MX Linux Forum

JayM wrote: Mon May 24, 2021 4:42 am If the OP decides to use Veracrypt, one tip: at some point when you decrypt the volume it will ask for either your password or root's: enter your own password.

Yes. To further clarify, for each session two passwords must be entered. The first is the one used when creating the container then the second is the user/sudo password, not root's. That's assuming the process is started from the gui.

I did consider Veracrypt, for reasons of privacy really, but was put off by the issue of hidden volumes, and the dangers outlined in the following article. Bear in mind we may live presently in semi-democracies but will that last? I wouldn't bet on it.

https://proprivacy.com/privacy-service/ ... en-volumes
"A VeraCrypt hidden volume makes it impossible to know (and therefore prove) that hidden data exists, which is what lies at the heart of the concept of ‘plausible deniability’. The problem comes when you are dealing with an adversary who doesn’t care about proving the data exists, and will imprison or torture you simply on the grounds of suspicion.

In such a situation, using VeraCrypt to protect your files may be especially dangerous, since if no hidden volume actually exists then you can neither prove this to be the case, nor surrender the non-existent keys. If your adversary chooses not believe you, then you have nowhere to go…"

They do suggest that, If we are sure only one hidden volume Can exist in each instance, then always create that volume so you can submit the key to prove it.

The solution I chose was a 3rd. party app Cryptomator which is very easy to use and one can create numerous vaults locally or on external usb etc. A good long passphrase for each vault secures. You then only need to open the vault(s) which has your current work. It can hold files and folders. I think it needs Systemd, which I use anyway.
It is primarily designed for Dropbox-like use, where both parties know the passphrase, but I've had no problem using it locally.

Stuart_M wrote: Sun May 23, 2021 8:58 am I have been using VeraCrypt for years and it has performed flawlessly. It is a solid encryption program that has been independently audited. I can't emphasize that enough.

great choice !

Re: veracrypt and plausible deniability. Interesting issue. If charged with the task of proving that you are not hiding anything on a computer (upon pain of death or torture), I'd have thought that whether or not you have a veracrypt container or not is just the tip of the iceberg.

How do you go about 'proof of non-concealment'? Seems like an almost impossible task. It's kind of the opposite of plausible deniability. 'You can't prove I'm hiding something' vs 'I can prove I'm not hiding something'.

"They do suggest that, If we are sure only one hidden volume Can exist in each instance, then always create that volume so you can submit the key to prove it." - this does seem to solve the issue for Veracrypt though. But what about all those other places on your computer / phone / cloud etc...?

LinnitXa wrote: Mon May 24, 2021 8:44 am I did consider Veracrypt, for reasons of privacy really, but was put off by the issue of hidden volumes, and the dangers outlined in the following article. Bear in mind we may live presently in semi-democracies but will that last? I wouldn't bet on it.

https://proprivacy.com/privacy-service/ ... en-volumes

If society is forced into the dystopian picture that article paints then it won't matter which encryption software you use - you'll be deemed guilty just by having such software installed. Although I seem to recall Veracrypt under Windows offered a portable mode where you could install it onto a usb stick thereby leaving no trace on your system but that doesn't seem to be available on Linux.

That said, Veracrypt offers another level of plausible deniability you may have overlooked and that is to encrypt an entire drive:

'A possible plausible explanation for the existence of a partition/device containing solely random data is that you have wiped (securely erased) the content of the partition/device using one of the tools that erase data by overwriting it with random data (in fact, VeraCrypt can be used to securely erase a partition/device too, by creating an empty encrypted partition/device-hosted volume within it).'

With this approach there'd be no issue with hidden volumes as you wouldn't be working with containers. So to anyone but yourself it is simply a drive that has been securely erased. Then there's the added advantage of storing this external drive in a different location.

But then if your computer is targeted for forensic examination then presumably they''ll also have a search warrant and such a search would probably discover this drive. In which case you'd need a normal container or two somewhere on your system to justify the presence of Veracrypt as you'd likely be accused of encrypting the drive, that is assuming there's no way to hide the fact Veracrypt is installed, which I don't think there is on Linux. Then it'd be advisable to have a dedicated data erase program like Dban so you can say you used that to do the secure erase. I'd say their forensic capabilities would have to pretty good to determine which was actually used. That is assuming the data erase program wrote random data like Veracrypt does, as opposed to all zeros for example.

Then again if things get that bad then just having data erase software would probably be almost as incriminating as having encryption software. It could be a real can of worms.

All this depends on what your threat model is, who you're trying to protect your data from, doesn't it? Do you merely want to keep personal data safe from possible identity thieves or blackmailers? Are you worried (for good cause) about the Secret Police knocking your door down at 3AM to take you away? Those are roughly the two extremes. Of course the OP could be just experimenting with encryption to learn about it, and not even have a potential security threat.

JayM wrote: Wed May 26, 2021 5:12 am All this depends on what your threat model is, who you're trying to protect your data from, doesn't it?

Yes that's a valid point. But I was actually addressing LinnitXa's post and in the scenario presented there (if that ever comes about) it seems to me one would be better off with Veracrypt, as long as it was used with drives and not containers.

Have a nice pinoy day.