-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2016-07-22 16:39, Chris Laprise wrote: > On 07/22/2016 07:03 PM, Andrew David Wong wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 >> >> On 2016-07-22 08:15, TheFactory wrote: >>> Another good use for this feature is that you can pre-program in some >>> landmines to destroy the drive and overcome brute force. Since the >>> LUKS password prompt on my install of 3.2 has little to no delay >>> between password attempts one could use a mid range gpu to try millions >>> of passwords. The drive itself can be copied dozens of times to >>> increase the chances of getting the password. >>> >> You can configure the iteration time manually by following the >> instructions here: >> >> https://www.qubes-os.org/doc/encryption-config/ >> >> Remember that the actual number of iterations depends on the speed of >> your hardware. The cryptsetup default is one second (1000 milliseconds). >> >>> However if >>> >>> If you had a limit of 10 or 20 tries before drive wipe. >>> >>> And had a dozen or more fake passwords that would induce drive wipe. >>> >>> And had some sort of delay in each password attempt built >>> in.(veracrypt takes forever to process your password input for >>> instance) >>> >>> Using tpm ontop of this would also at least frustrate their attempts >>> at mirroring the drive. >>> >>> You could be reasonably certian that even powerful attempts at getting >>> the drive open will be hopeless. Though, you may get yourself in some >>> physical trouble. >>> >>> I have wanted features like the above ones for some time. >>> >> As Andrew pointed out, offline brute forcing doesn't work this way. >> Attackers wouldn't attempt to brute force your encrypted drive using your >> hardware and software. They would just take a copy the ciphertext and >> attempt to decrypt it with their own software on their own (much more >> powerful) hardware. (However, the use of a TPM would make a difference >> here, for the reason Andrew points out.) >> >> - -- > > Although adding TPM support for LUKS is desirable, the suggested 'LUKS > nuke' feature is separate and suffers from a poor understanding of the > threat model. >
There is more than one possible threat model. Earlier in this thread, I argued that there are threat models in which the "nuke option" can make sense. > As you point out, the main use case is when the user wants to initiate > destruction of the encrypted volume before it falls into the wrong hands. > But there is no need to patch LUKS to accomplish this, and using only > passphrases as the trigger mechanism is probably too cumbersome in some > situations anyway. > > This could be scripted with better results and flexibility for the end > user, obviating any need to meddle with LUKS code. > We certainly welcome patches for this, though it sounds like it would be a good idea to discuss the details of the implementation first. > If there is already an issue# for a 'panic button' type of feature request, > I'd suggest linking this thread to it. > As linked earlier in this thread, here is the cryptsetup-specific issue: https://github.com/QubesOS/qubes-issues/issues/921 There is currently no separate "panic button" feature request aside from this one. That would be a different feature, for the reasons you point out. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXkrSLAAoJENtN07w5UDAwEZUP/2evcPl5gKyxgiH2dhHg4pOU h8BcgW/JXy0pFR//tgOFu7HIBgnBHUVVixsQVqrJ7egYlQQ8GMs9iwqQIawx8Qld rCt500ObQHvBA+AqGYma/zUnNsrKOpolXf5YmAXKboIS014eC+XsJwBwqvzoC34H W4s2hKEXldrevjWdPQlDPAmwiFBP0Oo9lWp4lb2VguyDq3VF9Hq8YJmNpitMXn9K HRPzCMqXOfKcxLj7uTV9Fq75EiVkO10Kizm/k0cpNgQJc8Rq+/izLpy4R2Tpfst+ teuLp3MmdGEFfTvOFvIT7tvi2mdtYAC03ePAfAabaulmsDpJnNwVhjLP69wgW64W dYMq1lUYvwut7TbaOxkfutUo95f7y2zCkwR1J6md/NL5cOLJLP5kIcYlPSU+/FvD TAmmze4p8Z1gA7THNKa4x7ZlsCd3A3/ml4e+HqAoJMqj69L9dVeCm2S3fExAkBB+ hFNLCQXHp4L6zAuOZKFSrxEbPZyEN2jtdgJrL7ProXDpfyNpKRyLGn6K7SLD52JJ h9isJWfbODtX7x43T1YbigH+thoY3kq9+8IyTuc2K2vDgoUr5I77dKoRxqup8Alt aIN3+N8WJugrNjcXI7dIlsllyasBt9wUA4n7zBwaYI9Vd7QMK4uzskrtz2DJMU6g q6eLOX8hom/gmYDrYWse =1tA3 -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3d6686ef-828b-5153-a80f-fadb55749e82%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.