rewritten the veracrypt tutorial

opsec/veracrypt/index.html

@@ -46,7 +46,7 @@
 
             <li><a  href="/about.html">About</a></li>
             <li><a  href="/blog.html">Categories</a></li>
-
+<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
             <li><a  href="/contact.html">Contact</a></li>
           </ul>
         </div><!--/.nav-collapse -->
@@ -60,14 +60,22 @@
 	    <div class="container">
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
-  					<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-01-31</ba></p>
-<h1>The main source of Plausible Deniability: Deniable Encryption </h1>
+  					<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist & Oxeo0 - 2025-04-01</ba></p>
+<h1>The main source of Plausible Deniability: Deniable Encryption (April 2025 update)</h1>
 <img src="0.png" style="width:250px">
-<p>VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability. </p>
-<p>But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, <b>because you need to be able to deny the existence of the encrypted volume</b>. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.</p>
-<img src="../deniability/5.png" class="imgRz">
+<p><a href="https://mhogomchungu.github.io/zuluCrypt/">zuluCrypt</a> is a free and open-source tool for encrypting files and volumes in a secure way. We already used it for <a href="../anonzulucrypt/index.html">hiding data in video files</a> using steganography.<br>
 
-<b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
+Today, we'll use it as a replacement for VeraCrypt - a free open source disk encryption software for Windows, Mac OSX and Linux. Being based on TrueCrypt, VeraCrypt offers a unique feature called <b>Hidden Volumes</b> which can give us <b>Plausible Deniability</b>.
+
+zuluCrypt supports both TrueCrypt and VeraCrypt volumes while being better integrated in Linux ecosystem. It also comes preinstalled with <a href="https://www.kicksecure.com/">kicksecure OS</a>.
+</p>
+
+<p>But why is Plausible Deniability important first of all?<br>
+From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. <b>All it takes is for an adversary to be able to prove the existence of an encrypted drive to be able to force you to reveal the password to unlock it</b>. Hence for example the regular LUKS encryption is not enough, <b>because you need to be able to deny the existence of the encrypted volume</b>. If that is the case, we have to use veracrypt encrypted volumes, which is an encryption tool used to provide deniable encryption (which is what gives you Plausible Deniability) against that scenario where you're forced to provide a password.</p>
+<img src="../deniability/5.png" class="imgRz">
+<p>Using Veracrypt encrypted volumes, you have a decoy volume which is there by default (that spans the entire encrypted volume) <b>and you CAN have a hidden volume if you choose to, which is hidden in the decoy volume</b>, it's also known as the "inner volume", and the only way to reveal that the hidden volume exists, is to use the correct secret password to both unlock it. If the encrypted volume doesn't exist, legally speaking you cannot be forced to unlock it, because it doesn't exist to begin with, as far as the adversary's concerned.</p>
+
+<p><b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b></p>
 <pre><code class="nim">
 source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
 
@@ -79,11 +87,14 @@ regarding wear leveling:
 <ol>
     <li><p>Hardware : (Personal Computer / Laptop)</p></li>
     <li><p>System Harddrive: not LUKS encrypted <a href="https://www.kicksecure.com/wiki/Ram-wipe">[1]</a></p></li>
-    <li><p>Non-System Harddrive: 500Gb (used to contain our Veracrypt encrypted volumes)</p></li>
-    <li><p>Host OS: <a href="../linux/index.html">Linux</a> </p></li>
+    <li><p>Non-System Harddrive: 500Gb (used to contain our VeraCrypt encrypted volumes)</p></li>
+    <li><p>Host OS: <a href="../linux/index.html">KickSecure</a> </p></li>
     <li><p>Hypervisor: <a href="../hypervisorsetup/index.html">QEMU/KVM</a></p></li>
-    <li><p>Packages: <a href="../linux/livemode.html">grub-live and ram-wipe</a></p></li>
+    <li><p>Packages: <a href="../livemode/index.html">grub-live and ram-wipe</a></p></li>
 </ol>
+<p>In this tutorial requires you to have implemented the following setup:</p>
+<img src="20.png" class="imgRz">
+<p>As we have explained <a href="../livemode/index.html">previously</a> the Host OS being in live mode is a crucial requirement to be able to maintain deniability, on top of erasing the contents of the RAM upon rebooting the Host OS, because we need to make sure that the adversary is not able to see what we were doing on the computer before they manage to get their hands on it. <b>The Veracrypt encrypted volumes are now going to enable us to store sensitive data that can be accessed again after rebooting.</b> To do so, <u>we need to save the veracrypt encrypted volume on a non-system drive</u>, because if we were to store it on the system drive, it'd disappear when we reboot the computer to exit live mode !</p>
 
