Feature #16485

{live-media-encryption|encryption}=TYPE

Added by Anonymous 2019-02-26 05:03:56. Updated 2019-06-03 16:42:50.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2019-02-26
Due date:
% Done: 0%
Feature Branch:
Type of work: Discuss
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

The only supported TYPE for this live-boot option is “aes”, which refers to cryptoloop/loopaes and is deprecated.

We should have the ability to encrypt a USB device using LUKS (with detached header) or plain dm-crypt encryption, copy the Tails .iso over to it, and then boot off it. By adding “plain” or “luks” support for the above live-boot option, I believe this will be possible. The device can be mounted using gfxterm from a separate grub2 installation, whether from a coreboot BIOS or perhaps a decoy operating system.

This will provide plausible deniability for those who need to hide the fact that they use Tails/Tor.

I’m wondering if anyone else feels that this feature would be valuable.


Related issues

Related to Tails - Feature #5929: Consider creating a persistence by default for plausible deniability Confirmed 2016-08-20

History

#1 Updated by intrigeri 2019-02-26 08:09:22

  • related to Feature #5929: Consider creating a persistence by default for plausible deniability added

#2 Updated by intrigeri 2019-02-26 08:12:16

  • Assignee deleted (None)
  • QA Check set to Info Needed

If I got it right, the goal would be that a Tails USB stick would appear to be a LUKS device, with nothing Tails-specific on it (no bootloader, no kernel, no initrd). Right?

At first glance, implementing this would be a huge project. I suspect its cost would immensely outweigh the amount of real-world use cases it would improve.

#3 Updated by Anonymous 2019-02-27 03:31:01

Something like that. Except if there was support for plain dm-crypt mode, then the Tails USB stick would appear to be filled with random data, since there is no header in plain mode. This is assuming that the USB stick was initialized properly (full random data overwrite before encryption).
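The distinction drawn in comment #3, seen from the side of someone examining the stick without a key, as an added example that is not part of the original thread: an on-device LUKS header is recognizable by its magic bytes, while a plain-mode (or detached-header) device only blends in if the whole stick was overwritten with random data first. The images are constructed in memory, `os.urandom` stands in for dm-crypt ciphertext, and the chunk size, entropy threshold and zero-filled "unwritten" area are assumptions.

```python
import math
import os

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of an on-disk LUKS1/LUKS2 header
CHUNK = 32 * 1024             # examination window (assumed size)

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return sum(-c / n * math.log2(c / n) for c in counts if c)

def classify(image: bytes, threshold: float = 7.9) -> dict:
    """Report what is visible on a device image without any key."""
    version = None
    if image[:6] == LUKS_MAGIC:
        version = int.from_bytes(image[6:8], "big")  # 16-bit big-endian
    low = [off for off in range(0, len(image) - CHUNK + 1, CHUNK)
           if shannon_entropy(image[off:off + CHUNK]) < threshold]
    return {"luks_version": version, "low_entropy_offsets": low}

def build_samples() -> dict:
    """Constructed images; os.urandom stands in for dm-crypt ciphertext."""
    return {
        # LUKS2 with the header on the device itself (header area zero-padded here)
        "luks_attached": LUKS_MAGIC + (2).to_bytes(2, "big")
                         + bytes(CHUNK - 8) + os.urandom(7 * CHUNK),
        # plain mode (or detached header) on a stick fully overwritten first
        "plain_wiped": os.urandom(8 * CHUNK),
        # plain mode on a stick that was never overwritten: blank tail
        "plain_unwiped": os.urandom(4 * CHUNK) + bytes(4 * CHUNK),
    }

if __name__ == "__main__":
    for name, image in build_samples().items():
        print(name, classify(image))
```

Only the fully overwritten plain-mode image yields no header and no low-entropy regions; the unwiped one exposes exactly where the written ciphertext ends.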

#4 Updated by intrigeri 2019-06-02 15:11:30

  • QA Check deleted (Info Needed)

@sajolida, please triage this feature request :)

#5 Updated by sajolida 2019-06-03 16:42:50

  • Status changed from New to Rejected

Same as intrigeri on #note-2: I don’t believe in the cost/benefit ratio of such a project.