Bitcoin Forum

Is there such a thing being developed and kept updated? What I mean is a distro that comes with preinstalled software that you would need for any Bitcoin related business (full node software like Core, another lightweight software like Electrum, all libraries pre-installed, Tor, some other useful tools and everything else declutted)

I ask this because if you were to for instance land in another country, and you needed to install everything from scratch, it would take a ton of time. If you could have everything in an .iso more or less ready to run, you would just get your laptop (which you wiped before crossing any borders) and install your linux Bitcoin distro, and leave it there installing everything while you chill on your hotel's swimming pool or something. After a while everything is ready so you just enter your passphrase or recover your wallet.dat which you temporarily left somewhere in the cloud encrypted and get your coins ready.

I know Tails has Electrum but it doesn't have Bitcoin Core. It also has a ton of stuff I don't need and Electrum is always outdated.

The idea would be a minimalist setup, with some sort of system that automatically downloads, verifies and compiles the required software and libraries during the installation process.

Typically, during the installation process, the operating system and its core components are installed. However, it is common for many systems to have outdated or missing software and libraries that are needed to run applications and perform certain tasks. To ensure that the system is up-to-date and functioning optimally, it is important to perform software updates regularly.

No distribution, as far as I know, carries out software updates during the installation process. Instead, the updates are done after the installation is complete. This is often done through a prompt or a notification from the operating system, inviting the user to update the installed software.

It takes a few minutes to install Electrum and Bitcoin Core on a new system. That's better than trusting an unknown iso.

Agreed! Trusting an unknown ISO could potentially lead to disastrous consequences. Taking the time to install Electrum or Bitcoin Core may take a few minutes, but it's worth it to have full control over your funds and the security of knowing that you're not relying on an unknown source. Better safe than sorry!

Bitcoin Core and minimalist usually doesn't come in the same line. You would probably need to wait for at least a day for it to synchronize on a computer with pretty good specs and I doubt those would be useful in the situation that you've listed. If you're looking for an ISO that does this, then Tails would be the closest to what you've described though they only include Electrum.

You can customize your own ISO if you want, but I think that would be too much of a hassle.

These wallet softwares don't really need that many "libraries" to install before you can install/run them. For example Electrum only requires python 3 which comes pre-installed with most Linux distros already. So there isn't much time to be spent installing these.

The time consuming part is verifying the authenticity of these which is best done by yourself instead of trusting a distro that won't be popular or reviewed enough. Besides, if you do it a couple of times you should become fast in doing the verification since it is really easy.

Why don't you bring your laptop ;)

Why would you do that? I've crossed many borders with my laptop, and nobody cares. It's normal.
Which problem are you trying to solve?

Chances are the hotel is going to complain about your 500 GB download.

You can also just encrypt your bitcoin related stuff (although obviously not the data to support a full node) in a hidden volume somewhere, disguised as something less sensitive you can decrypt if coerced.

Maybe you'll just have managed to sync everything when your vacation ends. :P

Why not just leave your full node running at home and connect to it remotely from Electrum or similar at your holiday destination? You can do all this with Tails if you want to keep all traces of bitcoin off your laptop until you arrive.

I'm not sure I understand your point. Installing a new Bitcoin Core is usually not enough. And I'm not sure you'll want to download the whole blockchain via the hotel's network (or WiFi).
And getting and installing Electrum and Kleopatra takes, what, 1-2 minutes?

I'll extrapolate what you said about Tails: any iso you'd have, it's more work than usefulness, since the things will soon get outdated. Plus there will be a trust issue.


Get with yourself a HW, maybe some paper notes spread here and there with the seed backup and you'll be fine. If you need more, just get your laptop with you, with everything already installed.

The whole idea of a bitcoin full node is you being able to download and verify the entire blockchain locally on your machine and not having to trust that someone else did it for you. If you already operate a full node, then the rules don't change just because you are on holiday. If you want to use bitcoin when on holiday, prepare some UTXOs before the holiday starts, move them to a software, hardware, or different paper wallets, and backup the seed words any way you are comfortable with.