 <p><img src="../logos/daturagit.png" style="width:100px"> <u>Sidenote:</u> Help us improve this tutorial by letting us know if there's anything missing or incorrect on this <a href="http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/255">git issue</a> directly!</p>
  
@@ -98,118 +109,53 @@ regarding wear leveling:
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
           <h2><b>Deniability Context </b></h2>
+<p>Since we are using Kicksecure as a Host OS, zulucrypt is installed by default, so we can open it:<br>
+<img src="1.png" class="imgRz"></p>
 
-<p>⚠️ <u>Deniability Disclaimer:</u> <b>If the adversary cannot be told that you are using veracrypt, do not install Veracrypt on the host OS outside of live mode, but rather install it manually each time you boot into live mode</b> That way everytime you reboot, there is no veracrypt program to be found at all. ⚠️</p>
-<p>Let's install the .deb package for veracrypt (you can install it safely from non-live mode), so that the software is available whenever you want to use it while the host OS is in live mode: </p>
-<img src="1.png" class="imgRz">
-<pre><code class="nim">
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb -O vc.deb
-
-</code></pre>
-<p>If you are using a VPS to help speed up the initial setup everytime you boot into live mode like we have <a href="../livemode/index.html">showcased previously</a>, you can also use it to store the veracrypt .deb file for you, to make it easier to retrieve each time:</p>
-<pre><code class="nim">
-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ ssh root@65.109.30.253
-root@65.109.30.253's password:
-Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
-
-The programs included with the Debian GNU/Linux system are free software;
-the exact distribution terms for each program are described in the
-individual files in /usr/share/doc/*/copyright.
-
-Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
-permitted by applicable law.
-Web console: https://localhost.localdomain:9090/ or https://65.109.30.253:9090/
-
-You have mail.
-Last login: Sat Nov 30 14:42:15 2024 from 91.90.40.175
-
-[ Datura ] [ /dev/pts/0 ] [~]
-→ cd sensitive_scripts
-
-[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
-→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb -O vc.deb
-
-2024-11-30 16:43:58 (20.1 MB/s) - ‘vc.deb’ saved [9211094/9211094]
-
-[ Datura ] [ /dev/pts/0 ] [~/sensitive_scripts]
-→ exit
-Connection to 65.109.30.253 closed.
-
-</pre></code>
-<p>That way, everytime you boot into live mode, all you need is to download the vc.deb file from the VPS:</p>
-
-<pre><code class="nim">
-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ scp root@65.109.30.253:/root/sensitive_scripts/vc.deb .
-root@65.109.30.253's password:
-vc.deb                                                                                                                                                                                                        100% 8995KB   1.9MB/s   00:04
-
-[ mainpc ] [ /dev/pts/4 ] [/tmp]
-→ file vc.deb
-vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compression gz
-
-</pre></code>
-<p>And then to install it you can do it like so:</p>
-<pre><code class="nim">
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo dpkg -i vc.deb
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo apt install -f
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ sudo dpkg -i vc.deb
-	
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ which veracrypt
-/usr/bin/veracrypt
-
-[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
-→ veracrypt
-
-</pre></code>
-
-
-<p>So now that you have veracrypt installed, before you start to use it, you need to be aware of the lack of deniability you have when using the Host OS in regular mode:</p>
+<p>So now you have zuluCrypt on your system. <b>However before you start to use it, make sure that your Host OS is in live mode, as otherwise you wouldn't be able to maintain your deniability regarding the existence of the veracrypt hidden volume</b></p>
 <img src="../livemode/3.png" class="imgRz">
-<p>By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. <b>That's why you need to use the Host OS in <a href="../livemode/index.html">live mode</a>, to be able to use veracrypt</b>, and <b>to install it aswell if you cannot tell the adversary that you are using veracrypt.</b></p>
+<p>By default, your host OS directly writes into the system drive all sorts of potential forensic evidence that an adversary may use against you, such as system logs, kernel logs, non-standard logs, etc, and unless if you remove each of those manually, you're never sure of wether or not the Host OS saved proof of the existence of the hidden volume onto the system drive. <b>That's why when you use zulucrypt to handle veracrypt hidden volumes (creating them or opening them) you absolutely need to use the Host OS in <a href="../livemode/index.html">live mode</a> ONLY! </b></p>
 <img src="../livemode/4.png" class="imgRz">
-<p>That way, as you're loading the entire host OS in the RAM due to being in live mode, you are not writing anything on the system drive anymore, <b>but rather only writing all that potential forensic evidence of the veracrypt hidden volume <u>in RAM alone</u>, which can be easily erased with a simple shutdown</b>.</p>
-<p>So now that we have installed veracrypt, let's reboot the Host OS into live mode:</p>
-<img src="../deniability/7.png" class="imgRz">
+<p>When the Host OS is in live mode, you're loading the entire host OS in the RAM, meaning that you are not writing anything on the system drive anymore, <b>but rather you are only writing all that potential forensic evidence of the veracrypt hidden volume <u>in RAM alone</u>, which can be easily erased with a simple shutdown thanks to both live mode and ram-wipe</b>.</p>
+<p>So if you didn't do it already, reboot the Host OS into live mode:</p>
+<img src="../livemode/12.png" class="imgRz">
 
