Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information

 Actions

Full Disk Encryption

About this Full Disk Encryption Page
Support Status stable
Difficulty easy
Maintainer HulaHoop
Support Support

Introduction[edit]

As outlined on the Warning page, Whonix ™ has not been designed as an amnesic operating system. Traces of the installation and user activities will be written to disk. [1]

Protection Against Powerful Adversaries[edit]

The reader is reminded that advanced attackers have virtually limitless possibilities to infect a computer under their physical control, such as flashing low-level firmware or adding physical implants.

It may be possible to get plausible deniability on Linux hosts using methods other than those listed below, but the topic is a rabbit hole (see footnotes). [2] Plausible deniability and Full Disk Encryption (FDE) are also useless if the user is subject to physical abuse by a captor. A safer option is to have not left any discoverable data traces on a personal machine in the first place. The Whonix ™ grub-live package provides an amnesic feature on both Debian hosts and the Whonix ™ virtual environment. When used solely within a VM, it may provide adequate anti-forensic protection if various precautions are taken.

To protect against theft of personal information or data, users should apply FDE on the host, and power off their computer when exposed to higher-risk situations like traveling. Laptop users should temporarily remove the laptop battery after powering off. This ensures that the RAM chips are completely powered down and that any encryption key(s) in memory are erased. Hibernation is also a safe alternative, as the swap partition is encrypted in the default FDE configuration for various platforms (like Debian), provided the user did not change anything.

Users should follow the standard advice for picking strong and unique passphrases, so they cannot be feasibly brute-forced. Computers should never be left unattended in untrusted venues.

Debian Hosts[edit]

Configuring FDE during system install is straightforward. The default cipher is AES-256 in XTS mode.

Removable Media[edit]

New Removable Media[edit]

Gnome Disks Utility creates LUKS partitions with AES-128 by default which is insufficient in event of quantum computers materializing. This has been successfully reported and fixed upstream as of February 2019, [3] [4] but until it lands in Debian, an appropriately secure container must be manually created. Afterwards, unlock the device and format the internal filesystem as EXT4 in Gnome Disks.

First enumerate the device. They will usually be called 'sdb1', as sdaX is reserved for the system on default installs. To avoid confusion, only connect one removable device at a time.

# ls /dev/

Create a LUKS container and change the device name as needed, then follow the prompts.

# cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --use-random luksFormat <device>

Legacy Device Encryption Upgrade[edit]

It is safer to re-encrypt the device with a stronger key rather than performing a quick format that will otherwise leave the old/weaker header intact.

First enumerate the device. They will usually be called 'sdb1', as sdaX is reserved for the system on default installs. To avoid confusion, only connect one removable device at a time.

# ls /dev/

To view the LUKS header data in order to make necessary adjustments, run.

# cryptsetup luksDump --debug <device>

LUKS header data legend:

  • 'MK' means 'Master Key'. [5]
  • AES in XTS mode uses a key size double its bit size (512 in this case) since in XTS the key is split in 2, resulting in AES with 256-bit keys. [6]
  • 'Payload offset' is 4096 for 256-bit keys and 2048 for 128-bit keys. [7]

Re-encrypt the device with stronger keys. [8] Fortunately, header resizing is usually unnecessary (otherwise it will abort the process).

# cryptsetup-reencrypt <device> -c aes-xts-plain64 -s 512 --use-directio

Abruptly disconnecting power can cause data loss. To safely pause the process (in case of system sleep/shutdown), cryptsetup can be suspended (e.g. by Ctrl+c) and it will automatically restart from where it left off if temporary header files are present in the home directory. [9]


If unauthorized access is strongly suspected or confirmed, the hardware should not be trusted or used after it is back in your possession. This scenario is only relevant to a smaller subset of users who are already targeted for physical surveillance. A sufficiently skilled adversary can infect it with spyware or sabotage it in a number of ways that are virtually undetectable. For example, malicious firmware could be installed to record all activities, or the machine rendered inoperable by bricking the hardware. In that eventuality, none of the measures outlined will help.

Encrypted Containers[edit]

Encrypted containers have the advantages of flexibility and mobility of folders, allowing users to add more files on the fly without needing re-compression and re-encryption as in the case of using GPG.