Setting up a full-node to use during a week or two of holiday seems excessive.

Laptops are forced to be handled randomly on airport checkups for instance. Never travel with sensitive information. As far as Wifi in hotels, you can always pick an airbnb with internet if needed.


HW's are anti privacy because it already reveals by default you are holding Bitcoin.

There was one bitcointalk member MagnumOpus3k (https://bitcointalk.org/index.php?action=profile;u=2022776)who created Linux distro preloaded with Bitcoin related software and it's called LockBox (https://www.thelbx.io/) Linux OS.
He created topic (https://bitcointalk.org/index.php?topic=5351813.0) about that OS in bitcointalk forum, but I don't know how often he updates it.
Second option is Tails OS, this is minimalist Linux OS you can use with USB stick, but I think it comes only with Electrum wallet.
You don't need to install Bitcoin Core because it's unrealistic to use it minimalist like you want and you would have to wait a long time to sync.

I would rather install Fedora CoreOS or Debian myself (they are both coming without any bloatware) and than add Electrum or any other wallet or software later.

This is so wrong....with your logic if you carry a knife or axe with you than you are already a killer right?
On your laptop or phone you can carry much more than bitcoin keys, including bunch of your sensitive information.

Oh no, sounds like a terrible idea and heaven for cybercriminals. There are just so many things that could go wrong potentially: phished distro's website, hacked distro's website, phished repo, hacked repo, malicious developers, backdoor/trojan in OS, backdoor in wallet software etc etc etc... I mean such a distro, once launched will become a bullseye and a magnet for all sorts of crypto criminals. Easy way to lose your hard earned coins...  :(

I think it's much more likely for someone to steel your laptop while you're chilling in the pool, than for airport checks to steal your Bitcoin.
How are you going to bring your wallet.dat anyway? I hope you're not planning to use cloud storage....

Actually this is mostly incorrect. At least the HW I have doesn't write anywhere it's a HW and also doesn't write Bitcoin on it. So your HW is just another electronic device most will not even know what it is and for what (I don't know how all HWs look like, do you..? And then what you expect from the customs employee?)
And if you don't want to use a HW for the job then you can use an older smartphone for that, just make sure it indeed stays always offline (see this topic (https://bitcointalk.org/index.php?topic=5377997)).

Plus, you've missed the whole point. The point was that you can easily install (and check!!) a SPV wallet while you're away, you can easily restore your seed on a hardware device and you're fine. If you don't get your laptop with you, then where will you install the ISO anyway? Plus, again, how will you do Bitcoin Core's IBD there?
Arguably even Tor you may not need since you're not from home, since you don't necessarily need to hide your IP. Or you can just use a Tails USB which you already know.

Imho you either don't tell something, either you're overthinking something.

I agree, although it's less excessive if you create your own or use someone's else snapshot of pruned node (such as https://prunednode.today/ (https://prunednode.today/)).


But with recent "crypto travel rule" from FATF which followed by some country, there's higher chance border employee would know existance of cryptocurrency HW.

If you are being searched and they find an electronic device they do not recognize, then I expect them to ask you what it is, or even plug it in and show them what it is. Lie to them at your own risk.

I tend to agree with takuma sato on this point. If you want to hide the fact that you are taking bitcoin across a border, then using a hardware wallet and simply hoping no one recognizes it is not a good plan. There are plenty of better ways to hide a seed phrase, which is all you actually need to carry across a border, and you can download all the necessary software once you reach your destination.

Using Tor in this scenario also prevents the hotel (or whoever owns the WiFi you are using) from seeing which websites you are connecting to. I would definitely still use it, unless you are happy with the hotel staff knowing you are connecting to bitcoin.org, electrum.com, etc.

Both are valid (and very good) points, thank you for that.
In this case Tor remains, maybe an old phone as cold (enough) storage and the seed fragmented and scattered on multiple pieces of paper.
Still SPV wallets are the way to go given the size of the blockchain..., right?

yes

but don't do it. It's much too tempting for some employee(s) to abuse the situation and ship something that steals BTC or other data.

just get a standard distribution and figure it out, anything else is going back to "be my bank", not "be your own bank"

Not entirely sure about the phone. How would you be hiding the wallet on it? And what are you going to say under a targeted search when they ask you why you have an airgapped phone with no SIM card in it?

