On Thu, Apr 24, 2008 at 08:00:39AM -0500, Jordi Gutiérrez Hermoso wrote:
> So when I installed Debian, I told d-i to wipe the hard disk and
> encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
> They'll never take me or my data alive.

Hee hee. I'm more paranoid than you because I don't trust the hash algorithm (that maps the password into a bit vector) not to introduce statistical bias. I've agitated a little bit on the luks mailing list for a feature that allows the key to be entered directly as a hexadecimal number but wasn't able to drum up any support.

Another missing feature is to have the exit code from cryptsetup encode the number of the keyslot as part of a defense against "rubber hose" attacks. When the attacker compels you to surrender the key, you provide an alternative to the usual one, which decrypts the disk normally but is detected during the boot sequence by a script that feeds him disinformation by altering particularly sensitive files in advance.

An attacker who's aware of this countermeasure could defeat it by mounting the root volume from a rescue CD, but it may find a niche in the U.S. Prosecutors there have been trying lately to subvert the Fifth Amendment right of non-self-incrimination by compelling a defendant to perform the decryption himself rather than telling them the key.