[arch-general] LUKS emergency self-destruct

newer
[arch-general] systemd claims /run...

Paladin

13 Jan 2014 13 Jan '14

10:57 a.m.

Hi, does anyone know if there is plan to implement this: http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ in Arch?

Patch https://github.com/offensive-security/cryptsetup-nuke-keys is not too big and IMHO it would be great to have this option..

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

Paladin

-- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments

Attachments:

attachment.sig (application/pgp-signature — 836 bytes)

Show replies by date

Allan McRae

13 Jan 13 Jan

11:07 a.m.

On 13/01/14 20:57, Paladin wrote:

...

Hi, does anyone know if there is plan to implement this: http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ in Arch?

Patch https://github.com/offensive-security/cryptsetup-nuke-keys is not too big and IMHO it would be great to have this option..

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

Arch provides vanilla packages. So no.

Florian Pritz

11:07 a.m.

On 13.01.2014 11:57, Paladin wrote:

...

does anyone know if there is plan to implement this: http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ in Arch?

Things like this belong to the bug tracker, not the mailing list.

Is the patch merged upstream? If no, it is highly unlikely that we will implement it. (read as no we won't)

Quintus Public

1:06 p.m.

New subject: [arch-general] LUKS emergency self-destruct

Hi Paladin,

On Monday, January 13, 2014, Paladin wrote:

...

Patch https://github.com/offensive-security/cryptsetup-nuke-keys

https://github.com/offensive-security/cryptsetup-nuke-keys> is not too big and IMHO it would be great to have this option..

...

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

This would be a suitable AUR project. You could provide a PKGBUILD which implements this additional functionality, but *you* alone are responsible for additional functionality which isn't maintained upstream. If there is, in fact, demand for this feature, it would be well received on the AUR.

It could be useful to model the vmware-patch[1] PKGBUILD, which provides a post-installation patch to vmware. (I found this with a search and have not tested it.)

Also, in the future, please consider not using "emergency" in the subject line of this mailing list unless it is warranted.

Cheers, Quint

[1]: https://aur.archlinux.org/packages/vmware-patch/

Thomas Bächler

1:11 p.m.

Am 13.01.2014 11:57, schrieb Paladin:

...

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

This feature has already been rejected by the cryptsetup authors as far as I can see. So no, we will not keep maintaining our own cryptsetup modification.

Bigby James

4:07 p.m.

On Mon, Jan 13, 2014 at 11:57:28AM +0100, Paladin wrote:

...

Hi, does anyone know if there is plan to implement this: http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ in Arch?

Patch https://github.com/offensive-security/cryptsetup-nuke-keys is not too big and IMHO it would be great to have this option..

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

Paladin

-- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments

It's already in the AUR---was submitted the day that blog post came out, in fact: https://aur.archlinux.org/packages/cryptsetup-nuke-keys/

Taylor Hornby

8:48 p.m.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 01/13/2014 03:57 AM, Paladin wrote:

...

Hi, does anyone know if there is plan to implement this: http://www.kali.org/how-to/emergency-self-destruction-luks-kali/ in Arch?

Patch https://github.com/offensive-security/cryptsetup-nuke-keys is not too big and IMHO it would be great to have this option..

Patch is for 1.6.1 but it cannot be that difficult to port it to 1.6.3 which we have.

If you use this, be careful that you're using it for the right thing. Unfortunately the way it's implemented makes it seem like it's purpose is something that it's not.

The intent is for it to be an easy and fast way to destroy the key information (and optionally recover it if you have a backup), when you are in a SAFE environment. A convenient alternative to manually doing it with dd and a live CD.

It's not intended to be an "If I'm tortured I can enter the duress password and it will destroy the keys" feature. Obviously, your torturers (or law enforcement (they can be the same thing)), will clone the disk and make you enter your password into the cloned system.

Just a warning.

- -- Taylor Hornby

...PGP SIGNATURE...

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJS1FEXAAoJEP5tMebkC3Ru7oEP+gPNCGgmyi0ovRLLZhwb+BV8 jU0+6MYKFYoZiTCe3VGSWsOBdAp1J14+f7q0NkG24fFvmlN6g8WYfHGsENGjn1ZO JrsPSMwD3rl7C9pEKS2zCzGlVhQcTgUTwkz7KaWqhoaZ2XoGTdSL3N9Hdkpl1hxo VreJC4hpBF42ON+3Up6ZUCPsgY67U2kGe5Mz4CZxm7uDKa15CtqFsbcUQIN+Ep0m e2VzztRZECz7NVYbcAPFA+XXWG5gU8lGNL29j8I49sdjZfOQGSsmM0VUDpXMfaN6 OLeOP1i/oBCQ/5AUMZJu/EK5xsbO+vTauAPSHCvxy1Go9lugYcxTYU2LdwrPFnDH 2rWCwRijyARoKvF+hsrfuXTPOSzH5jhnw827DQfL/PsimkWv1C0ZkbYqDEpy9cT9 /13TGonoOfm0uMgOvG2y9A7ZA8Z7OsqPXSKvZG/iife5q4513Lry9o8EwKOzIyNp yuiVD5o1ZW+fcBi11mlUu2D2wrKDp9YGBOUbRb2yHzgapjJ92Dh6L/kCVlC179AX ZnJqjXOltuGYLFCpZPmBXSYaMkt5rLkVvoD7X1NETNHRDUOucdRo3sxWT9ZAWOve o01J0y7QKH/eJQgJCObHlGQjdsCM9iFMPuEBodXwDH+FpZrodgvSJ3+BhoA0IUVX Rub5n0E/8OsuzGEU3mp6 =hll7 -----END PGP SIGNATURE-----

3614

Age (days ago)

3614

Last active (days ago)

List overview

Download

6 comments

7 participants

tags (0)

participants (7)

Allan McRae
Bigby James
Florian Pritz
Paladin
Quintus Public
Taylor Hornby
Thomas Bächler