The seed phrase can be easily obfuscated in a stack of academic/professional/employment related documents, notes, books, etc. Alternatively, it is easy to hide in a hidden volume on your laptop, which you could decrypt to show copies of sensitive documents such as your passport or travel insurance. Impossible to prove the hidden volume even exists.

But yes, I would just use Electrum and point it at my own server which is running at home.

The wallet software can stay not installed, as an APK. You can even get it with you on another stick or memory card.
You will (re)install it when you arrive. You will put the seed into it only when you arrive or when you actually need it first.


It doesn't have to be airgapped, it doesn't have to stay without SIM either if you don't want to. You can reset to factory later.
And you can tell it's for backup, just in case you drop your phone into the swimming pool  :D (of course, I am sure you can prepare a better story for this).


Exactly!

Since we seem to go to extreme measures: crack the screen, drain the battery, and nobody will ask you if there's any Bitcoins on it. Buy a replacement screen on your vacation address, and replace it on your own :D

How many Bitcoins do you need on vacation anyway?

I have flown across the Atlantic Ocean twice with my personal laptop and once with a brand-new one bought when I was in the US, and nobody cared about it one bit. Maybe they handpick those individuals that look suspicious for any reasons. I was asked once why I am carrying an external hard drive when I have a laptop with me. I explained that the drive was brand-new and I just bought it. The airport security said they will check it, so they took me to some sort of lab, put the drive under a beeping machine that emits some sort of lightning, gave it back to me, and apologized for the disturbance. My guess is that was a test to check if there was any explosive residue because they couldn't care less what was on it.

I have also flown with 3 mobile phones where one of them wasn't even mine and I was taking it back to a friend. Maybe I was just lucky, but no one ever showed interest in the data on my electronic devices.

Does anyone have any horror stories about airports were they were threated like criminals and terrorists?   

Last time, there was a big guy feeling me up before departure, but that's about it.
And when I come back they like to see if they can tax me on something, but my laptop is old.

If you download a distribution other than from the main source, i.e Ubuntu, Kubuntu, Slackware, Fedora or whatever it might be assume it's compromised, and don't consider it a trusted machine. That's including private key generation, and the Blockchain itself, since ultimately your operating system has control, unless it's been overridden via the hardware itself.

You can get around a lot of these problems like putting tamper evident or security seals on each component of your laptop. You can make them actually mark the casing if they're removed. You could potentially get these custom made. I've got tamper evident seals on my laptop for use when traveling, as well as a lock pad on it. I've never had an issue, and they've never even asked me to unlock the padlock to see if it turns on or anything. I've got some looks at times, but I've seen other travelers do this as well. As long, as you follow the instructions, and place it outside of a bag they usually don't have a issue. Plus, its usually setup in a way that you can watch how they are handling your stuff.

As for the internet, just use a sim cards internet instead of public Wifi. It's a little better in practice, and obviously continue using a VPN especially on untrusted connections.

This! I'm also trying to use my old laptop for travel. When the guys at the airport security see it, they're probably like: ok, let's give this guy some money so he could buy a new laptop, this one is ancient. And for sure, nobody would ever try to steal it!   ;D

Ahh right, I'm with you now. Essentially take the phone to use as a surrogate airgapped device when you are on vacation, as opposed to storing the wallet on the phone as you cross the border. Yes, that could work. You can even disguise said phone as a regular phone, and you can remove the SIM card and factory reset it when you arrive before installing your chosen bitcoin wallet, and then reset it again to remove all traces before taking it back across the border on your way home.

No, but they might wonder why you are taking a broken phone which won't turn on to another country. Seems a bit suspicious.