 
-<p><b>And only now once we are in live mode, we can use veracrypt to create hidden encrypted volumes and unlock them.</b> But be aware that everything you write into the system drive will be wiped upon shutting down, <b>if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.</b></p>
-<p> So now from there we can create the encrypted volumes (either as files or as entire drives). In this example we'll create an encrypted file: </p>
-<img src="2.png" class="imgRz">
-<p>Here we select that we want a Hidden veracrypt volume as well (which will be able to deny it's existence).</p>
-<img src="3.png" class="imgRz">
-<p>Then we want it to be a simple file in my home directory for testing purposes (so be aware that <u>upon rebooting it will be erased due to being in the system drive</u>). If you want it to not be erased upon rebooting, you'll need to put it in a non-system drive like in <a href="../sensitivevm/index.html">this tutorial.</a></p>
-<img src="4.png" class="imgRz">
-<p>Leave the default settings for the encryption</p>
-<img src="5.png" class="imgRz">
-<p>As a test we'll make a 1Gb volume, can be smaller or as big as all the available space.</p>
-<img src="6.png" class="imgRz">
-<p>Now here we want to remember our first password A, for the decoy volume, <b>This is the password you'll type when you're forced to give out your password</b>.</p>
-<img src="7.png" class="imgRz">
-<p>Here we can select the FAT filesystem</p>
-<img src="8.png" class="imgRz">
-<p>Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. <b>DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.</b> </p>
-<img src="9.png" class="imgRz">
-<img src="10.png" class="imgRz">
-<p>Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, <b>the existence of this volume must never be revealed to anyone, only you should know about it</b>. then we repeat the previous steps:</p>
-<img src="11.png" class="imgRz">
-<img src="12.png" class="imgRz">
-<p>Here we select the size we need for the hidden volume. </p>
-<img src="13.png" class="imgRz">
-<p>And here we use the second password, this is the one you must remember in order to access the data you want to hide from an adversary. Then we repeat the previous steps to create the volume:</p>
-<img src="14.png" class="imgRz">
-<img src="15.png" class="imgRz">
-<img src="16.png" class="imgRz">
-<img src="17.png" class="imgRz">
-<img src="18.png" class="imgRz">
+<p><b>And only now once we are in live mode, we can use zuluCrypt to create hidden encrypted volumes and unlock them.</b> But be aware that everything you write into the system drive will be wiped upon shutting down, <b>if you want to store something persistent accross reboots from live mode, you need to save it in a non-system drive.</b></p>
+<pre><code class="nim">
+[user /run/media/private/user]% lsblk
+NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sr0                                            11:0    1 1024M  0 rom   
+vda                                           253:0    0  200G  0 disk  
+├─vda1                                        253:1    0    4G  0 part  /boot
+└─vda2                                        253:2    0  196G  0 part  
+  └─luks-24351c83-3657-4142-82d2-8f8a5787f406 254:0    0  196G  0 crypt /live/image
+vdb                                           253:16   0   20G  0 disk  
+└─vdb1                                        253:17   0   20G  0 part  
+
+</pre></code>
+<p>Here as you can see we have a non-system drive called /dev/vdb1, which, for our current testing purposes is only 20 GB big. Before we start encrypting it, let's format the harddrive using gparted to make sure the vdb1 partition is available for us to use:</p>
+
+<img src="31.png" class="imgRz">
+<img src="32.png" class="imgRz">
+<img src="33.png" class="imgRz">
+<img src="34.png" class="imgRz">
+<img src="35.png" class="imgRz">
+<img src="36.png" class="imgRz">
+
+<p> Now that the /dev/vdb1 partition is available for us to use, let's create the veracrypt encrypted volume which will span the entire non-system drive:<br>
+<img src="2.png">
+<img src="37.png" class="imgRz">
+<img src="38.png" class="imgRz">
+<img src="39.png" class="imgRz">
+<img src="40.png" class="imgRz">
+<p>Here is the important part: you need to mention <b>Password A for the decoy volume</b> (which is the outer volume, it will span the entire disk), and you need to mention <b>Password B for the hidden volume</b> (which is the hidden veracrypt volume where we'll be able to store our sensitive files)</p>
+<img src="41.png" class="imgRz">
+<p>Here you may need to click create twice as zulucrypt recommends you to use another format that it can't use, so click create a second time and then wait for it to create the volume:</p>
+<img src="42.png" class="imgRz">
+<img src="43.png" class="imgRz">
+<p>And that's it! We have successfully created the veracrypt volume, so now let's mount each one:</p>
+
 				</div>
 			</div><!-- /row -->
 	    </div> <!-- /container -->
@@ -219,16 +165,24 @@ vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compressio
 	    <div class="container">
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
-          <h2><b>Mounting the Volumes</b></h2> </br> </br>
-<p>Now let's mount both volumes to see the difference:</p>
-<img src="19.png" class="imgRz">
-<p>Here when we type the first password we see that the volume is mounted as normal type:</p>
-<img src="20.png" class="imgRz">
-<p>Then dismount the volume, and mount the hidden volume next with the second password:</p>
-<img src="21.png" class="imgRz">
-<p>And here you see that the volume mounted is now of the "hidden" type</p>
-<img src="22.png" class="imgRz">
-<p>And that's it! We now have setup a test veracrypt volume with a hidden volume, into which we can store some sensitive files.</p>
+          <h2><b>Mounting the Decoy and Hidden Volumes</b></h2> </br> </br>
+<p>First let's mount the decoy volume (which we'll later use to store non-sensitive files, that would make sense for an adversary to keep in an encrypted drive):</p>
+<img src="44.png" class="imgRz">
+<img src="45.png" class="imgRz">
+<img src="46.png" class="imgRz">
+<img src="47.png" class="imgRz">
+<img src="52.png" class="imgRz">
+<p>Here as you can see, the decoy volume once mounted spans the entire non-system drive (in this case 20GB). <b>So if you were forced to open it for an adversary, they would only find non-sensitive files</b> (for example pirated movies or adult content) that are stored in it. And since the volume spans the entire drive, <b>you can deny the existance of any other encrypted volume in there, and the adversary would be unable to prove otherwise.</b> This means that our deniability is maintained.</p>
+<img src="48.png" class="imgRz">
+<p>Next we'll unmount the decoy volume to mount the hidden volume instead:</p>
+<img src="49.png" class="imgRz">
+<p>At this step you need to make sure that noone is watching you type this second password, <b>as this second volume needs to remain a secret at all costs, it's existance is only to be known by you.</b></p>
+<img src="50.png" class="imgRz">
+<img src="51.png" class="imgRz">
+<p>And now after unlocking the hidden volume (and revealing it at the same time), we see that it is 10GB big, as intended. <b>And it is only in that hidden volume, that you can safely store your sensitive files which are meant to remain secret at all costs.</b></p>
+<img src="53.png" class="imgRz">
+
+<p>if there were to be any emergency where someone would be close to discovering that there is a hidden volume (meaning the adversary is busting down your door and is almost next to your monitor) <b>all you need is to press Right Control to immediately reboot the host OS, to be able to erase all forensic proof that the hidden volume exists.</b></p>
 