Zulucrypt[edit]


Zulucrypt is the Linux answer to encrypted containers, making use of the reliable LUKS disk encryption specification. It is compatible with encrypted tomb files and also capable of reading and creating Truecrypt / VeraCrypt containers. Note that Veracrypt containers only support a maximum password length of 64 characters, but LUKS has a maximum value of 32,767 (although a recently fixed bug had limited it to only 100 characters). [10] Until it is possible to use 20-word diceware passphrases to lock LUKS containers, it is recommended to use makepasswd to generate 43 character strings. These can then be pasted into a text file that is encrypted with GPG -- which does not have low character limits -- essentially creating a makeshift key file.

Containers grow dynamically as more data is added. Opened containers are mounted under /run/media/private/user. More than one password may be added for access, making use of LUKS' key slots feature behind the scenes. [11]

Recommended Security Settings[edit]

Important Note: In order to have post-quantum resistance, the aes.xts-plain64.512.sha512 option is recommended for 256-bit encryption (the encryption key-size is split in two with XTS mode).

To view the container header, run.

sudo cryptsetup luksDump --debug /home/user/<file_name>

With LUKS it is possible to nest containers of different encryption ciphers; for example, by placing a Serpent and Twofish container inside each other, wrapped in an outer AES one. Be sure to select the .xts-plain64.512.sha512 variants in all cases. Each inner layer should be 1 MB less than the outer layer to allow space for each container's respective encryption header.

The plausible deniability feature is available with volume types Normal+Hidden Truecrypt/Veracrypt. Veracrypt volumes support crypto-cascades as a feature, so manual nesting is unnecessary. However, be warned that Truecrypt/Veracrypt volume types only support AES-128.

Additional Measures[edit]

Killer[edit]

Killer[12] is a newer project that supports a range of trigger actions to shutdown a system in the case of tampering (disallowed changes) with USB, Bluetooth, AC, Battery, Disk Tray, and Ethernet. In the future, custom commands will be supported besides shutdown. [13] Once the program is packaged, it is intended to provide this software in the Whonix repositories for Debian hosts.

LUKS Suspend Scripts[edit]

On Linux hosts, there is one interesting solution for the risks posed by a computer in a suspended state; luks-suspend scripts. [14] This approach has some limitations because it is not yet packaged for Debian, and it has only been tested in the Ubuntu and Arch distributions. As of 2018, luks-suspend and keyslot nuking (mentioned below) is being merged upstream. [15]

Magic Key Feature[edit]

In an emergency, Non-Qubes-Whonix ™ users can power-off the computer immediately with the Magic SysRq key feature. This is invoked by pressing the key combination: Alt + PrintScreen + o (lower-case letter). On bare-metal linux systems, the FDE passphrase is prompted after rebooting.[16] [17] [18] The magic key feature does not work on Qubes hosts because the Xen hypervisor does not recognize these commands. [19]

USBKill[edit]

USBKill is an anti-forensics script written in the aftermath of the SilkRoad trial. Its purpose is to trigger protection events that prevent adversaries from siphoning files, installing malware, or running a mouse jiggler. The script creates a white-list of allowable USB devices. If anything else is plugged into the machine, the RAM is erased and the computer is immediately shutdown.

USBKill can also be configured to exclude all devices from being attached. In another high-security configuration, a white-listed flash drive serves as a key, and must be in the USB port at all times. If the flash drive is forcibly removed, the program will initiate the desired routines. [20] [21]

Advice for Solid-state Drives and USB Storage[edit]


Unlike hard-disk drives (HDDs), overwriting data on SSDs is no longer effective in wiping the disk. [22] [23] For instance, it is insecure to rely upon a fast erase mechanism by overwriting the header and key-slot area. [24]

The most dire potential consequence is that old passwords are not erased, and for a significant period. Consider the following concrete example: a user changes their computer password because they noticed it was exposed to shoulder-surfing or CCTV. On a SSD, the old password is still retrievable and can be used to decrypt the master key and all data. The reason is that secure overwriting is only guaranteed with magnetic disks.

Wear-leveling mechanisms like TRIM also leak information about the filesystem that can aid forensics. [25] [26] [27] [28] [29] It is strongly recommended to keep TRIM disabled (the default) during Linux LUKS-encrypted installations.

