
Regardless of ACTA, I have already established a personal policy to:

1) encrypt my partitions (other than root, to make upgrades and reinstalls easier; I use LUKS)

2) copy the essential first megabytes of each LUKS partition to my server or shell account somewhere, encrypted with GPG

3) fill that space with random data

4) travel and go through customs

5) access the GPG encrypted LUKS blocks over internet, decrypt and copy them over

6) boot back into my system

If at 4) "they" require me to decrypt the partitions, I can honestly say I can't: for security reasons I don't have the decryption keys with me. If my equipment gets confiscated when they hear I won't and can't decrypt the partitions, I will have to clean the physical laptop to remove any keyloggers, or just replace it before proceeding to restore my encrypted setup. If "they" find out about my encrypted LUKS blocks, I can also ask my friend to provide half of the GPG passphrase, so that I can honestly claim I don't have the passphrase to unlock the blocks.
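The scheme in the comment above only works if the off-machine copy covers the entire LUKS header and key-slot area, since a short copy followed by the random overwrite makes the partition unrecoverable. The following is an added example, not part of the thread, that parses a LUKS1 header to compute that size and checks a backup length against it. The sample header is constructed and the function names are this example's own.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 key-slot state markers
SLOTS_AT, SLOT_LEN = 208, 48                          # key-slot table inside the 592-byte phdr


def luks1_header_region(buf: bytes) -> dict:
    """Parse a LUKS1 phdr and report how many leading bytes hold header + key material."""
    if len(buf) < 592 or buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", buf, 6)
    if version != 1:
        raise ValueError(f"LUKS version {version}: different on-disk layout, not handled here")
    payload_offset, key_bytes = struct.unpack_from(">II", buf, 104)  # sectors, bytes
    active, last_end = [], 0
    for i in range(8):
        base = SLOTS_AT + SLOT_LEN * i
        (state,) = struct.unpack_from(">I", buf, base)
        km_offset, stripes = struct.unpack_from(">II", buf, base + 40)
        if state == SLOT_ACTIVE:
            active.append(i)
            km_sectors = -(-(key_bytes * stripes) // SECTOR)  # ceiling division
            last_end = max(last_end, km_offset + km_sectors)
    if last_end > payload_offset:
        raise ValueError("key material overlaps payload: header is inconsistent")
    return {"active_slots": active,
            "key_material_end": last_end * SECTOR,
            "region_bytes": payload_offset * SECTOR}


def backup_is_complete(header: bytes, backup_len: int) -> bool:
    """True if a copy of the first backup_len bytes covers everything before the payload."""
    return backup_len >= luks1_header_region(header)["region_bytes"]


def make_sample_header(payload_offset=4096, key_bytes=64, active=(0, 1)) -> bytes:
    """Constructed LUKS1 phdr for the demo; contains no real key material."""
    hdr = bytearray(592)
    hdr[:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    struct.pack_into(">II", hdr, 104, payload_offset, key_bytes)
    for i in range(8):
        base = SLOTS_AT + SLOT_LEN * i
        struct.pack_into(">I", hdr, base, SLOT_ACTIVE if i in active else SLOT_DISABLED)
        struct.pack_into(">II", hdr, base + 40, 8 + 504 * i, 4000)
    return bytes(hdr)
```

With the constructed header, a 1 MiB copy is reported as incomplete because the payload starts at 2 MiB. On a real system `cryptsetup luksHeaderBackup` writes the header backup without manual offsets, and LUKS2 volumes use a different layout that this parser rejects.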



http://xkcd.com/538/

(yep, it's the "hit him with a wrench" one)


To be fair, when they bring out the wrench, you know (at least for a few moments before the impending brain trauma) someone is trying to get your data. If your disk is encrypted, you can be fairly certain that no one will get at your data while your laptop is out of your hands (back room bag searches, etc.)


Unfortunately, if the goal of the exercise is to extract information then they won't hit you on the head and they certainly won't want you going unconscious. :-(


Nothing says the offending party won't knock you around a bit more for fun after they've got what they need.


Few remarks:

- I don't find it reasonable for "them" to grill me too much. I don't need to hide my encrypted partitions or use hidden partitions. I'm not a target of any interest to any three-letter agencies or customs officials. But I don't want to start discussing unlocking my laptop with anyone, I want to make it a matter of "can't" instead of "won't".

- The friend scheme might not be necessary or a good choice. I could just say I have the decryption keys at home which is entirely true. I can still use the machine: I have just deselected a few partitions out of use permanently until I return home.


A shadow partition would be more effective at bypassing customs. For real boots, you use a copy of grub on a usb dongle. When grub is missing, you boot into a honeypot Windows XP partition that was installed only for that purpose.


No. "Only for that purpose" means that you never use it. This is trivially detected: the OS event logs will report that it hasn't been booted in 6 months, and no files have changed in that time. It's obvious that you haven't been using that system in the time you were out of the country; why did you have it with you?

For this to work, you need to actually use the dummy partition for non-sensitive matters -- and be absolutely religious about separating the sensitive tasks from non-sensitive, which is much more difficult than it first sounds.


I actually carry a lighter computer when travelling than the one I use most often. So yes, it may have gone months unused and it may have just a few tools on it, and little to no content.

There is nothing unusual about that.


I'd feel ok telling the US borders I've got a special laptop just for them.


When I travel I just hide Grub and make it boot Windows 7 instantly. (I very rarely use Windows so there isn't anything installed except Chrome.)

I think you'd have better luck giving them something they expect instead of sabotaging your system.


> If "they" find out about my encrypted LUKS blocks, I can also ask my friend to provide half of the GPG passphrase, so that I can honestly claim I don't have the passphrase to unlock the blocks.

This won't help you legally. You may honestly claim that you don't have the passphrase, but you cannot honestly claim that you cannot decrypt the contents. You just have to call and ask your friend while you're detained at customs.


The friend may claim he has forgotten his part of the passphrase, though. I wonder what would happen in that case.


If they want the key from you, they're going to get the key. That's what will happen.

Ask the inverse: they decide to detain you, indefinitely, until you produce the encryption key or admit that there's some base level of contraband on your computer that you're responsible for. What happens in that case?

Maybe as a Canadian I see this differently. At least as an American you will have certain rights that you can hope to depend on in your own country. But I forfeit all those rights when I cross the border. What's to stop these guys from detaining me as an international terrorist?


Solution: Encrypted data is indistinguishable from random data. Use TrueCrypt (or similar) hidden volumes: http://www.truecrypt.org/docs/?s=hidden-volume


That's NOT a solution. Be aware that this is explicitly discouraged by EFF:

Although TrueCrypt hidden volumes may have some practical applications, we think they are unlikely to be useful in the border search context because they are most helpful when lying to someone about whether there is additional hidden data on a disk. Lying to border agents is not advisable, because it can be a serious crime. [PDF: https://www.eff.org/sites/default/files/filenode/EFF-border-...]


If they suspect there's a hidden volume, that won't help you either.


You can have an arbitrary number of hidden volumes.


If an authority is convinced there's a hidden volume with information they want and that you are not providing access, having arbitrary hidden volumes is not doing you any good legally in the US and likely elsewhere. There are technical and non-technical ways to determine the probable presence of hidden volumes. Hidden volumes do not provide plausible deniability.

Might hidden volumes help you pass a cursory check? Sure. But if someone really wants your data it's not likely going to keep you out of a contempt of court charge.


Wonderful thing about encrypted information, with the right key it can be decrypted to say whatever you want. So if government has decided that you have plans for the al Qaeda attack on your laptop... well, you do.

Now all that you have to do is prove that you either don't know or have forgotten the key that decrypts your random bits into a plan they will accept. How hard do you think it will be to convince an aggressive prosecutor/judge that you are innocent when you have no evidence (can't prove a negative) and the government has reasonable suspicion?


Only with a one-time pad?

A small key does not contain enough information to make the data decrypt to any arbitrary thing.


You should never lie to a border agent about whether you or your friend can decrypt a device. You can decline to answer any question, and you do NOT have to provide passwords or keys. Only a judge can compel you to decrypt your drive. That said, border agents can make your life miserable so it's advisable to avoid confrontation.

This advice is based on the EFF document. IANAL.

https://www.eff.org/document/defending-privacy-us-border-gui...


Not a lawyer here, but I've heard some BS laws about encryption. In some cases if you refuse to decrypt or are unable, you can be at fault and still be detained. Needs citation though.


In the UK, they already claim the power to jail you if you don't hand over the password: http://www.theregister.co.uk/2010/10/06/jail_password_ripa/


Are you talking about In re Boucher?

http://en.wikipedia.org/wiki/In_re_Boucher

In that case the government could only compel the defendant to produce his keys because they already knew what was on the drive in question.


They are definitely going after full-disk encryption hard, claiming it makes it impossible to prosecute child pornographers and should therefore be illegal.


TrueCrypt hidden volumes are one solution: http://www.truecrypt.org/docs/?s=hidden-volume


No they're not for any kind of border or government interaction... everyone really must stop perpetuating this.

It's a federal crime to lie to a border agent or government agent, and the EFF specifically says not to do this - see comment above.

Hidden volumes are fine for other uses and perhaps in other jurisdictions but will land you in hot water in the US/US Border.


I think you are overstating the problems with hidden volumes.

The EFF advice is as follows:

Although TrueCrypt hidden volumes may have some practical applications, we think they are unlikely to be useful in the border search context because they are most helpful when lying to someone about whether there is additional hidden data on a disk. Lying to border agents is not advisable, because it can be a serious crime.

Lying to border agents clearly is a serious offence, but as far as I can see that is the "only" major problem with hidden volumes. Given many of the suggestions so far involve lying to border agents along with weird schemes that are less technically secure than hidden volumes it would appear hidden volumes have two things going for them:

1) No worse than other options (assuming you have to carry data with you somehow)

2) Give you a higher possibility that you won't need to lie to border agents (failing to tell them about your additional layer of security will get you in trouble, but is more defensible in court than outright lying)


Do you have to disclose you have a hidden volume if they don't ask?


Isn't this overkill?

How many border protection agents look into your /etc/fstab and know fdisk, mount and cryptsetup?

How is this supposed to be implemented?


If this becomes a reality and the powers that be actually care about doing things more or less right then I imagine they would write an easy to use piece of software that border agents can run which automates checks for all those things and many more.


>How many border protection agents look into your /etc/fstab and know fdisk, mount and cryptsetup?

They don't need to. Microsoft and other companies have been providing software on bootable CDs and USB keys to do quick 'security' audits of PCs for years to various police forces. I'd be extremely surprised if detecting encrypted/hidden partitions wasn't a common feature.


It would be very useful to know exactly what tools and techniques the border agents are using.

Is there software that detects HDDs that are disabled via BIOS? Do the border agents reset the BIOS? Are they looking at individual files and encrypted archives?


I don't know the capabilities. I'm sure the best ones are kept secret obviously. One MS tool was leaked online but turned out to be nothing special: http://www.microsoft.com/industry/government/solutions/cofee...


It's underkill, almost. My partitions are already encrypted, all I need is to save + trash + restore the physical LUKS blocks. I don't need to reconfigure my system or do anything differently when I'm not travelling. It's a low-mod hack that I can even explain to the customs people: I'm afraid someone might try to steal my online banking or financial credentials or something, so I chose to disable my personal partitions temporarily instead of being vulnerable to being threatened. I can't be made to move my money to some criminal's account if I can't access mine.


Refusing or claiming incapacity to decrypt is not the answer. Steganography is.

Show them a partition with normal files encrypted with the display key, while keeping your secret-key-activated files on the hidden partition.

Of course, this won't stop a determined search, but it will likely get you by the security guards.



