LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   duress passwords, encryption, and linux (https://www.linuxquestions.org/questions/linux-security-4/duress-passwords-encryption-and-linux-867862/)

unihiekka 03-11-2011 12:27 AM
duress passwords, encryption, and linux
 
Hello!

Is it possible to have two passwords associated with one account, one that is the actual one, and another one, a duress password, that upon entering gives a similar (desktop) environment with "decoy data"?

The idea is to have the bogus password go to an encrypted home drive that looks as if it were the real deal, but it is wiping particular sensitive (encrypted) data that is visible only with the real password in the background, so that the actual data that need to be protected are not compromised. While the person who unlocked the computer tries to find the information on it between all the rubbish files, the real files are securely wiped. The files are very sensitive in nature, so it's better to have then destroyed than have unauthorized people access them, in the event of that happening.

I happen to know that TrueCrypt has a similar option but that requires an entire decoy operating system (and I think that might be a bit conspicuous), but is there a native linux way to do it?

Look forward to hearing your thoughts.

Noway2 03-12-2011 03:45 PM
This sounds awfully extreme in the paranoia department. The only individuals who I can think of that would likely be put in such a situation are ones that would most likely not be taking any machines that have that sensitive of information on them at all.

A former coworker who has a friend who works for the NSA recommends Iron Mountains' Data Defense. Too many wrong password attempts or a remote poison-pill and the data is toast.

As far as a duress account to kill the data, create a second user account that will execute a script on startup that securely wipes the home directory. Such a process is slow and will use a lot of HDD activity and will probably be noticed, so you are better off targeting only the sensitive information. A simple zero or random data wipe should be sufficient.

Honestly, though, I think if you are facing such a situation, you aren't too far away from the $5 wrench scenario either: drug them and hit them with this $5 wrench until they tell us the password.


All times are GMT -5. The time now is 10:31 AM.