I am trying to achieve LUKS deniability on a Debian computer, but I'm stuck. I installed Debian on a computer, and formatted the hd in this way:
- sda is totally filled by the sda1 partition, which is LUKS
- inside this LUKS container (sda1) there is an LVM group with 3 volumes: the root, the home and the swap
- sdb1 is /boot (unencrypted partition) (on a detachable USB stick)
Now I want to "move" the LUKS header to achieve deniability. So I back up the header on the stick (on initramfs):
cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file /etc/luks_header/sda1-header-backup
I hooked a script in /usr/share/initramfs-tools/hooks/ to make the header accessible via the initramfs: it creates /etc/luks_header and copies the header in. Then I changed /etc/crypttab to:
sda1_crypt UUID=xxx-xxx-xxx-xx none luks,header=/etc/luks_header/sda1-header-backup
So now I should boot with /sdb1. And the decryption is performed with the LUKS header in /etc/luks_header/ (of the initramfs).
Then to finish the deniability, I need to erase the LUKS header of sda1:
dd if=/dev/urandom of=/dev/sda1 bs=2M count=1
(The header's size is 2MB and begins at sector 0.) But when I try to boot, the prompt tells me that it has a problem with LVM.
I believe it is because I destroyed something after the header, so I reduced my write with dd to 1MB, but I still have the same problem. I thought I only touched the header (which should not be read thanks to crypttab), but I'm wrong. Can anyone explain that to me?
The sites I found further information on:
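
Added example, not part of the original post: a small parser for the fixed part of a LUKS1 header that reports where the encrypted payload starts and which identifying fields live in the header, so the size of an overwrite can be checked against it. It assumes the LUKS1 on-disk format; the sample header (payload at sector 4096, all-zero UUID) is constructed, and the function names are hypothetical.

```python
import struct

SECTOR = 512
LUKS1_MAGIC = b"LUKS\xba\xbe"
# Fixed part of the LUKS1 on-disk header (big-endian): magic, version,
# cipher name, cipher mode, hash spec, payload offset in sectors, key bytes,
# master-key digest, digest salt, digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return the header fields worth checking before the on-disk copy is wiped."""
    if len(blob) < PHDR.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, _hash, payload_sectors,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "key_bits": key_bytes * 8,
        "uuid": _text(uuid),  # the LUKS UUID is a field of the header itself
        "payload_offset_bytes": payload_sectors * SECTOR,
    }


def wipe_touches_payload(header, wipe_bytes):
    """True if overwriting the first wipe_bytes would reach encrypted data."""
    return wipe_bytes > header["payload_offset_bytes"]


def build_sample_header():
    """Constructed sample: payload at sector 4096, placeholder UUID."""
    return PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096,
                     64, bytes(20), bytes(32), 1000,
                     b"00000000-0000-0000-0000-000000000000")


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr)
    # dd bs=2M count=1 writes 2 * 1024 * 1024 bytes
    print("wipe reaches payload:", wipe_touches_payload(hdr, 2 * 1024 * 1024))
```

To check a real backup, pass the first bytes of the file written by `luksHeaderBackup` to `parse_luks1_header`.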