[tuxxy]

> everyone is in soup since encrypted data is easy enough to detect...

This is only half-true. Any secure encryption is going to result in ciphertext that is indistinguishable from random data.

In cases where the ciphertext is designated by a header or file format, then it's trivial to know that something is encrypted. Then there are cases where we can try to forensically determine that there's encrypted data via the existence of an encryption tool (e.g. VeraCrypt).

If you wipe a disk with random data, for example, then it would be relatively difficult to determine whether or not the disk is encrypted (implying that there are no headers on it). In fact, one method of wiping disks is to generate a random encryption key and encrypt a stream from /dev/zero to fill the disk (https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparat...).

This tool is making use of a VeraCrypt hidden volume which is a rather really interesting application of plausible deniability in cryptography. Essentially, this let's you have two volumes where both are encrypted, but each has a different key. In this setup, you'd put some files on one of the volumes to make it appear that it's your "used" volume. On the other "hidden" volume, you'd place the real files you want to keep safe.

In a case where the government is demanding that you release your encryption keys, you would give up the keys to the "fake" volume. Unless you divulge the keys to the "real" volume, the attackers wouldn't necessarily know that it exists.

Unless there's evidence of you using one (maybe chat logs or google searches asking for help on using it, for example), there's no reason for anyone to suspect you use it.

The VeraCrypt documentation explains the technical details (https://www.veracrypt.fr/en/Hidden%20Volume.html) well enough.

[ansible]

> This is only half-true. Any secure encryption is going to result in ciphertext that is indistinguishable from random data.

A new SSD with very little data in the filesystem isn't going to have many, many sectors filled with random bytes. They're going to be blank instead.

A used drive will have free sectors (not used by the filesystem) containing unencrypted contents of old files that have since been deleted or something. This is also not random data. Chunks of movies, pictures, applications and music will be identifiable, easily.

[Piskvorrr]

A previously-used disk, wiped to NIST standards, will be filled with random data - that's exactly the point of the wipe.

[ansible]

> A previously-used disk, wiped to NIST standards, will be filled with random data - that's exactly the point of the wipe.

Yes, and that is suspicious. Random data is suspicious.

[wpietri]

Exactly. Something being suspicious is about small differences from what's expected, differences that correlate with something bigger. Whether the disk is full of random data because it's encrypted or because it was securely wiped, either way it correlates with somebody having something they're working to hide.

[Piskvorrr]

Or a second-hand computer: I do not wish to carry previous owner's use history into my usage, and neither should anyone else. Do not conflate "unusual" with "therefore hiding stuff", and don't even try "hiding stuff, therefore bad".

There are legitimate reasons for wiping data...can't believe we're having this discussion, here of all places.

[wpietri]

I agree there are legitimate reasons for doing so. None of which will matter to some official busybody rummaging through your drive. To them, a drive filled with random noise (instead of, say, being zeroed out) is going to be unusual in a way that correlates with bigger things they worry about. Or, in short, suspicious.

[ansible]

In no way am I arguing that you shouldn't wipe your data, use encrypted filesystems, or anything like that. That is a totally legitimate thing to do.

We're just talking about drawing attention to yourself from governmental agencies that probably don't have your well-being as their highest concern.

Using state-of-the-art encryption to keep your files safe is good. But if it leaves any evidence that you are indeed using encryption, you are potentially drawing attention to yourself. And people should be aware of that.

[Piskvorrr]

Suspicious, true. But in such case, you could be in trouble for refusing to provide the password to a suspected hidden drive which doesn't exist. How does that even make sense? (Rhetorical question)

[ansible]

From your point of view, it doesn't of course. You know that you don't have an encrypted partition.

But from the authorities' point of view, they will beat you until they're convinced you don't have anything of interest you can give up. That could last quite a while...

[Piskvorrr]

Which means that you can rot away for life, based on a LEO's hunch. And that's not The Sovereign People's Republic of Elbonia: that's Australia and the UK.

[Turing_Machine]

Okay, so why not wipe to NIST standards (multiple random overwrites or whatever is the latest best practice) and then zero it out to an "unused" state afterward?

[ansible]

If all you're going to do is just securely delete data without drawing suspicion, that's a good plan.

If you wanted to hide data in an encrypted partition that looks like random data, that's not going to work.

[laumars]

> Any secure encryption is going to result in ciphertext that is indistinguishable from random data.

While that's technically true it feels a bit like a moot point because if you have random data that cannot be attributed to any other application (such as large volumes of randomness) then it's a reasonable conclusion that you've just detected an encrypted volume.

> In a case where the government is demanding that you release your encryption keys, you would give up the keys to the "fake" volume. Unless you divulge the keys to the "real" volume, the attackers wouldn't necessarily know that it exists.

Unless they inspect the storage properties (either physically or how it registers itself on the host) and see that it's a 1TB drive with only a 500GB mountable volume. Again, it wouldn't be a forgone conclusion that the individual has other hidden volumes but it would be suspicious enough to warrant further investigation / interrogation.

As always though, it really depends on the risk level you're trying to protect yourself against.

[ajphdiv]

I would also assume the ‘dummy’ operating system wouldn’t have much activity. Since the user would be using the hidden OS. So that coupled with the unaccounted for space would raise more flags.