nihilist@mainpc - 2024-01-31

The main source of Plausible Deniability: Deniable Encryption

VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability.

But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existence of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling


source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd

regarding wear leveling:
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."

OPSEC Recommendations:

Hardware : (Personal Computer / Laptop)
System Harddrive: not LUKS encrypted [1]
Non-System Harddrive: 500Gb (used to contain our Veracrypt encrypted volumes)
Host OS: Linux
Hypervisor: QEMU/KVM
Packages: grub-live and ram-wipe

Deniability Context

Let's install the .deb package for veracrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode:


[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo apt install -f

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb
	
[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ which veracrypt
/usr/bin/veracrypt

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ veracrypt

So now that you have veracrypt installed, before you start to use it, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:

By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. That's why you need to use the Host OS in live mode, to be able to use veracrypt.

That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, but rather only writing all that potential forensic evidence of the veracrypt hidden volume in RAM alone, which can be easily erased with a simple shutdown.

So now that we have installed veracrypt, let's reboot the Host OS into live mode:

And only now once we are in live mode, we can use veracrypt to create hidden encrypted volumes and unlock them. But be aware that everything you write into the system drive will be wiped upon shutting down, if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.

So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file:

Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).

Then we want it to be a simple file in my home directory for testing purposes (so be aware that upon rebooting it will be erased due to being in the system drive). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in this tutorial.

Leave the default settings for the encryption

As a test we'll make a 1Gb volume, can be smaller or as big as all the available space.

Now here we want to remember our first password A, for the decoy volume, This is the password you'll type when you're forced to give out your password.

Here we can select the FAT filesystem

Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.

Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existence of this volume must never be revealed to anyone, only you should know about it. then we repeat the previous steps:

Here we select the size we need for the hidden volume.

And here we use the second password, this is the one you must remember in order to access the data you want to hide from an adversary. Then we repeat the previous steps to create the volume:

The main source of Plausible Deniability: Deniable Encryption

OPSEC Recommendations:

Deniability Context

Mounting the Volumes

Nihilism

My Links

About nihilist