Gnome Disks Utility[edit]

Gnome Disks utility provides a convenient way to manipulate LUKS container passphrases (including the host's) and the overlying filesystems. However, it should not be relied upon for encryption because it uses AES-128 as a hardcoded default [30] [31] (as of Debian Stretch), which does not provide adequate post-quantum security. For encrypting removable media refer to this guide.

To install it, run:

sudo apt-get install gnome-disk-utility

Nuke Patch for cryptsetup[edit]

The Kali penetration testing distro team has written a nuke patch for cryptsetup, which adds the option to nuke all keyslots after a certain passphrase is entered. [32]


Supplying the dead-man switch as the "real passphrase" to the interceptors of the machine is unlikely to be an effective strategy. It is standard forensics procedure to create multiple images of the drive beforehand.

Separate /boot Partition[edit]

When FDE is used on the host, it is inadvisable to keep any unencrypted files on that same physical media. High-risk users are recommended to move the /boot partition to a separate USB media. The bootloader (Grub) should then also be installed on the separate USB. To read more on this subject, see Pwning Past Whole Disk Encryption.

TRESOR Kernel Patch[edit]

Another useful protection is the TRESOR kernel patch, which keeps the disk encryption key outside of RAM by storing it inside the CPU. TRESOR does have several limitations. It is only available for the x86 architecture, and it complicates software debugging by disabling DR registers for security reasons. [33] Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.

Footnotes[edit]

  1. Until in-RAM execution of disposableVMs is implemented in Qubes-Whonix ™, this threat is not easily mitigated.
  2. https://evilzone.org/operating-system/plausible-deniability-in-qubes-os/msg86174
  3. https://github.com/storaged-project/libblockdev/issues/416
  4. https://github.com/vpodzime/libblockdev/commit/9dc4e2463860810cac5a1dbfb7064c47200260f6
  5. https://security.stackexchange.com/questions/109981/how-can-i-extract-the-encrypted-master-key-from-luks-header
  6. https://unix.stackexchange.com/questions/254017/how-to-interpret-cryptsetup-benchmark-results
  7. https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_an_existing_LUKS_partition
  8. https://jlk.fjfi.cvut.cz/arch/manpages/man/cryptsetup-reencrypt.8
  9. https://asalor.blogspot.com/2012/08/re-encryption-of-luks-device-cryptsetup.html
  10. https://github.com/mhogomchungu/zuluCrypt/issues/113
  11. https://crypto.stackexchange.com/questions/24022/luks-multiple-key-slots-whats-the-intuition
  12. https://github.com/Lvl4Sword/Killer
  13. https://github.com/Lvl4Sword/Killer/issues/48
  14. https://github.com/vianney/arch-luks-suspend/issues/7
  15. https://blog.freesources.org/posts/2018/06/debian_cryptsetup_sprint_report/
  16. https://en.wikipedia.org/wiki/Magic_SysRq_key
  17. https://www.thegeekstuff.com/2008/12/safe-reboot-of-linux-using-magic-sysrq-key/
  18. https://phabricator.whonix.org/T553
  19. https://forums.whonix.org/t/fde-emergency-feature-testing-requested
  20. For example, this can be done quickly if the flash drive is attached to the user's wrist via a lanyard.
  21. http://www.infosecisland.com/blogview/12153-Data-Remains-on-USB-and-SSDs-After-Secure-Erase.html
  22. https://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
  23. cryptsetup FAQ - Section: 5.19 What about SSDs, Flash and Hybrid Drives?
  24. https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
  25. https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29
  26. https://wiki.archlinux.org/index.php/Solid_State_Drives#dm-crypt
  27. https://www.saout.de/pipermail/dm-crypt/2011-September/002019.html
  28. https://www.saout.de/pipermail/dm-crypt/2012-April/002420.html
  29. As tested by Whonix ™ developer HulaHoop.
  30. https://github.com/offensive-security/cryptsetup-nuke-keys
  31. https://security.stackexchange.com/a/119835

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Love Whonix and want to help spread the word? You can start by telling your friends or posting news about Whonix on your website, blog or social media.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.