Bitcoin-ready linux distro

[Pmalek]

You don't want to end up in a situation where you are forced to decrypt:
https://www.bleepingcomputer.com/news/legal/man-who-refused-to-decrypt-hard-drives-still-in-prison-after-two-years/

That's not even remotely the same thing. That's about a man who possessed children pornography and was suspected of having more content on the encrypted hard drives. His laptop had proof that he downloaded children pornography and copied it to the drives. Mysteriously, he "forgot" his password.

Here is a newer article that mentions that he spend 4 years in prison, although they couldn't legally hold him longer than 18 months. Still, not a pleasant situation to find yourself in whether you are right or wrong.
https://arstechnica.com/tech-policy/2020/02/man-who-refused-to-decrypt-hard-drives-is-free-after-four-years-in-jail/   

[1713554627]

1713554627

[1713554627]

1713554627

[1713554627]

1713554627

[1713554627]

1713554627

[o_e_l_e_o]

so:

• encrypt disk
• copy header
• fill the header up (on encrypted disk) with random data

There are methods of encrypting data so the header itself is indistinguishable from random data. Then you don't need to copy or overwrite anything, which adds complexity and risk.

If you are using GrapheneOS you can have multiple users with encrypted drives, and you can even use some random eSIM or old sim card in other account.

The point I'm making is that encrypting data is not enough when being subjected to a targeted search crossing a border. They will simply detain you until you decrypt it. You need plausible deniability.

Why would this be any different with smartphone, you can probably do exact same thing with them.

Is there a reputable open source encryption app which will produce hidden volumes on a phone?

[dkbit98]

Depending on the phone, it takes me 30 minutes to 2 hours. Especially Apple phones are designed to break and easily replace screens.

Unless you are working as smartphone repairman, you can easily break your display like this or damage your phone being water resistant.
I can disassemble laptops much easier but I wouldn't dare doing that with any modern smartphones.

Is there a reputable open source encryption app which will produce hidden volumes on a phone?

You don't need to have any special encryption app if you are using hidden accounts on GrapheneOS that are already encrypted isolated space by default.
If you want to use open source app I think there is one called EDS for that purpose.

[o_e_l_e_o]

You don't need to have any special encryption app if you are using hidden accounts on GrapheneOS that are already encrypted isolated space by default.

But the encrypted data is not hidden. Sure, the user profile is encrypted, and maybe you can even hide the profile from various menus on the OS, but I doubt very much the entire volume is hidden when the phone's storage is directly examined. The header and the rest of the necessary data to decrypt and log in to that profile will still be there. And so you can be coerced in to decrypting it.

If you want to use open source app I think there is one called EDS for that purpose.

You need to buy the full version if you want hidden volume support, and the full version is not open source.

[WatChe]

If you download a distribution other than from the main source, i.e Ubuntu, Kubuntu, Slackware, Fedora or whatever it might be assume it's compromised, and don't consider it a trusted machine. That's including private key generation, and the Blockchain itself, since ultimately your operating system has control, unless it's been overridden via the hardware itself.

There are so many flavors of Linux available in the market and its difficult to distinguished between clean and compromised ones. Best practise is to use  reliable distributions like Ubuntu, Fedora and Mint. I wasnt aware that there is a linux distribution that protect you againest surveillance and censorship. There is no gurantee that this distribution i.e. Linux Tail is not Eavesdropping on you.
 

You can get around a lot of these problems like putting tamper evident or security seals on each component of your laptop. You can make them actually mark the casing if they're removed. You could potentially get these custom made. I've got tamper evident seals on my laptop for use when traveling, as well as a lock pad on it. I've never had an issue, and they've never even asked me to unlock the padlock to see if it turns on or anything. I've got some looks at times, but I've seen other travelers do this as well. As long, as you follow the instructions, and place it outside of a bag they usually don't have a issue. Plus, its usually setup in a way that you can watch how they are handling your stuff.

Data on laptop or anyother digital devices should never be kept unencrypted specially if you are traveling (by road or air). If you talk about Linux then there are many tools (Linux Unified Key Setup (LUKS) that can encrypt your data and even if someone was able to login to your device he wont be able to see the data.
Just few simple cautions and you are good to go. 

[ABCbits]

it's all very easy


without the header, there's no way to prove that a disk is encrypted

so:

• encrypt disk
• copy header
• fill the header up (on encrypted disk) with random data

It could work, but this is definitely overkill considering OP mention his goal is holiday and very complex even for tech geek.

There is no gurantee that this distribution i.e. Linux Tail is not Eavesdropping on you.

But compared with most OS, Tails is probably one of best OS for privacy. It's open source, has been around for >10 years, trusted by various group and actively used by people who really need privacy/security.

