
If you're held under gunpoint, that script that wipes your entire hard drive will only make your day worse.

AFAIK if you actually get detained and questioned at airports, your drive will already get imaged before any password is even tried. You may be able to get away with this on a mobile device where this feature isn't generally expected (because who uses Linux on a smartphone in the first place).

I always wonder at what scenarios like these are supposed to be about. If saying no is not an option, pissing off your captors by giving them fake info probably isn't either.

I don't know what law enforcement would be looking for on my work drive, but if saying no is no longer an option, my encryption password isn't worth getting shot over.




It’s silly nerd porn.

The “real” problem is either: (a) You know the authorities want access to your data because <x>, and you travel across a border with it. (b) You possess sensitive information and are not aware of law enforcement’s desire to get it; (c) You’re swept up at random; (d) You’re a criminal, or carry a paper trail of potential illegal activity.

Solutions:

(a) Means you are stupid. The only way to win is not to play.

(b) Means you either didn’t follow your employer’s security guidelines or aren’t aware of the risks associated with whatever is on your device. You can’t solve that problem without understanding that.

(c) You should use discretion re: what you cross a border with and either accept the risk or do something else.

(d) Don’t really care. See (a).


(e) You are a whistleblower who doesn't want to be dragged off to a military prison and tortured


Which is the same as (a). Either have a USB stick with plausibly-deniable encryption or, better yet, store the data somewhere online (in encrypted form, of course) and download it once you've crossed the border. There is no reason to have it readily available on your laptop.


I think the focus on Law Enforcement as the sole source of duress is no longer correct. Just as one example, we now live in an era where any entry point to a corporate network can equal millions or billions in eventual ransom payouts, right? As endpoint security mitigations improve, duress will not just be a silly nerd porn, and will probably not be limited to "high level" people, either.


It doesn't have to wipe your drive, just do reasonable things like kill your sensitive messenger accounts and clean up the history.


What does it matter if your drive is imaged if you are using full disk encryption?


They can try their luck again at having you give access.


The duress login shouldn't reveal that anything is happening, so they have no reason to suspect you're using such a feature at all. Thus there would be no reason to ask you to log in again, and even if they do, you can simply use the duress credentials a second time.


If they can monitor network connections, they can see the duress connections, too.


You don't need to make it take any network actions, but even if you wanted to do that you could just use TLS. It would easily blend in with all the other services that use TLS as part of their normal operation.



Won't be possible with ESNI, and regardless you could just use an inconspicuous domain name, for example by piggybacking on a common cloud service.


If the attack is in hot, the data is unencrypted, so getting the login password will (usually) also give access to the unencrypted disk (already mounted).



The duress credentials are exactly how you avoid the "pipe wrench" scenario. The point of the FDE in that case is simply to prevent them from looking on the disk without your supervision.


The duress credentials keep the pipe wrench from being useful.

They don't keep it from being applied.


If the pipe wrench is getting applied regardless, that's a much different situation. In that case you could simply not comply at all.

The duress credentials are meant to create plausible deniability of non-compliance, by giving the appearance of a genuine login which just reveals nothing.


Revisiting:

Keep in mind that the duress credentials serve several purposes.

1. Give the appearance of compliance. It's possible that the investigator will be satisfied and abandon further search attempts. Wrench averted.

2. Provide the opportunity to perform a duress action, without the immediate appearance of doing so. This has a wide range of possibilities, including removing or disabling access to information, triggering warnings or notices to allies or supporters, revealing innocuous content, enabling a set of additional countermeasures (e.g., attacks from within the investigator's own space or network, or against the investigator's own tools, see Signal's response to Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/). Note that a protocol which denies the investigation subject access to a device would prevent this. The presumption that a subject would provide an access password provides opportunity for defences.

Whether or not the pipe wrench (or any analogous or equivalent means of coercion) is applied is almost a moot point. With a duress password, you're largely assuming it will be. The objective isn't to prevent the wrench. It's to render it ineffective.

Or at least that's the way I read it.
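The two purposes listed above (appear to comply; run a quiet duress action) and the earlier point that a duress login "shouldn't reveal that anything is happening" can be shown in a few dozen lines. The following is an added example, not code from anyone in this thread: it assumes a single user with two stored credentials (a normal one and a duress one), PBKDF2-SHA256 password hashing, and a simulated session object. The duress side effects are appended to a list instead of being executed, and the sample passwords are constructed for the demo.

```python
"""Added example (not from the thread): a minimal duress-credential login check.

Assumptions: one user, two salted PBKDF2-SHA256 records (NORMAL and DURESS),
and a session dict that looks identical whichever credential matched. The
duress branch records what it would do in `duress_log` rather than touching
real volumes or accounts.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; same cost for every call regardless of input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """Store only a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


# Constructed sample credentials for the demo (not real secrets).
NORMAL = make_record("correct-horse-battery-staple")
DURESS = make_record("hunter2")

# Stand-in for out-of-band duress effects; a real system would act, not log.
duress_log: list = []


def _duress_actions() -> None:
    """Quiet actions of the kind the thread mentions; simulated here."""
    duress_log.append("unmount sensitive volume (simulated)")
    duress_log.append("revoke messenger session tokens (simulated)")
    duress_log.append("notify pre-agreed contact (simulated)")


def login(password: str) -> Optional[dict]:
    """Return a session dict on success, None on failure.

    Both records are always hashed and compared, so the time taken and the
    value returned do not depend on whether the normal or the duress
    credential matched. Duress side effects run before the session is handed
    back, and the session itself carries no marker of which path was taken.
    """
    normal_ok = hmac.compare_digest(_derive(password, NORMAL["salt"]), NORMAL["hash"])
    duress_ok = hmac.compare_digest(_derive(password, DURESS["salt"]), DURESS["hash"])
    if not (normal_ok or duress_ok):
        return None
    if duress_ok and not normal_ok:
        _duress_actions()
    # Identical shape for both outcomes: nothing here distinguishes a duress login.
    return {"user": "alice", "home": "/home/alice", "shell": "/bin/bash"}


if __name__ == "__main__":
    print(login("wrong-password"))                # None
    print(login("correct-horse-battery-staple"))  # normal session, duress_log stays empty
    print(login("hunter2"))                       # same-looking session, duress_log populated
    print(duress_log)
```

The design choice worth noting is that the wrong-password path, the normal path and the duress path all do the same amount of hashing work; a check that short-circuited after the first match would let an observer with a stopwatch tell the two credentials apart. Whether the actions in `_duress_actions` are themselves a good idea is exactly the point the replies below argue about: removing data an investigator knows to be present is visible, revoking remote sessions and notifying someone is not.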


Understood and agreed. This depends heavily on what the investigator expects to find. If the duress key removes information known to be present ... out comes the wrench.

Or you could just be dealing with someone who DGAF. This ultimately seems to be a chief characteristic of many situations in which strong crypto is proposed. It's the breakdown of civil liberties, rights, and rule of law which might be the true ur-problem here.


> If you're held under gunpoint, that script that wipes your entire hard drive will only make your day worse.

Then I'll just use a script that doesn't make it look like I deleted everything.


> AFAIK if you actually get detained and questioned at airports, your drive will already get imaged before any password is even tried.

Good luck doing that on 2016ff MacBook Pros (they all have soldered storage) or any Windows 10 laptop with TPM-backed Bitlocker encryption.


Why not honeypot into a docker with fake data? Everyone would be happy (during a first moment). Sure, if the attacker is well informed then they will double check whether the target they got in is real or not.


"Okay okay! The password is hunter2, go on and try it, just don't shoot me!"

Bad guy types in honeypot password

    A new update to Docker is available.
    Restart now to apply the update
    or subscribe to a Pro account
    to delay this update.
"Oh, bugger."


Sorry, my bad for assuming a system admin has enough reasoning capacity to avoid dumb mistakes.



