diff --git a/graphs/.$sensitivevms.drawio.bkp b/graphs/.$sensitivevms.drawio.bkp index 56c26d4..5cf03cb 100644 --- a/graphs/.$sensitivevms.drawio.bkp +++ b/graphs/.$sensitivevms.drawio.bkp @@ -1,6 +1,6 @@ - + - + @@ -460,7 +460,7 @@ - + @@ -1375,112 +1375,112 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/graphs/sensitivevms.drawio b/graphs/sensitivevms.drawio index 054e5ef..822bdbb 100644 --- a/graphs/sensitivevms.drawio +++ b/graphs/sensitivevms.drawio @@ -1,6 +1,6 @@ - + - + @@ -460,7 +460,7 @@ - + @@ -472,7 +472,7 @@ - + diff --git a/opsec/deniability/5.png b/opsec/deniability/5.png index c2a032f..51665db 100644 Binary files a/opsec/deniability/5.png and b/opsec/deniability/5.png differ diff --git a/opsec/livemode/3.png b/opsec/livemode/3.png index ea6fd67..ac72886 100644 Binary files a/opsec/livemode/3.png and b/opsec/livemode/3.png differ diff --git a/opsec/livemode/4.png b/opsec/livemode/4.png index e50ee98..7a69005 100644 Binary files a/opsec/livemode/4.png and b/opsec/livemode/4.png differ diff --git a/opsec/veracrypt/0.png b/opsec/veracrypt/0.png index 313735c..862866d 100644 Binary files a/opsec/veracrypt/0.png and b/opsec/veracrypt/0.png differ diff --git a/opsec/veracrypt/1.png b/opsec/veracrypt/1.png index 3913ecb..232f062 100644 Binary files a/opsec/veracrypt/1.png and b/opsec/veracrypt/1.png differ diff --git a/opsec/veracrypt/10.png b/opsec/veracrypt/10.png index 23397ca..cb9f5f6 100644 Binary files a/opsec/veracrypt/10.png and b/opsec/veracrypt/10.png differ diff --git a/opsec/veracrypt/11.png b/opsec/veracrypt/11.png index 4b63381..c69fc9d 100644 Binary files a/opsec/veracrypt/11.png and b/opsec/veracrypt/11.png differ diff --git a/opsec/veracrypt/12.png b/opsec/veracrypt/12.png index af78f4f..8f38fdc 100644 Binary files a/opsec/veracrypt/12.png and b/opsec/veracrypt/12.png differ 
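Review bot: `graphs/.$sensitivevms.drawio.bkp` is a draw.io autosave backup (the `.$<name>.bkp` naming is the editor's temporary file), and committing it means every diagram change lands twice, as seen here where the .bkp carries the same `@@ -1,6` and `@@ -460,7` regions as `graphs/sensitivevms.drawio` plus a 112-line block at `@@ -1375`. Suggest removing it from the repository and adding `.$*.bkp` to .gitignore so only `sensitivevms.drawio` is tracked.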
diff --git a/opsec/veracrypt/13.png b/opsec/veracrypt/13.png index 277e45f..7e4db51 100644 Binary files a/opsec/veracrypt/13.png and b/opsec/veracrypt/13.png differ diff --git a/opsec/veracrypt/14.png b/opsec/veracrypt/14.png index 8f0d1b0..2b2a50f 100644 Binary files a/opsec/veracrypt/14.png and b/opsec/veracrypt/14.png differ diff --git a/opsec/veracrypt/15.png b/opsec/veracrypt/15.png index 7f0220c..8090bba 100644 Binary files a/opsec/veracrypt/15.png and b/opsec/veracrypt/15.png differ diff --git a/opsec/veracrypt/16.png b/opsec/veracrypt/16.png index fe3f11b..5f7515b 100644 Binary files a/opsec/veracrypt/16.png and b/opsec/veracrypt/16.png differ diff --git a/opsec/veracrypt/17.png b/opsec/veracrypt/17.png index f92bf3a..d10fd6a 100644 Binary files a/opsec/veracrypt/17.png and b/opsec/veracrypt/17.png differ diff --git a/opsec/veracrypt/18.png b/opsec/veracrypt/18.png index 9440edd..7c465fb 100644 Binary files a/opsec/veracrypt/18.png and b/opsec/veracrypt/18.png differ diff --git a/opsec/veracrypt/19.png b/opsec/veracrypt/19.png index 910ab72..bfbb9d4 100644 Binary files a/opsec/veracrypt/19.png and b/opsec/veracrypt/19.png differ diff --git a/opsec/veracrypt/2.png b/opsec/veracrypt/2.png index 309d47e..d2ae972 100644 Binary files a/opsec/veracrypt/2.png and b/opsec/veracrypt/2.png differ diff --git a/opsec/veracrypt/20.png b/opsec/veracrypt/20.png deleted file mode 100644 index 2f066f7..0000000 Binary files a/opsec/veracrypt/20.png and /dev/null differ diff --git a/opsec/veracrypt/21.png b/opsec/veracrypt/21.png deleted file mode 100644 index 73c1a7d..0000000 Binary files a/opsec/veracrypt/21.png and /dev/null differ diff --git a/opsec/veracrypt/22.png b/opsec/veracrypt/22.png deleted file mode 100644 index 0ec3664..0000000 Binary files a/opsec/veracrypt/22.png and /dev/null differ diff --git a/opsec/veracrypt/3.png b/opsec/veracrypt/3.png index ab81a17..747f682 100644 Binary files a/opsec/veracrypt/3.png and b/opsec/veracrypt/3.png differ 
diff --git a/opsec/veracrypt/4.png b/opsec/veracrypt/4.png index 847b132..9ac0020 100644 Binary files a/opsec/veracrypt/4.png and b/opsec/veracrypt/4.png differ diff --git a/opsec/veracrypt/5.png b/opsec/veracrypt/5.png index a73b2a6..c24840e 100644 Binary files a/opsec/veracrypt/5.png and b/opsec/veracrypt/5.png differ diff --git a/opsec/veracrypt/6.png b/opsec/veracrypt/6.png index 01a7140..a521277 100644 Binary files a/opsec/veracrypt/6.png and b/opsec/veracrypt/6.png differ diff --git a/opsec/veracrypt/7.png b/opsec/veracrypt/7.png index cc980b3..b5320cd 100644 Binary files a/opsec/veracrypt/7.png and b/opsec/veracrypt/7.png differ diff --git a/opsec/veracrypt/8.png b/opsec/veracrypt/8.png index 7a3717a..9a50b56 100644 Binary files a/opsec/veracrypt/8.png and b/opsec/veracrypt/8.png differ diff --git a/opsec/veracrypt/9.png b/opsec/veracrypt/9.png index e3cd1ae..3431304 100644 Binary files a/opsec/veracrypt/9.png and b/opsec/veracrypt/9.png differ diff --git a/opsec/veracrypt/index.html b/opsec/veracrypt/index.html index 98a1c09..e414580 100644 --- a/opsec/veracrypt/index.html +++ b/opsec/veracrypt/index.html @@ -63,8 +63,15 @@ Previous Page

nihilist@mainpc - 2024-01-31

The main source of Plausible Deniability: Deniable Encryption

-

VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability.

-

But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existence of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

+

zuluCrypt is a free and open-source tool for encrypting files and volumes in a secure way. We already used it for hiding data in video files using steganography.
+ +Today, we'll use it as a replacement for VeraCrypt - a free open source disk encryption software for Windows, Mac OSX and Linux. Being based on TrueCrypt, VeraCrypt offers a unique feature called Hidden Volumes which can give us Plausible Deniability. + +zuluCrypt supports both TrueCrypt and VeraCrypt volumes while being better integrated in Linux ecosystem. It also comes preinstalled with kicksecure OS. +

+ +

But why is Plausible Deniability important first of all?
+From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existence of the encrypted volume. If that is the case, we have to use zuluCrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling @@ -79,10 +86,10 @@ regarding wear leveling:
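Review bot: the byline at the top of the hunk still reads `nihilist@mainpc - 2024-01-31` while the page is being rewritten wholesale and the terminal session later in this patch is a different author's (`oxeo@milkyway`); update the author/date line in the same commit so the page's provenance matches its content. Two wording nits in the added paragraph: `better integrated in Linux ecosystem` → `better integrated into the Linux ecosystem`, and `kicksecure OS` → `Kicksecure` (proper name). The statement that zuluCrypt `comes preinstalled` there would also benefit from a link to the Kicksecure package list so readers can verify it.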
  1. Hardware : (Personal Computer / Laptop)

  2. System Harddrive: not LUKS encrypted [1]

  3. -
  4. Non-System Harddrive: 500Gb (used to contain our Veracrypt encrypted volumes)

  5. +
  6. Non-System Harddrive: 500Gb (used to contain our zuluCrypt encrypted volumes)

  7. Host OS: Linux

  8. Hypervisor: QEMU/KVM

  9. -
  10. Packages: grub-live and ram-wipe

  11. +
  12. Packages: grub-live and ram-wipe

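Review bot: the `Packages: grub-live and ram-wipe` line is removed and re-added with identical text, so this is a whitespace or markup-only change; drop it to keep the hunk down to the one real edit (Veracrypt → zuluCrypt in the non-system drive line). While touching that line, `500Gb` should read `500 GB` (Gb denotes gigabits).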
@@ -98,117 +105,46 @@ regarding wear leveling:

Deniability Context

-

⚠️ Deniability Disclaimer: If the adversary cannot be told that you are using veracrypt, do not install Veracrypt on the host OS outside of live mode, but rather install it manually each time you boot into live mode That way everytime you reboot, there is no veracrypt program to be found at all. ⚠️

-

Let's install the .deb package for veracrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode:

- -

-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb -O vc.deb
+

⚠️ Deniability Disclaimer: If the adversary cannot be told that you are using zuluCrypt, do not install zuluCrypt on the host OS outside of live mode, but rather install it manually each time you boot into live mode That way everytime you reboot, there is no zuluCrypt program to be found at all. ⚠️

-
-

If you are using a VPS to help speed up the initial setup everytime you boot into live mode like we have showcased previously, you can also use it to store the veracrypt .deb file for you, to make it easier to retrieve each time:

-

-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ ssh root@65.109.30.253
-root@65.109.30.253's password:
-Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+

Let's install zuluCrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode:
+

oxeo@milkyway:~$ sudo apt install zulucrypt-gui zulucrypt-cli
+

-The programs included with the Debian GNU/Linux system are free software; -the exact distribution terms for each program are described in the -individual files in /usr/share/doc/*/copyright. +

Open the GUI to see if it got installed correctly:
+

-Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent -permitted by applicable law. -Web console: https://localhost.localdomain:9090/ or https://65.109.30.253:9090/ - -You have mail. -Last login: Sat Nov 30 14:42:15 2024 from 91.90.40.175 - -[ Datura ] [ /dev/pts/0 ] [~] -→ cd sensitive_scripts - -[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts] -→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb -O vc.deb - -2024-11-30 16:43:58 (20.1 MB/s) - ‘vc.deb’ saved [9211094/9211094] - -[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts] -→ exit -Connection to 65.109.30.253 closed. - -
-

That way, everytime you boot into live mode, all you need is to download the vc.deb file from the VPS:

- -

-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ scp root@65.109.30.253:/root/sensitive_scripts/vc.deb .
-root@65.109.30.253's password:
-vc.deb                                                                                                                                                                                                        100% 8995KB   1.9MB/s   00:04
-
-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ file vc.deb
-vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compression gz
-
-
-

And then to install it you can do it like so:

-

-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo dpkg -i vc.deb
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo apt install -f
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo dpkg -i vc.deb
-	
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ which veracrypt
-/usr/bin/veracrypt
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ veracrypt
-
-
- - -

So now that you have veracrypt installed, before you start to use it, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:

+

So now you have zuluCrypt on your system. Before you start to use it, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:

-

By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. That's why you need to use the Host OS in live mode, to be able to use veracrypt, and to install it aswell if you cannot tell the adversary that you are using veracrypt.

+

By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. That's why you need to use the Host OS in live mode, to be able to use zuluCrypt, and to install it aswell if you cannot tell the adversary that you are using zuluCrypt.

-

That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, but rather only writing all that potential forensic evidence of the veracrypt hidden volume in RAM alone, which can be easily erased with a simple shutdown.

-

So now that we have installed veracrypt, let's reboot the Host OS into live mode:

+

That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, but rather only writing all that potential forensic evidence of the zuluCrypt hidden volume in RAM alone, which can be easily erased with a simple shutdown.

+

So now that we have installed zuluCrypt, let's reboot the Host OS into live mode:

-

And only now once we are in live mode, we can use veracrypt to create hidden encrypted volumes and unlock them. But be aware that everything you write into the system drive will be wiped upon shutting down, if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.

-

So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file:

- -

Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).

- -

Then we want it to be a simple file in my home directory for testing purposes (so be aware that upon rebooting it will be erased due to being in the system drive). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in this tutorial.

- -

Leave the default settings for the encryption

- -

As a test we'll make a 1Gb volume, can be smaller or as big as all the available space.

- -

Now here we want to remember our first password A, for the decoy volume, This is the password you'll type when you're forced to give out your password.

- -

Here we can select the FAT filesystem

- -

Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.

- - -

Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existence of this volume must never be revealed to anyone, only you should know about it. then we repeat the previous steps:

- - -

Here we select the size we need for the hidden volume.

- -

And here we use the second password, this is the one you must remember in order to access the data you want to hide from an adversary. Then we repeat the previous steps to create the volume:

- - - - - +

And only now once we are in live mode, we can use zuluCrypt to create hidden encrypted volumes and unlock them. But be aware that everything you write into the system drive will be wiped upon shutting down, if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.

+

So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file:
+

+ +

Select the volume name, size and location.
+We want the location to be a simple file in my home directory for testing purposes (so be aware that upon rebooting it will be erased due to being in the system drive). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in this tutorial:
+

+ +

Once you click Create, it will write random data to the file. This can take a while:
+

+ +

Here select the volume type (Normal+Hidden VeraCrypt), password for decoy and secret part and the size of hidden volume (has to be smaller than the size of outer volume).
+We set the filesystem as exfat. This is recommended since journaling filesystems can leave data which reveals the existence of hidden volume:
+

+ +

Now just click Create and wait a bit:
+ +

+ +

After that's done, you'll get a popup:
+

+
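Review bot: the removed text carried the warning `DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable`, and the replacement only says `it will write random data to the file`; restate the point explicitly (the whole container must be filled with random data before the hidden volume is created, otherwise the unused region is distinguishable from the hidden one) and say whether zuluCrypt exposes a quick-format option at all, so a reader does not skip that step. Also, `We set the filesystem as exfat` should state which volume the setting applies to, the outer one, the hidden one, or both, and which screenshot shows it, since the following sentence about journaling filesystems revealing the hidden volume is the reason given. Minor: the `oxeo@milkyway:~$` prompt differs from the `[ mainpc ] [ /dev/pts/N ] [dir]` prompt style used elsewhere on the site; pick one for the page.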
@@ -219,15 +155,38 @@ vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compressio

Mounting the Volumes



-

Now let's mount both volumes to see the difference:

- -

Here when we type the first password we see that the volume is mounted as normal type:

- -

Then dismount the volume, and mount the hidden volume next with the second password:

- -

And here you see that the volume mounted is now of the "hidden" type

- -

And that's it! We now have setup a test veracrypt volume with a hidden volume, into which we can store some sensitive files.

+

Now let's mount volume using both decoy and secret password to see the difference. To do that, click on Open > Volume Hosted In A File:
+

+ +

Select the volume file:
+ +

+ +

We'll then type the decoy password and click Open:
+

+ +

After a while a file manager should open in the directory where the volume got mounted:
+

+ +

In the zuluCrypt GUI, we can see the mount path:
+

+ +

We can put some decoy files there so that it makes sense why you hide it:
+

+ +

Now let's unmount the volume using zuluCrypt GUI:
+

+ +

Unlock the same volume but this time using the secret password:
+

+ +

As you can see, it's empty and the free space is just around 1024 MB as we set before:
+

+ +

You can put stuff that you actually care about in there:
+

+ +

And that's it! Now you have a fully working volume with hidden data inside achieving Plausible Deniability.
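Review bot: `We can put some decoy files there` has the outer (decoy) volume being written to after the hidden volume already exists; since the hidden volume lives inside the outer one (`has to be smaller than the size of outer volume`), writes to the outer volume can overwrite the hidden volume's data unless it is mounted with VeraCrypt's hidden-volume protection (the mount option that takes the hidden password so that region is left untouched), so the text should say whether zuluCrypt offers that option and, if not, advise copying decoy files in before creating the hidden volume and treating the outer volume as read-only afterwards. `the free space is just around 1024 MB as we set before` refers to a size no sentence in the new text states; put the chosen outer and hidden sizes in the prose rather than only in screenshots. Wording: `mount volume using both decoy and secret password` → `mount the volume first with the decoy password and then with the secret one`.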