Author: Jasper
Date:
To: tails-dev
Subject: Re: [Tails-dev] GUI for encrypted volumes from LUKS/TrueCrypt container files

On Fri, 20 Mar 2015 12:40:07 +0000
sajolida <sajolida@???> wrote:
> intrigeri:
> > Jasper wrote (19 Mar 2015 23:46:09 GMT) :
> >> right now you only (graphically) support luks partitions, not
> >> luks containers.
> >
> > I've not checked in Tails/Wheezy, but FYI Jessie's GNOME Disks has
> > an "Attach disk image" function.
>
> Thanks for sharing your concerns regarding partitions vs containers. I
> think that they make a lot of sense and I didn't think about that in
> this way before.
>
> Still, I would need to mature that idea in my head before being sure
> that this is a desirable feature in the context of Tails.
>
> Because, for example, using containers implies having other unencrypted
> data on the same partition, right? So that would probably encourage
> mixing up data from different identities on the same disk. Then this
> data would be equally available to Tails (and its possible targeted
> attacks) and could deanonymise you. Of course, you can also do that
> with LUKS partitions... but what I want to say is that your idea that
> containers make it easier to manipulate encrypted files for the user
> might actually make things more complicated conceptually in the
> context of Tails.

thank you for clarifying the conceptual approach of Tails in regard to
persistence. I agree that providing the least possible amount of
information in case of a successful attack is the only sane way if you
consider the giant target that Tails paints on its back. as you said,
the tradeoff is the same with partitions .. I read your instructions on
using/creating encrypted volumes but should have also read the explicit
warnings to be found in the instructions on persistence. what about
having a link to those warnings from the using/creating encrypted
volumes page as well?

I have to admit, the only usecase I evaluated Tails for might be a bit
specific: secure communication between a lawyer friend of mine and some
of his clients. he thought about giving them Tails on a usb-stick
preconfigured with pgp and otr messaging. obviously working with
documents that will deanonymise you is needed in this case. probably a
clean separation between the communication layer and the workspace
using a preconfigured whonix environment will be an approach more suited
for this usecase. thankfully computers are a lot less expensive these
days..

anyways, thanks for clarification and the effort you put into Tails -
very much appreciated!