Feature #15653
Allow unlocking any persistent volume when multiple ones are available
100%
Description
Change the greeter to support multiple encrypted persistence partitions. When the user enters a password, try that password against partition in turn until it finds a match.
Use cases:
- Allow multiple users to share a tails device whilst still maintaining privacy.
- Support plausible deniability / rubber hose protection - users can create several partitions and when pressed reveal the password to a unimportant partition
The code change for this is very simple. I’ve included a patch.
(Ideally the persistence-setup tool could be extended to support this, but that’s much more work).
Files
Subtasks
Related issues
Related to Tails - Feature #5929: Consider creating a persistence by default for plausible deniability | Confirmed | 2016-08-20 |
History
#1 Updated by Gaff 2018-06-12 23:56:47
In-case anyone is wondering - I used the disk tool to add multiple luks partitions. It’s important that they are all labelled ‘TailsData’.
#2 Updated by Gaff 2018-06-13 00:00:34
Related-to / Partial solution of: https://labs.riseup.net/code/issues/5929
#3 Updated by mercedes508 2018-06-14 11:33:30
- Assignee set to Gaff
Gaff wrote:
> Use cases:
> * Allow multiple users to share a tails device whilst still maintaining privacy.
It means for people we can’t afford having their own Tails USB?
> * Support plausible deniability / rubber hose protection - users can create several partitions and when pressed reveal the password to a unimportant partition
This use case is already being worked on, but using another mean, persistent volume by default:
#4 Updated by Gaff 2018-06-14 11:40:20
> This use case is already being worked on, but using another mean, persistent volume by default
Sure - but my fix is compatible with the other fix. (Indeed they complement each other very well. One could suppose the default install comes with multiple persistent volumes - It would be impossible to know how many have been configured with passwords and how many were dummies).
Also my fix is cheap and has no downsides that I can see. And I’ve submitted a patch for it already (see above). Is there anything else I should do in order to get this considered for merge?
Thanks!
#5 Updated by intrigeri 2018-06-14 13:04:09
- related to Feature #5929: Consider creating a persistence by default for plausible deniability added
#6 Updated by Gaff 2018-06-14 13:07:26
- QA Check set to Ready for QA
#7 Updated by intrigeri 2018-06-14 13:10:20
> This use case is already being worked on, but using another mean, persistent volume by default:
> https://labs.riseup.net/code/issues/11681
Err, it’s not ever been worked on (yet) and that ticket is about deciding whether we want to implement that and how.
#8 Updated by intrigeri 2018-06-14 13:15:27
- Status changed from New to In Progress
> Allow multiple users to share a tails device whilst still maintaining privacy.
FWIW I don’t remember this being ever requested in the past. It’s hard to explain the amount of trust each of these users must put into all others: any of these users can patch the shared Tails system to log their passphrase and get access to their data. So “whilst still maintaining privacy” is pretty weak here.
> * Support plausible deniability / rubber hose protection - users can create several partitions and when pressed reveal the password to a unimportant partition
Given all persistent volumes are visible, I can’t imagine an adversary, in such a threat model, being satisfied with being given access to only one of N>1 such volumes. So this use case is pretty weak IMO.
Regardless, I’ll take a look at the patch and if it’s really trivial, non-invasive and safe, why not.
#9 Updated by Gaff 2018-06-14 13:20:39
intrigeri wrote:
> > Allow multiple users to share a tails device whilst still maintaining privacy.
>
> FWIW I don’t remember this being ever requested in the past. It’s hard to explain the amount of trust each of these users must put into all others: any of these users can patch the shared Tails system to log their passphrase and get access to their data. So “whilst still maintaining privacy” is pretty weak here.
I accept this use-case is pretty tenuous. It’s mostly to frame justification for the other use case.
> > * Support plausible deniability / rubber hose protection - users can create several partitions and when pressed reveal the password to a unimportant partition
>
> Given all persistent volumes are visible, I can’t imagine an adversary, in such a threat model, being satisfied with being given access to only one of N>1 such volumes. So this use case is pretty weak IMO.
True. It’s strength is mostly against non-expert adversatories. This use case could be significantly strengthened if Tails created multiple partitions by default (something for another ticket).
> Regardless, I’ll take a look at the patch and if it’s really trivial, non-invasive and safe, why not.
Cheers!
#10 Updated by intrigeri 2018-06-14 13:26:57
- QA Check changed from Ready for QA to Dev Needed
I looked at the patch and indeed it’s not scary:
- The
check_output_and_error
change seems to be orthogonal to this ticket. If it’s useful/necessary, please include it in a separate commit. - Please test how “Configure persistent volume” works on a device that has multiple GPT partition entries that all have the
TailsData
name. A quick look at the code suggests it might just work but I’d like a confirmation that one can still configure their persistent volume in such a case. - It would be nice to know how partitioning software behaves in front of a device that has multiple GPT partition entries that all have the
TailsData
name. Can you please test basic operations on such a drive with at least udisks2, parted and gfdisk and report back the results + how to reproduce them?