If you talk about Linux then there are many tools (Linux Unified Key Setup (LUKS) that can encrypt your data and even if someone was able to login to your device he wont be able to see the data.

But on device with disk encryption, you usually need to decrypt it before you can login to OS user account.

[NotATether]

Is there such a thing being developed and kept updated? What I mean is a distro that comes with preinstalled software that you would need for any Bitcoin related business

yes

but don't do it. It's much too tempting for some employee(s) to abuse the situation and ship something that steals BTC or other data.

just get a standard distribution and figure it out, anything else is going back to "be my bank", not "be your own bank"

Exactly. Just download Debian, which is a very lean distro, verify the checksums and install it, and then put Bitcoin Core, Electrum, and other bitcoin programs on it.

It takes way too much manpower to keep a distro updated and considering the number of security bugs that are fixed each month, it just isn't worth the effort if maintained by only 2 or 3 people.

[WatChe]

But compared with most OS, Tails is probably one of best OS for privacy. It's open source, has been around for >10 years, trusted by various group and actively used by people who really need privacy/security.

Thanks for this info. I seriously have no idea about this distr until now. I will defiantly have a look into it. Till now my only focus was on my Ubuntu distribution.

But on device with disk encryption, you usually need to decrypt it before you can login to OS user account.

Yes thats very much correct. My point is that if you are traveling or in condition where your laptop gets away from you then you must have some security mechanism in place that restricts anyway to see your data. Although I think placing a password on your laptop is good enough but still if you wanna add extra layer of security then you can choose such options.

[Carlton Banks]

There are methods of encrypting data so the header itself is indistinguishable from random data. Then you don't need to copy or overwrite anything, which adds complexity and risk.

ah, what's the name for that method then? sounds too good to be true, clearly there's been developments in this area that I didn't follow


(this part of) the thread ended already if o_e_l_e_o's link checks out... and airport security searching "encrypted" disks also ended

[dkbit98]

But the encrypted data is not hidden. Sure, the user profile is encrypted, and maybe you can even hide the profile from various menus on the OS, but I doubt very much the entire volume is hidden when the phone's storage is directly examined. The header and the rest of the necessary data to decrypt and log in to that profile will still be there. And so you can be coerced in to decrypting it.

I didn't test this myself, but I can bet they would much easier find your hidden volumes on laptop you are using, than hidden profile in pixel phone with GrapheneOS that have secure space.
They could also coerce you to give them access to your hidden volumes, or anything else they are looking for.
I am also not against people using Linux and doing whatever they want with it.

You need to buy the full version if you want hidden volume support, and the full version is not open source.

I just gave you one example, and I didn't use this app, but I am sure there are other options available.

[o_e_l_e_o]

ah, what's the name for that method then? sounds too good to be true, clearly there's been developments in this area that I didn't follow

I'm not sure if it has a name, but VeraCrypt does it. A VeraCrypt encrypted file or volume has no unencrypted parts, and is indistinguishable from random data. See below:

Until decrypted, a VeraCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it should be impossible to prove that a partition or a device is a VeraCrypt volume or that it has been encrypted (provided that the security requirements and precautions listed in the chapter Security Requirements and Precautions are followed).

But of course, if someone finds a section of purely random data on your otherwise unencrypted drive, then they will start asking questions. Which is why I have repeatedly mentioned hidden volumes in this thread. You can even use this method to create entirely hidden operating systems. Or alternatively encrypt the entire disk like this so that the whole disk is indistinguishable from random data, and you can state that you simply securely erased everything on the disk by writing random data to it.

I didn't test this myself, but I can bet they would much easier find your hidden volumes on laptop you are using, than hidden profile in pixel phone with GrapheneOS that have secure space.

The whole point of a hidden volume is that it cannot be found and is completely indistinguishable from random data, even if you are coerced in to decrypting the outer volume.

[Carlton Banks]

You can even use this method to create entirely hidden operating systems.

I heard there are ways to prove the hidden volume exists, although VeraCrypt appears to have evolved since the last info I'm aware of

Or alternatively encrypt the entire disk like this so that the whole disk is indistinguishable from random data, and you can state that you simply securely erased everything on the disk by writing random data to it.

this to me sounds more reliable.

best thing is to explain it simply:

Oompah loompa: "what's on this disk?"
you: "nothing"

if you say "it's completely random data officer, which is completely indistinguishable from any other random data ", despite that being true, you're still gonna get looked at through narrowed eyes

[DaveF]

If you are worried about crossing borders / going through security with BTC on your laptop or leaving it unattended someplace there are still a bunch of laptops with easily removable drives.

