> I imagine authorities will start making images of devices before demanding login, so they can check that the act of logging in hasn't substantially changed the system.
I think that’s standard procedure already.
Also, note that destructing or concealing evidence that is relevant to a court case or legal investigation is a criminal offense in many jurisdictions. For sure you will face charges just for trying even if you are not successful (e.g. because they’ve imaged the system).
It can still be useful when they don't have physical access to make an image, for instance when the system in question is being remotely accessed via ssh.
> Also, note that destructing or concealing evidence that is relevant to a court case or legal investigation is a criminal offense in many jurisdictions.
It can still be useful when there's no court case or legal investigation. For instance, when you're being illegally threatened to reveal your password.
> It can still be useful when they don't have physical access to make an image, for instance when the system in question is being remotely accessed via ssh.
Bear in mind that law enforcement generally has the ability to go get those too.
> It can still be useful when there's no court case or legal investigation. For instance, when you're being illegally threatened to reveal your password.
You're absolutely right! One caveat worth considering is that this might not be a typical security threat that most people are likely to face.
How does having an image of the encrypted drive allow them to determine whether the system has 'significantly' changed? Just generating a login in the event log should make the image completely different.
i think the idea is that their(govt/shady entity - what's the difference?) forensic scientists would be able to tell whether the very act of entering a password started changing a system significantly which would count as refusing to comply
I'm rehashing your parent's comment, but: Unless the command wiped the entire disk or the entity gained access to the unencrypted versions of the disk before/after the duress command, an outsider wouldn't be able to tell if a log had been updated or if an entire partition had been wiped.
Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes. If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption.
On the other hand, it's possible to delete an encrypted partition by only overwriting the encryption key, which might be a small-enough change to go undetected.
There's a little bit of subtlety here, but in general GP was correct in that it can be made hard for authorities two tell exactly what changed.
Disk encryption, unlike other forms, does not have a terribly high avalanche factor when small changes are made--because it's expensive to write lots of things to disk.
However, it is possible to make a small change (as small as, say, writing the audit log file on a real successful login) that renders data completely inaccessible. Consider an encrypted disk on which you can tell the magnitude of changes on the filesystem, but not which data has changed. Let's say you have a lot (many gigabytes) of sensitive data on that disk. If a successful login triggers the encrypted filesystem to decrypt the contents of the disk using an encryption key (of, say, a 4kb length) that is stored only on that disk, then a duress code could simply destroy (or corrupt by randomizing a few bytes) that key, rendering the contents of the disk inaccessible, without writing more than a very small amount of data.
This fundamentally trades off deniability for data security: the disk would still contain all of the encrypted data and could be brute-forced, but that would be the case anyway if an image had been taken previously.
Of course, situations in which that deniability would be legally well-received are, as others here have pointed out, vanishingly rare.
If you have an encrypted volume, you can use the command 'diskutil apfs eraseVolume' to make data inaccessible instantly by deleting the encryption key. (Note that the disk passphrase is not the same as the encryption key, so even if you use a weak password for your disk, you can't brute force the key)
> Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes. If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption.
How would they even be able to determine which files are modified? If we're talking full disk encryption here, you can't tell which files are being accessed/modified, just locations on disk. Without metadata to map blocks to objects they're flying blind.
E.g., If every block on the device changes, that's a pretty big flag. If only a few change, that's expected. So the magnitude of change is both observable and conveys information to the attacker.
> Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes.
File encryption does that. Disk encryption means that you don't even know how many files there are, much less which ones were changed. The whole disk is just a blob of random data until the right password is entered.
> If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption
Don't they also need to know what files are changed by a normal login, so that they can see that the changed set in this login was different from that set?
Comparing an image after a login to an image from before the login gives you a set of changed files, but it doesn't tell you if that is the normal login change set or the duress login change set.
Anyway, if I were setting up a duress login I'd make it so normal and duress login change the same set of files.
If the root drive is encrypted then what good does this software do? By the time login_duress has a chance to run, you've already had to type in a decryption password.
I can absolutely confirm that standard procedure is to seize storage media as evidence, send them to a lab and clone the images as the very first step.
Another thing I came to think of as well is that they often employ write-blockers, don’t they? Pieces of hardware that go between the computer and the storage media. So by the time decryption is demanded, it will be done with the system in a read-only state right?
The 5th and 4th have a rather weird status at border crossings. You can be denied entry to the country if you refuse to share passwords, for instance. Or have your equipment be confiscated. Some of this has even been upheld in court.
While everyone, including U.S. citizens and permanent residents, can have their electronics confiscated (stolen) for refusal to cooperate...
Citizens and permanent residents cannot generally be refused entry for flexing their rights. There are a few ways permanent residents can be denied entry, but the main one is having been out of the country for over 180 days.
Temporary residents and visitors are the ones who can be denied entry for looking at an immigration agent wrong, or trying to flex their right against absurd digital searches.
However much we might wish for things to be different. Europe and Oceana may have a less intrusive policy about digital searches, but everywhere else is either worse than the USA, or isn't developed enough to have paranoid security services that want to search everything.
I think that’s standard procedure already.
Also, note that destructing or concealing evidence that is relevant to a court case or legal investigation is a criminal offense in many jurisdictions. For sure you will face charges just for trying even if you are not successful (e.g. because they’ve imaged the system).