Adding FDE/plausible deniability method on Qubes
Created by: pterocles
Plausible deniability on Qubes OS
Warning: This can corrupt or destroy critical data by altering /boot and other important areas. It's only tested personally in two separate OS and isn't proven in every use case. It's not recommended unless you know what you're doing and your threat model calls for it. You've been warned.
Updating the detached headers way
You can accomplish detached headers using both Linux Debian 11.3 (Arch Linux in my case) and the Qubes method (Qubes 4.1.0) outlined in the guide. If integrated, maybe adding the exact method outlined in the posts is not so bad. I have tested on Qubes 4.1 and it works fine with the addition of having a separate USB (3 total). One for Qubes to boot live, one for /boot and one for the detached header. It takes about 30 minutes to setup. It took nameless hours testing because it fails if you don't regenerate initramfs. Please make a separate backup (encrypted, obvs.) of the header.img. This file is a form of 2FA and if you lose the header.img you lose everything and start over.
Verification
Do not copy and paste, these are not complete commands, only the outline
-
Start Qubes using the live system on the USB -
Confirm disk(s) -
Randomize data/prepare disk and use gdisk /dev/sda
-
Create 3 partitions (EFI, boot and header) -
Run cryptsetup
-
Everything else, etc.
Changes
-
FDE/plausible deniability on Linux: include Qubes forum to show how to -
Final warning that this is not extensively tested across anything exc… -
Update CHANGELOG.md
+-----------------------------------------------------------------------+ +----------------+
| Logical volume 1 | Logical volume 2 | Logical volume 3 | | Boot partition |
| | | | | |
| [SWAP] | / | /home | | /boot |
| | | | | |
| /dev/volumeGroup/swap | /dev/volumeGroup/root | /dev/volumeGroup/home | | |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on |
| | | other device) |
| LUKS2 encrypted partition | | |
| /dev/sda1 | | /dev/sdb1 |
+-----------------------------------------------------------------------+ +----------------+
+---------------------------+
| Encrypted USB |
| |
| [HEADER] |
| |
| ./nameOfHeaderFile.img |
| |
| /dev/sdb2 |
+---------------------------+
It's far too much to put into a single post but this method is tried and tested on Qubes, both 4.1.0 and 4.0.0.
References
https://anonymousplanet-ng.org/guide.html#the-detached-headers-way (what we've changed) https://forum.qubes-os.org/t/qubes-os-installation-detached-encrypted-boot-and-header/6205 https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header