If you are not being specifically targeted for a search, then all of this conversation is moot. You could carry across a laptop with a full node installed, every piece of bitcoin software under the sun, and wallets holding thousands of bitcoin, and no one will be any the wiser. But if you want to be protected against an individual search, then you need to think of ways to sanitize your devices and carry a seed phrase unnoticed.

Not really. A knife, axe or a phone allows for plausible denniability. "I was carring the knife to cut some bread, the axe to chop some trees, and the phone to make some calls".

However, when you are found with a HW, what are you going to say? Exactly.


There are random searches:

https://www.reddit.com/r/privacy/comments/w0rxbu/comment/ightvoj/

You don't want to end up in a situation where you are forced to decrypt:
https://www.bleepingcomputer.com/news/legal/man-who-refused-to-decrypt-hard-drives-still-in-prison-after-two-years/

"It's a gift for a friend."

Here, chopping trees gets you in more trouble than carrying a hardware wallet.

So don't do this:
Let's not make it look as if this happens for no reason.
I'm curious how they found file hashes on an encrypted device though.

You can look at page 4 : https://cdn.arstechnica.net/wp-content/uploads/2017/03/rawlsopinion.pdf#page=5&zoom=auto,-99,637

I

Hence why I have repeatedly mentioned hidden volumes. There are other methods of deniable encryption as well, such as encrypting the entire external storage device and making in indistinguishable from simply have being wiped and overwritten with junk data. I prefer hidden volumes, though, since you can still decrypt them and hand over your decoy data, without revealing the existence of the hidden volume or the data you are actually hiding inside.

"Turn it on and show us."

Meanwhile, your name is added to a list of "People potentially trying to take large amounts of money across a border without declaring it". It's all unnecessary attention.

I think a USB live distro with encryption + persistance could do the trick. Electrum / pruned node on it

You can find 500GB usb, 1-2 TB sd cards

You can travel with your usb stick, and buy the cheapest laptop if needed once arrived / bring yours with a fresh OS install

On many country, there are prepaid SIM card which targeted towards foreign tourist or businessman. So you could say you'll buy it later (e.g. after you pass the border or enter hotel). I'm fairly sure you can buy one at most airport.


We're going back to circle. Someone already mention the worker at border might perform random search and ask you to decrypt it. If they find cryptocurrency wallet/software, they could suspect you're trying to evade "crypto travel rule" from FATF or other similar rule.

While this can easily be a solution for the case you get lucky, it's not something to rely on.
However, if you want some sort of pruned node, you can make an encrypted volume as a file (see veracrypt) and when you have all the data you need you copy that file onto the USB stick (with a generic data.dat like name), then delete it. The stick will look empty and recovering the data will be just fine as long as nothing new is written onto it. ...But if, for some reason, something gets written onto that stick.. tough luck.

But I think that the airgap phone + the seed on pieces of paper + downloading a SPV at arrival is easier and more straightforward and doesn't rely on "getting lucky" or not.

Yeah, that's a good solution. Your regular phone with no trace of bitcoin related stuff on it as everyone would have, and your dummy phone which you say you are going to use in your destination country with a local SIM.

This will only fool the most cursory of investigations - i.e. plug it in, it looks empty, oh well nothing to see here. Anything beyond that will clearly show the header of your encrypted file, and then you are back at the issue of being asked to decrypt it.

Well, then you can put some documents there like you'd write a book or a paper. Or.. use your imagination...
Also, the beauty of veracrypt volume files is that there's no clear header or anything to be read or understood. It can really be anything there.

It is really bad to trust on an entire OS when we cannot even trust a single binary file. Always verify before using using any tool and software. So it is better to use a secure OS like Tails OS and then download and configure wallets by yourself. Never trust pre-built software.

it's all very easy


without the header, there's no way to prove that a disk is encrypted

so:

• encrypt disk
• copy header
• fill the header up (on encrypted disk) with random data

Oompah-loompa - "why doesn't it switch on?"
you - "broken"
Oompah-loompa - "why did you bring a broken phone?"
you - "it broke on the way here"
Oompah-loompa - "why didn't you fix it?"
you - "if I knew what was wrong with it, I would already have fixed it"


...then just copy the header back again when you want to use the disk

It's probably easier to hide it on phone than on laptop.
If you are using GrapheneOS you can have multiple users with encrypted drives, and you can even use some random eSIM or old sim card in other account.
It's easy to disable/enable accounts and add separate PIN for each account.

