Deniable File System
Some years ago I did some design work on something I called a Deniable File System. The basic idea was that the mere existence of ciphertext can itself be incriminating, regardless of whether or not anyone can decrypt it. I wanted to create a file system that was deniable: where encrypted files looked like random noise, and where it was impossible to prove either the existence or non-existence of encrypted files.
This turns out to be a very hard problem for a whole lot of reasons, and I never pursued the project. But I just discovered a file system that seems to meet all of my design criteria—Rubberhose:
Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K. RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available.
The devil really is in the details with something like this, and I would hesitate to use this in places where it really matters without some extensive review. But I’m pleased to see that someone is working on this problem.
Next request: A deniable file system that fits on a USB token, and leaves no trace on the machine it’s plugged into.
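As an added illustration of the "looks like random noise" property the post describes (constructed here; not code from Rubberhose or from the post): a toy container whose blocks are all random bytes, with one password-derived slot holding an encrypted, authenticated record and no header anywhere. The fixed salt, the SHA-256 counter keystream, the single-block record and the size constants are simplifications assumed for the demonstration.

```python
import hashlib, hmac, math, os
from collections import Counter

BLOCK, NBLOCKS = 128, 64          # 64 blocks of 128 bytes: an 8 KiB toy container
SALT = b"constructed-fixed-salt"  # fixed so the container needs no plaintext header

def new_container() -> bytearray:
    # Every block starts as random bytes, so an empty container and one holding
    # a hidden record have the same form: there is nothing to point at.
    return bytearray(os.urandom(BLOCK * NBLOCKS))

def _keys(password: str):
    # One scrypt call yields an encryption key, a MAC key and a slot-selection key.
    k = hashlib.scrypt(password.encode(), salt=SALT, n=2**14, r=8, p=1, dklen=96)
    return k[:32], k[32:64], k[64:]

def _slot(sel_key: bytes) -> int:
    # Which block the record lives in is itself derived from the password.
    return int.from_bytes(hmac.new(sel_key, b"slot", hashlib.sha256).digest(), "big") % NBLOCKS

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode stream, standing in for a real cipher such as AES-CTR.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(-(-n // 32)))[:n]

def hide(container: bytearray, password: str, data: bytes) -> None:
    enc_k, mac_k, sel_k = _keys(password)
    body = BLOCK - 16 - 32                      # block layout: nonce | ciphertext | tag
    assert len(data) < body, "record too large for one block"
    rec = bytes([len(data)]) + data + os.urandom(body - 1 - len(data))  # random padding
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(rec, _keystream(enc_k, nonce, body)))
    tag = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
    i = _slot(sel_k)
    container[i * BLOCK:(i + 1) * BLOCK] = nonce + ct + tag

def reveal(container: bytearray, password: str):
    # Returns the hidden bytes, or None: a wrong password and an empty slot are
    # indistinguishable from outside, which is what makes the scheme deniable.
    enc_k, mac_k, sel_k = _keys(password)
    i = _slot(sel_k)
    blk = bytes(container[i * BLOCK:(i + 1) * BLOCK])
    nonce, ct, tag = blk[:16], blk[16:-32], blk[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()):
        return None
    rec = bytes(a ^ b for a, b in zip(ct, _keystream(enc_k, nonce, len(ct))))
    return rec[1:1 + rec[0]]

def bits_per_byte(buf: bytes) -> float:
    # Shannon entropy; an empty and a populated container both sit close to 8.0.
    c = Counter(buf)
    return -sum(v / len(buf) * math.log2(v / len(buf)) for v in c.values())
```

What the entropy check shows is only the "random-looking bytes" half of the problem; the post's harder half, proving non-existence, rests on every unused block having been filled with genuine randomness from the start.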
Thomas Downing • April 18, 2006 7:35 AM
Using Linux, putting a deniable file system on a USB memory device, leaving no trace in the host should not be tricky as an initial problem. FUSE (the user-land file system) would seem to be a likely candidate.
The more difficult problem is the secondary one. How can I be sure that no traces of the data in the deniable filesystem remain in the host after I remove the USB device? There are a few obvious areas of concern – swap file, automatically written backups (generated by editors, etc.) that might be written in the user's home directory in a resident file system, etc.
One way to start might be to chroot to a normal file system on the USB device, and then mount the deniable system also on that device. This would leave swap and possibly incriminating entries in log files. Swapping could be disabled as well as logging…
But the list is likely to go on.
Thomas Downing