#11 Updated by Gaff 2018-06-14 13:45:36
intrigeri wrote:
> * The check_output_and_error
change seems to be orthogonal to this ticket. If it’s useful/necessary, please include it in a separate commit.
It’s definitely a useful bugfix. Willdo.
> * It would be nice to know how partitioning software behaves in front of a device that has multiple GPT partition entries that all have the TailsData
name. Can you please test basic operations on such a drive with at least udisks2, parted and gfdisk and report back the results + how to reproduce them?
I’ve been using parted, fdisk, and gnome-disks extensively to test this. Honestly these apps do little more than present the labels in the output / GUI. No issues whatsoever with this. [As an aside - one could argue that labelling your partitions TailsData is terrible for plausible deniability. Something for another ticket!]
> * Please test how “Configure persistent volume” works on a device that has multiple GPT partition entries that all have the TailsData
name. A quick look at the code suggests it might just work but I’d like a confirmation that one can still configure their persistent volume in such a case.
Configuring an already-mounted device “just works”. Obviously it’s not possible to create multiple volumes this way - and I confess I didn’t attempt to use the tool to delete a TailsData partition. Having said that - even if the tool fails it’s not relevant for this ticket. There are dozens of ways to misconfigure your USB device such that the tool fails (trust me - I found a whole bunch of them while testing!). The tool doesn’t pretend to work for every configuration, and I’m not pretending that multiple TailsData partitions are fully supported (yet). Even so this patch is good to go (IMHO).
#13 Updated by Gaff 2018-06-14 13:56:04
Moved the bugfix to Bug #15656
#14 Updated by Gaff 2018-06-14 14:01:17
- QA Check changed from Dev Needed to Ready for QA
#15 Updated by intrigeri 2018-06-14 14:31:59
> I confess I didn’t attempt to use the tool to delete a TailsData partition. Having said that - even the tool fails it’s not relevant for this ticket.
Fair enough.
Please set the ticket as Ready for QA again whenever you feel it’s ready for another review.
#16 Updated by intrigeri 2018-06-14 15:34:10
- Assignee changed from Gaff to intrigeri
- Target version set to Tails_3.9
#17 Updated by intrigeri 2018-06-14 15:42:43
- Subject changed from Support multiple persistence partitions to Allow unlocking any persistent volume when multiple ones are available
(As per “I’m not pretending that multiple TailsData partitions are fully supported”.)
#18 Updated by intrigeri 2018-06-14 15:42:58
- Category set to Persistence
- Estimated time deleted (
1 h) - Affected tool set to Greeter
#19 Updated by intrigeri 2018-06-18 06:58:48
- Feature Branch set to tails:feature/15653-15656-greeter-unlock,greeter:feature/15653-15656-greeter-unlock
Applied in a topic branch, let’s see how it fares on Jenkins.
#20 Updated by intrigeri 2018-06-18 06:58:59
- % Done changed from 0 to 20
#21 Updated by intrigeri 2018-06-18 07:06:01
By the way, Gaff, if you’d like to improve the Greeter in more ways, now that you’re somewhat familiar with its code, I’ve cooked a custom query for you that lists good candidates: https://labs.riseup.net/code/projects/tails/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=o&f%5B%5D=cf_18&op%5Bcf_18%5D=%3D&v%5Bcf_18%5D%5B%5D=Greeter&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&v%5Bcf_15%5D%5B%5D=Code&f%5B%5D=cf_9&op%5Bcf_9%5D=%21&v%5Bcf_9%5D%5B%5D=Info+Needed&v%5Bcf_9%5D%5B%5D=Ready+for+QA&v%5Bcf_9%5D%5B%5D=Pass&f%5B%5D=category_id&op%5Bcategory_id%5D=%21&v%5Bcategory_id%5D%5B%5D=177&f%5B%5D=priority_id&op%5Bpriority_id%5D=%21&v%5Bpriority_id%5D%5B%5D=3&f%5B%5D=&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=fixed_version&c%5B%5D=subject&c%5B%5D=category&c%5B%5D=cf_15&c%5B%5D=assigned_to&c%5B%5D=cf_9&group_by=&t%5B%5D=. Usually we would leave alone tickets that are already assigned to someone but in this case, I think it’s fair enough to take anything that’s been assigned to Alan for a long time with no recent progress.
#22 Updated by intrigeri 2018-06-19 16:11:25
- Status changed from In Progress to Fix committed
- Assignee deleted (
intrigeri) - % Done changed from 20 to 100
- QA Check changed from Ready for QA to Pass
Merged, thanks!
#23 Updated by intrigeri 2018-09-05 16:20:14
- Status changed from Fix committed to Resolved
#24 Updated by intrigeri 2020-04-15 06:02:17
- Affected tool changed from Greeter to Welcome Screen