Why would this be any different with smartphone, you can probably do exact same thing with them.

Please try this experiment for yourself and tell me how long it took for you to replace the screen, but they can always just plug in external screen if they want.

If wife (or someone else) is coming with me than I guess we need much more Bitcoin on vacation.  :D

Exactly what?
What you saying it's ridiculous, and if I have hardware wallet that doesn't mean it 100% have any Bitcoin there.
Good luck explaining to authorities that you use knife for bread, and not to kill someone, and btw if you don't carry bread with knife or wood with axe than you are a liar.

Depending on the phone, it takes me 30 minutes to 2 hours. Especially Apple phones are designed to break and easily replace screens.

That's not even remotely the same thing. That's about a man who possessed children pornography and was suspected of having more content on the encrypted hard drives. His laptop had proof that he downloaded children pornography and copied it to the drives. Mysteriously, he "forgot" his password.

Here is a newer article that mentions that he spend 4 years in prison, although they couldn't legally hold him longer than 18 months. Still, not a pleasant situation to find yourself in whether you are right or wrong.
https://arstechnica.com/tech-policy/2020/02/man-who-refused-to-decrypt-hard-drives-is-free-after-four-years-in-jail/   

There are methods of encrypting data so the header itself is indistinguishable from random data. Then you don't need to copy or overwrite anything, which adds complexity and risk.

The point I'm making is that encrypting data is not enough when being subjected to a targeted search crossing a border. They will simply detain you until you decrypt it. You need plausible deniability.

Is there a reputable open source encryption app which will produce hidden volumes on a phone?

Unless you are working as smartphone repairman, you can easily break your display like this or damage your phone being water resistant.
I can disassemble laptops much easier but I wouldn't dare doing that with any modern smartphones.

You don't need to have any special encryption app if you are using hidden accounts on GrapheneOS that are already encrypted isolated space by default.
If you want to use open source app I think there is one called EDS for that purpose.

But the encrypted data is not hidden. Sure, the user profile is encrypted, and maybe you can even hide the profile from various menus on the OS, but I doubt very much the entire volume is hidden when the phone's storage is directly examined. The header and the rest of the necessary data to decrypt and log in to that profile will still be there. And so you can be coerced in to decrypting it.

You need to buy the full version if you want hidden volume support, and the full version is not open source.

There are so many flavors of Linux available in the market and its difficult to distinguished between clean and compromised ones. Best practise is to use  reliable distributions like Ubuntu, Fedora and Mint. I wasnt aware that there is a linux distribution that protect you againest surveillance and censorship. There is no gurantee that this distribution i.e. Linux Tail is not Eavesdropping on you.
 

Data on laptop or anyother digital devices should never be kept unencrypted specially if you are traveling (by road or air). If you talk about Linux then there are many tools (Linux Unified Key Setup (LUKS) that can encrypt your data and even if someone was able to login to your device he wont be able to see the data.
Just few simple cautions and you are good to go. 

It could work, but this is definitely overkill considering OP mention his goal is holiday and very complex even for tech geek.


But compared with most OS, Tails is probably one of best OS for privacy. It's open source, has been around for >10 years, trusted by various group and actively used by people who really need privacy/security.


But on device with disk encryption, you usually need to decrypt it before you can login to OS user account.

Exactly. Just download Debian, which is a very lean distro, verify the checksums and install it, and then put Bitcoin Core, Electrum, and other bitcoin programs on it.

It takes way too much manpower to keep a distro updated and considering the number of security bugs that are fixed each month, it just isn't worth the effort if maintained by only 2 or 3 people.

Thanks for this info. I seriously have no idea about this distr until now. I will defiantly have a look into it. Till now my only focus was on my Ubuntu distribution.


