Red Hat Bugzilla – Bug 454855
Full disk encryption: allow for hidden system, accessed by different password
Last modified: 2013-02-08 06:58:11 EST
Description of problem:
Truecrypt 6.0 allows to setup a second (hidden) OS inside an already protected
OS (currently Windows only).
Fedora 9 has introduced a very well working full disk encryption.
It would be great to take it one step further:
Allow to create a second /home(2) partition, that is hidden from the first
/home(1) partition. Depending on what password is entered upon boot, either
/home(1) or /home(2) is unlocked and can be accessed.
- hidden volumes are supported by truecrypt on Linux now
- the whole truecrypt engine uses dm-crypt module in version 6
(except protection of hidden volume)
- LUKS has a visible header marker, useful for identicication by blkid,
but cannot be used for implementing hidden volume
Anyway, hidden volume (without volume overwriting protection) can be created
using simple script - something like this:
- create standard LUKS device with some "fake files", use some fs which
occupies only beggining of the disk (IIRC truecrypt uses FAT by default)
Be sure that you initialized whole device using random data before formatting.
- manually create dm-crypt mapping (without LUKS header, cryptsetup still
suports this mode) to part of device, where are unused blocks (usually end of
device, use --offset parameter in cryptsetup)
The script then should try to decrypt hidden volume with known offset and checks
against some known pattern there.
(But just existence of this script shows an anomaly that you are are hiding
Nobody without password (and properly used cipher) cannot distinguish if the
blocks are part of hidden volume or just unused blocks in "outer" volume.
(Of course if you write something to outer volume, you can destroy data in
hidden volume in this trivial mapping mode; device-mapper easily allows mapping
that will protect hidden part - by mapping that part to to error target, but
again, it shows to potential attacker that you are hiding something there...)
Anyway, it is interesting idea to automatize it somehow, but probably low