 				</div>
 			</div><!-- /row -->
@@ -250,7 +204,7 @@ vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compressio
 					<h4>My Links</h4>
 					<p>
 
-						<a target="_blank" rel="noopener noreferrer" href="http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="http://nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/simplex.html">SimpleX Chatrooms</a><br/>
+						<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FdXQ3FLM5ufTNQxgXU6jm07fRXSq9Ujkt%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAzABUDXe4g0bjXyPcNOU0QzWxMYMMGgR3kcOQacoEaQ0%253D&data=%7B%22groupLinkId%22%3A%22G3yklv9753AcNA7lGV3FBw%3D%3D%22%7D">SimpleX Chat</a><br/>
 
 					</p>
 				</div><!-- /col-lg-4 -->
@@ -258,6 +212,9 @@ vc.deb: Debian binary package (format 2.0), with control.tar.gz, data compressio
 				<div class="col-lg-4">
 					<h4>About nihilist</h4>
 					<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br>
+
+					<h4>About oxeo0</h4>
+					<p style="word-wrap: break-word;"><u>Donate XMR:</u> 862Sp3N5Y8NByFmPVLTPrJYzwdiiVxkhQgAdt65mpYKJLdVDHyYQ8swLgnVr8D3jKphDUcWUCVK1vZv9u8cvtRJCUBFb8MQ</p></br>
 				</div><!-- /col-lg-4 -->
 
 			</div>