With the rugged ones from Dell and Panasonic and others you pop down a panel, push a tab and the drive and caddy come out. You can always get a 2nd one that you have a small drive in so the unit will work and boot with no issues.

-Dave

[o_e_l_e_o]

I heard there are ways to prove the hidden volume exists, although VeraCrypt appears to have evolved since the last info I'm aware of

There are methods, but they can all be mitigated against: https://veracrypt.eu/en/Security%20Requirements%20for%20Hidden%20Volumes.html

A common one would be if you change the data inside the hidden volume, and someone is able to compare an image of your drive before and after you did this. What reason would you have for writing over already random data with different random data? Perhaps you could say you used the drive in the meantime and then securely wiped it again?

this to me sounds more reliable.

You are also less likely to leak data to the unencrypted parts of the drive if the entire drive is encrypted rather than just a file.

[LoyceV]

A common one would be if you change the data inside the hidden volume, and someone is able to compare an image of your drive before and after you did this.

How "common" is that, really? It's a theoretical possibility, but I'm sure I'm not interesting enough for anyone to go through such lengths. It would be much easier to install a camera in the lamp above me, and record all keys I press. This made me inspect the lamp: I think I'm still good.

[o_e_l_e_o]

How "common" is that, really?

It's probably the most likely way for a TSA agent or similar to bust you, if we are assuming you are being specifically targeted for a search. They examine your encrypted drive, you state that it is just random data, but while you are doing that they make an image of it. When you return from your vacation a few weeks later, they do the same thing and compare the two images. It's a highly unlikely scenario, but it would be the most common way for someone to detect the presence of a hidden volume.

Alternative detection methods, such as determining the blocks of "random" data which actually contain your hidden volume have been read more times than other blocks of actually random data, are far more niche and require equipment the TSA does not possess. At this stage you are now looking at being targeted by much higher up three letter agencies, at which point you will have much bigger issues when trying to cross a border than taking some bitcoin across it.

[LoyceV]

It's probably the most likely way for a TSA agent or similar to bust you, if we are assuming you are being specifically targeted for a search. They examine your encrypted drive, you state that it is just random data, but while you are doing that they make an image of it. When you return from your vacation a few weeks later, they do the same thing and compare the two images. It's a highly unlikely scenario, but it would be the most common way for someone to detect the presence of a hidden volume.

That's easy: something else wrote to that random data sector. Sorry TSA guy, I didn't expect you really wanted to know I keep my naked pictures in StegFS (unfortunately development ended a long time ago).

Steganographic file systems allow the user plausible deniability of files within. It achieves this by becoming a lossy file system: writing a file to the file system may overwrite an existing file without warning.

[o_e_l_e_o]

That's easy: something else wrote to that random data sector. Sorry TSA guy, I didn't expect you really wanted to know I keep my naked pictures in StegFS (unfortunately development ended a long time ago).

That steganographic file system depends on there being an actual file system. If the entire disk is encrypted to appear as nothing more than random data, then there is no file system at all.

A more plausible explanation would be that I am traveling for work, I will use this hard drive when I arrive to install Linux and then work on trade secrets/confidential information/whatever, and I will securely wipe it again before I travel home.

[LoyceV]

If the entire disk is encrypted to appear as nothing more than random data, then there is no file system at all.

You can add encrypted files inside your encrypted file system

A more plausible explanation would be that I am traveling for work, I will use this hard drive when I arrive to install Linux and then work on trade secrets/confidential information/whatever, and I will securely wipe it again before I travel home.

It's even easier if you use a dual boot and use the second to overwrite the first. I do that for my Fork claiming adventures:

Code:

# cat sda1.iso.gz | gunzip > /dev/sda1; sync; halt

In a few minutes, all trade secrets (or in my case: untrusted wallets) are gone and I have a fresh installation again.

[takuma sato]

it's all very easy


without the header, there's no way to prove that a disk is encrypted

so:

• encrypt disk
• copy header
• fill the header up (on encrypted disk) with random data

Oompah-loompa - "why doesn't it switch on?"
you - "broken"
Oompah-loompa - "why did you bring a broken phone?"
you - "it broke on the way here"
Oompah-loompa - "why didn't you fix it?"
you - "if I knew what was wrong with it, I would already have fixed it"


...then just copy the header back again when you want to use the disk

This is an interesting option, what do you use for encryption? Could you do this with a GUI? I know about dm-crypt and luks, but Veracrypt has the best and easy to use GUI, which means there's less chance to screw up in the process.

Also, not sure if that would work in certain places. Perhaps in the west, but what about places like China? they may think you are just trying to do plausible deniability. It's one of those things.