Yes thats very much correct. My point is that if you are traveling or in condition where your laptop gets away from you then you must have some security mechanism in place that restricts anyway to see your data. Although I think placing a password on your laptop is good enough but still if you wanna add extra layer of security then you can choose such options.

ah, what's the name for that method then? sounds too good to be true, clearly there's been developments in this area that I didn't follow


(this part of) the thread ended already if o_e_l_e_o's link checks out... and airport security searching "encrypted" disks also ended :D

I didn't test this myself, but I can bet they would much easier find your hidden volumes on laptop you are using, than hidden profile in pixel phone with GrapheneOS that have secure space.
They could also coerce you to give them access to your hidden volumes, or anything else they are looking for.
I am also not against people using Linux and doing whatever they want with it.

I just gave you one example, and I didn't use this app, but I am sure there are other options available.

I'm not sure if it has a name, but VeraCrypt does it. A VeraCrypt encrypted file or volume has no unencrypted parts, and is indistinguishable from random data. See below:


But of course, if someone finds a section of purely random data on your otherwise unencrypted drive, then they will start asking questions. Which is why I have repeatedly mentioned hidden volumes (https://www.veracrypt.fr/en/Hidden%20Volume.html) in this thread. You can even use this method to create entirely hidden operating systems (https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html). Or alternatively encrypt the entire disk like this so that the whole disk is indistinguishable from random data, and you can state that you simply securely erased everything on the disk by writing random data to it.

The whole point of a hidden volume is that it cannot be found and is completely indistinguishable from random data, even if you are coerced in to decrypting the outer volume.

I heard there are ways to prove the hidden volume exists, although VeraCrypt appears to have evolved since the last info I'm aware of


this to me sounds more reliable.

best thing is to explain it simply:

Oompah loompa: "what's on this disk?"
you: "nothing"

if you say "it's completely random data officer, which is completely indistinguishable from any other random data :D", despite that being true, you're still gonna get looked at through narrowed eyes

If you are worried about crossing borders / going through security with BTC on your laptop or leaving it unattended someplace there are still a bunch of laptops with easily removable drives.

With the rugged ones from Dell and Panasonic and others you pop down a panel, push a tab and the drive and caddy come out. You can always get a 2nd one that you have a small drive in so the unit will work and boot with no issues.

-Dave

There are methods, but they can all be mitigated against: https://veracrypt.eu/en/Security%20Requirements%20for%20Hidden%20Volumes.html

A common one would be if you change the data inside the hidden volume, and someone is able to compare an image of your drive before and after you did this. What reason would you have for writing over already random data with different random data? Perhaps you could say you used the drive in the meantime and then securely wiped it again?

You are also less likely to leak data to the unencrypted parts of the drive if the entire drive is encrypted rather than just a file.

How "common" is that, really? It's a theoretical possibility, but I'm sure I'm not interesting enough for anyone to go through such lengths. It would be much easier to install a camera in the lamp above me, and record all keys I press. This made me inspect the lamp: I think I'm still good.

It's probably the most likely way for a TSA agent or similar to bust you, if we are assuming you are being specifically targeted for a search. They examine your encrypted drive, you state that it is just random data, but while you are doing that they make an image of it. When you return from your vacation a few weeks later, they do the same thing and compare the two images. It's a highly unlikely scenario, but it would be the most common way for someone to detect the presence of a hidden volume.

Alternative detection methods, such as determining the blocks of "random" data which actually contain your hidden volume have been read more times than other blocks of actually random data, are far more niche and require equipment the TSA does not possess. At this stage you are now looking at being targeted by much higher up three letter agencies, at which point you will have much bigger issues when trying to cross a border than taking some bitcoin across it.

That's easy: something else wrote to that random data sector. Sorry TSA guy, I didn't expect you really wanted to know I keep my naked pictures in StegFS (https://github.com/albinoloverats/stegfs) (unfortunately development ended a long time ago).

That steganographic file system depends on there being an actual file system. If the entire disk is encrypted to appear as nothing more than random data, then there is no file system at all.

