical in the veracrypt volume:
|
||||||
|
cp -r /home/user/.gnupg /media/veracrypt1/
|
||||||
|
cp -r /home/user/.ssh /media/veracrypt1/
|
||||||
|
cp -r /home/user/backup.sh /media/veracrypt1/
|
||||||
|
cp -r /home/user/Passwords.kdbx /media/veracrypt1/
|
||||||
|
|
||||||
|
ls -lash /media/veracrypt1
|
||||||
|
echo '[+] CRITICAL DATA ADDED TO VERACRYPT, BACKING IT UP TO USB STICKS:'
|
||||||
|
veracrypt --dismount /home/user/diary
|
||||||
|
|
||||||
|
sudo cp -r /home/user/diary /mnt/usb1/diary
|
||||||
|
sudo cp -r /home/user/diary /mnt/usb2/diary
|
||||||
|
|
||||||
|
ls -lash /mnt/usb*
|
||||||
|
|
||||||
|
echo '[+] CRITICAL DATA BACKUP ON the 3 USB STICKS COMPLETE, UNMOUNTING...'
|
||||||
|
sudo umount /mnt/usb1
|
||||||
|
sudo umount /mnt/usb2
|
||||||
|
#sudo umount /mnt/usb3
|
||||||
|
|
||||||
|
echo '[+] REMOTE BACKUP'
|
||||||
|
rsync /home/user/diary remoteserver:/root/diary -razP
|
||||||
|
|
||||||
|
echo '[+] REMOVING LOGS'
|
||||||
|
echo '' > ~/.histfile
|
||||||
|
sudo rm /var/log/*.log /var/log/*/*.log
|
||||||
|
sudo dmesg -c
|
||||||
|
|
||||||
|
echo '[+] SENSITIVE BACKUP COMPLETED, NOW HIDE ALL 3 IN HIDDEN LOCATIONS, UNMOUNTING...'
|
||||||
|
|
||||||
|
</pre></code>
|
||||||
|
<p>For instance, you can backup your critical files <b>in places that you own (your apartment, your car, on your keyring)</b>, but these places can be found easily. If you want to actually hide (and be able to claim that there are no more copies of your USB keys), <b>get the USB keys in places totally unrelated to you</b>, get creative such as burying the usb key somewhere you can remember, far away from your home, or hiding the file in a remote server, in a location that you remember.</p>
|
||||||
|
<p>Like so you're covered in case if you are forced to give away your password, and in case if an adversary takes your harddrives, USB keys (minus the ones you managed to hide elsewhere), <b>and if the adversary fills the decoy partitions of your veracrypt volumes in an attempt to destroy the hidden partitions, even in that case, you can still recover your data from the remaining places you successfully managed to hide your data to.</b> </p>
|
||||||
|
<p>Get creative as to how you choose to hide the veracrypt volume aswell, such as replacing a random linux binary in the /bin/ folder, or a library in /lib, or a file in /etc/, burying the usb key somewhere underground, etc</p>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
</div><!-- /row -->
|
</div><!-- /row -->
|
||||||
|
Loading…
Reference in New Issue
Block a user