Author: sajolida
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] GUI for encrypted volumes from LUKS/TrueCrypt container files

Jasper:
> On Fri, 20 Mar 2015 12:40:07 +0000
> sajolida <sajolida@???> wrote:
>
>> intrigeri:
>>> Jasper wrote (19 Mar 2015 23:46:09 GMT) :
>>>> right now you only (graphically) support luks partitions, not
>>>> luks containers.
>>>
>>> I've not checked in Tails/Wheezy, but FYI Jessie's GNOME Disks has
>>> an "Attach disk image" function.
>>
>> Thanks for sharing your concerns regarding partitions vs containers. I
>> think that they make a lot of sense and I didn't think about that in
>> this way before.
>>
>> Still, I would need to mature that idea in my head before being sure
>> that this is a desirable feature in the context of Tails.
>>
>> Because, for example, using containers implies having other unencrypted
>> data on the same partition, right? So that would probably encourage
>> mixing up data from different identities on the same disk. Then this
>> data would be equally available to Tails (and its possible targeted
>> attacks) and could deanonymise you. Of course, you can also do that
>> with LUKS partitions... but what I want to say is that your idea that
>> containers make it easier to manipulate encrypted files for the user
>> might actually make things more complicated conceptually in the
>> context of Tails.
>
> thank you for clarifying the conceptual approach of Tails in regard to
> persistence. I agree that providing the least possible amount of
> information in case of a successful attack is the only sane way if you
> consider the giant target that Tails paints on its back. as you said,
> the tradeoff is the same with partitions .. I read your instructions on
> using/creating encrypted volumes but should have also read the explicit
> warnings to be found in the instructions on persistence. what about
> having a link to those warnings from the using/creating encrypted
> volumes page as well?

Sure, the relevant parts would be:

* Storing sensitive documents
* Opening the persistent volume from other operating systems

I'll create a ticket for that.

> I have to admit, the only usecase I evaluated Tails for might be a bit
> specific: secure communication between a lawyer friend of mine and some
> of his clients. he thought about giving them Tails on a usb-stick
> preconfigured with pgp and otr messaging. obviously working with
> documents that will deanonymise you is needed in this case. probably a
> clean separation between the communication layer and the workspace
> using a preconfigured whonix environment will be an approach more suited
> for this usecase. thankfully computers are a lot less expensive these
> days..

I think that Tails with a preconfigured persistence would work fine in
the case as well. They can store their sensitive documents in the
persistent volume. The only thing they should be careful about is to not
mix other documents from other identities or facets of their lives in
there, and not open the persistent volume from another operating system.