A more plausible explanation would be that I am traveling for work, I will use this hard drive when I arrive to install Linux and then work on trade secrets/confidential information/whatever, and I will securely wipe it again before I travel home.

You can add encrypted files inside your encrypted file system :)

It's even easier if you use a dual boot and use the second to overwrite the first. I do that for my Fork claiming adventures (https://bitcointalk.org/index.php?topic=2836875.msg60084872#msg60084872):
In a few minutes, all trade secrets (or in my case: untrusted wallets) are gone and I have a fresh installation again.

This is an interesting option, what do you use for encryption? Could you do this with a GUI? I know about dm-crypt and luks, but Veracrypt has the best and easy to use GUI, which means there's less chance to screw up in the process.

Also, not sure if that would work in certain places. Perhaps in the west, but what about places like China? they may think you are just trying to do plausible deniability. It's one of those things.

If I ever go there, I'll leave all electronics at home.

luks


I don't think so

it's easy (:D) to do with linux dd command, just practice it with a disk you don't care about.

It's also easy to screw it up and write the random data to your main PC disk, so maybe use a VM on an old USB disk as your practice...

workflow:

• md5sum on the first x bytes of the encrypted disk, save that hash somewhere (using linux tail lets you feed the exact number of bytes to md5sum, do it with the pipe character)
• dd using x bytes as the offset to backup the header
• md5sum the file with the backed up header, compare to saved hash
• dd i=/dev/random to the encrypted disk device with that x offset as the value for where to end

the variable x will be the size of the LUKS header, I don't know what it is off the top of my head, but either LUKS utilities or the LUKS manpage (probably man cryptsetup) will also tell you

so long as you get the right number for x, and the right device for the disk, you'll be alright. possibly LUKS header is variable length (I expect it is as it's possible to add multiple keys or something like that), but that's why practicing is a good idea

But then you lose your explanation.

"Why has this data, which you told me was nothing but random data from a secure wipe process, changed?"
"Oh, that's just because of my encrypted files inside my encrypted file system, which is disguised within this supposedly random data. Sorry, what I meant was, I have no idea!"

Personally, I would have my entirely encrypted drive appearing as nothing but random data, and a laptop with nothing sensitive on it. When I get to my destination, use Tor to download Tails and run it from a USB as a live OS, and then use that to mount and decrypt my drive. This avoids the risk of my regular OS storing any unencrypted information about my drive.

In that case, I'll take another approach: "what's random data?"
Seriously, I don't think anyone is ever going to ask me that, it's far above the investigation skills of the guy checking your suitcase for explosives.

Exactly :)

right, it's vital to know accurately which byte the header ends so that you know which byte the encrypted volume begins. using a graphical hex editor could work, e.g. perhaps there is a byte sequence at the end of the header that's always the same.

if not, knowing exactly the length of a key slot, exactly how many key slots your header has, and the exact length of the data before them is very important.

---

an extra trick I thought of: I expect that the header for a disk partition is smaller than a basic disk encryption header. Instead of replacing the encryption header entirely with random data, why not:

• find out the size of a partition header
• subtract it from the size of your encryption header
• overwrite the start of the disk encryption header with a partition
• fill the remaining space with random data (only as far as the last byte of the encryption header! use the number you found in step 2)

then, instead of having a "suspicious" random data disk, you have a disk that an OS filesystem window would recognize when you plug it in. Sure the rest of the data is your encrypted volume, but it "looks" otherwise like a normal disk that's got nothing on it.

you: "really? nothing on it? damn, must've taken the wrong disk with me, my bad"

or

you: "yeah, that's my disk to put the holiday photos on, would you like to see my photos of the church organs of Europe?"

:D that sort of thing

Someone with forensic tools would just be able to see a relevant chunk of random data irrespective of how your headers look. Sure having a reasonable looking header increases your chances of plausible deniability but I don't see how tricks anyone that has been instructed in this field. Also playing around with the header is quite dangerous if you screw up in the process. Id rather never put myself on a situation where someone gets to my encrypted data to begin with. So far I have concluded that you just cannot cross any borders with encrypted stuff.