
What does it matter if your drive is imaged if you are using full disk encryption?



They can try their luck again at having you give access.


The duress login shouldn't reveal that anything is happening, so they have no reason to suspect you're using such a feature at all. Thus there would be no reason to ask you to log in again, and even if they do, you can simply use the duress credentials a second time.


If they can monitor network connections, they can see the duress connections, too.


You don't need to make it take any network actions, but even if you wanted to do that you could just use TLS. It would easily blend in with all the other services that use TLS as part of their normal operation.



Won't be possible with ESNI, and regardless you could just use an inconspicuous domain name, for example by piggybacking on a common cloud service.


If the attack is in hot, the data is unencrypted, so getting the login password will (usually) also give access to the unencrypted disk (already mounted).



The duress credentials are exactly how you avoid the "pipe wrench" scenario. The point of the FDE in that case is simply to prevent them from looking on the disk without your supervision.


The duress credentials keep the pipe wrench from being useful.

They don't keep it from being applied.


If the pipe wrench is getting applied regardless, that's a much different situation. In that case you could simply not comply at all.

The duress credentials are meant to create plausible deniability of non-compliance, by giving the appearance of a genuine login which just reveals nothing.


Revisiting:

Keep in mind that the duress credentials serve several purposes.

1. Give the appearance of compliance. It's possible that the investigator will be satisfied and abandon further search attempts. Wrench averted.

2. Provide the opportunity to perform a duress action, without the immediate appearance of doing so. This has a wide range of possibilities, including removing or disabling access to information, triggering warnings or notices to allies or supporters, revealing innocuous content, enabling a set of additional countermeasures (e.g., attacks from within the investigator's own space or network, or against the investigator's own tools, see Signal's response to Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/). Note that a protocol which denies the investigation subject access to a device would prevent this. The presumption that a subject would provide an access password provides opportunity for defences.

Whether or not the pipe wrench (or any analogous or equivalent means of coercion) is applied is almost a moot point. With a duress password, you're largely assuming it will be. The objective isn't to prevent the wrench. It's to render it ineffective.

Or at least that's the way I read it.
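The two comments above describe the mechanism in prose: a duress passphrase that produces a login that looks genuine, while quietly taking a defensive action such as dropping the real volume key. The following is an added illustration written for this thread, not code from any commenter or from any FDE product. It sketches the verifier side: two independently salted verifiers, a classification routine that always runs both KDF computations and constant-time comparisons so that the duress path costs the same time as the genuine one, and a login function that returns an identically shaped session for both. The names (`CredentialStore`, `classify`, `login`, `on_duress`), the PBKDF2 cost setting and the sample passphrases are all constructed for the example; a real implementation would use a memory-hard KDF and tie the volume keys to the derived secrets rather than to labels.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    REAL = "real"        # genuine passphrase: unlock the primary volume
    DURESS = "duress"    # duress passphrase: unlock the decoy and run the hook
    REJECT = "reject"    # neither matched


@dataclass(frozen=True)
class CredentialStore:
    """Hypothetical credential record: one salt and one verifier per passphrase."""
    real_salt: bytes
    real_verifier: bytes
    duress_salt: bytes
    duress_verifier: bytes


@dataclass(frozen=True)
class Session:
    """What the user sees after a successful login. Same shape and same
    message for both outcomes, so the screen itself reveals nothing."""
    volume: str            # internal label only; never shown to the user
    message: str = "Unlocked."


KDF_ITERATIONS = 100_000   # hypothetical cost; real FDE uses a memory-hard KDF


def _derive(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only because it ships with the standard library.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def enroll(real_passphrase: str, duress_passphrase: str) -> CredentialStore:
    """Create a store with independent random salts for the two passphrases."""
    if real_passphrase == duress_passphrase:
        raise ValueError("real and duress passphrases must differ")
    real_salt, duress_salt = os.urandom(16), os.urandom(16)
    return CredentialStore(real_salt, _derive(real_passphrase, real_salt),
                           duress_salt, _derive(duress_passphrase, duress_salt))


def classify(store: CredentialStore, candidate: str) -> Outcome:
    """Decide which passphrase was typed without leaking which one via timing.

    Both KDF runs and both comparisons execute on every call, so a wrong
    passphrase, the real one and the duress one all cost the same time, and
    hmac.compare_digest avoids the early-exit byte comparison of ==.
    """
    real_ok = hmac.compare_digest(_derive(candidate, store.real_salt),
                                  store.real_verifier)
    duress_ok = hmac.compare_digest(_derive(candidate, store.duress_salt),
                                    store.duress_verifier)
    if real_ok:
        return Outcome.REAL
    if duress_ok:
        return Outcome.DURESS
    return Outcome.REJECT


def login(store: CredentialStore, candidate: str,
          on_duress: Optional[Callable[[], None]] = None) -> Optional[Session]:
    """Unlock the primary or decoy volume; None means a failed login.

    The duress branch runs the caller-supplied hook (for example, discarding
    the primary volume key from memory) and then returns a Session that is
    indistinguishable from the genuine one.
    """
    outcome = classify(store, candidate)
    if outcome is Outcome.REAL:
        return Session(volume="primary")
    if outcome is Outcome.DURESS:
        if on_duress is not None:
            on_duress()
        return Session(volume="decoy")
    return None


if __name__ == "__main__":
    # Constructed demo values, not anyone's real credentials.
    store = enroll("correct horse battery staple", "open sesame")
    events: list = []
    print(login(store, "correct horse battery staple"))
    print(login(store, "open sesame", on_duress=lambda: events.append("key wiped")))
    print(login(store, "wrong"), events)
```

The point of running both derivations unconditionally is the one the thread keeps circling back to: the duress login must not look different from the genuine one, and "look" includes how long the prompt takes to come back and what error, if any, the user sees. Whatever the hook does (dropping keys, switching to an innocuous volume, sending a notice) happens behind a response that is byte-for-byte the same as a normal unlock.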


Understood and agreed. This depends heavily on what the investigator expects to find. If the duress key removes information known to be present ... out comes the wrench.

Or you could just be dealing with someone who DGAF. This ultimately seems to be a chief characteristic of many situations in which strong crypto is proposed. It's the breakdown of civil liberties, rights, and rule of law which might be the true ur-problem here.



