Hi,
I'd like to propose adding a new, advanced deniable storage system,
Artifice, into Tails.
Artifice is still being actively developed and is not yet widely available,
but it is complete enough to begin the process of integrating it into
Tails. More information about Artifice can be found here:
https://www.ssrc.ucsc.edu/proj/Artifice.html. Artifice is being written by
Austen Barker (cc'd) and his team at UC Santa Cruz. The NSF has sponsored
their work.
I understand that VeraCrypt is already available, but there are a few
reasons why I think including Artifice may be an overall benefit for Tails
users:
1) Users will be able to create deniable storage volumes from within Tails.
2) Artifice can be used to create a deniable storage volume inside of a
Persistent Storage volume.
3) Artifice can recover from partial overwrites to the deniable region. (I
believe this feature does not exist for VeraCrypt's hidden volumes, but I
may be wrong.)
Inclusion into Tails also benefits Artifice itself:
1) Artifice must be bundled with an operating system or a large software
package by default to maintain deniability. If it's not installed by
default, the mere existence of the software can compromise deniability.
2) Tails may be able to provide additional resistance to multi-snapshot
attacks.** One idea: constantly, but in a way that is transparent to the
user and without significantly reducing performance or flash cell lifetime,
fragment data stored in the outer filesystem (i.e. the non-deniable
filesystem in which the deniable filesystem lives). This would be used
whether or not Artifice is being used.
My plan is to have Artifice, an accompanying GTK GUI, and any potential
wrapper libraries be made available in Debian official repositories and
then subsequently included in Tails. However, there will likely need to be
changes made to the Tails Greeter to support Artifice within Persistent
Storage, and those changes will not be upstreamable.
I hope this project sounds as exciting to you all as it does to me. I'd
love to hear your thoughts and ideas.
Thanks,
James Houghton
** A basic multi-snapshot attack may look like this: an adversary takes
snapshots of the state of a device, including all data and metadata stored
on the device. If, for example, there are inexplicable changes to regions
of the disk that are not and were not being used by the installed
filesystem, it can be inferred that a deniable storage system is being
used.
