The Whonix route:
Picking your Host OS (the OS installed on your laptop):
This route will make extensive use of Virtual Machines, they will require a host OS to run the Virtualization software. You have 3 recommended choices in this part of the guide:
- Your Linux distribution of choice (excluding Qubes OS)
- Windows 10 (preferably Home edition due to the absence of Bitlocker)
- MacOS (Catalina or higher)
In addition, changes are high that your Mac is or has been tied to an Apple account (at the time or purchase or after signing-in) and therefore its unique hardware identifiers could lead back to you in case of hardware identifiers leak.
Linux is also not necessarily the best choice for anonymity depending on your threat model. This is because using Windows will allow us to conveniently use Plausible Deniability (aka Deniable Encryption) easily at the OS level. Windows is also unfortunately at the same time a privacy nightmare but is the only (convenient) option for using OS wide plausible deniability. Windows telemetry and telemetry blocking is also widely documented which should mitigate many issues.
So, what is Plausible Deniability? It is the ability for you to cooperate with an adversary requesting access to your device/data without revealing your true secret. All this using Deniable Encryption.
A soft lawful adversary could ask for your encrypted laptop password. At first you could refuse to give out any password (using your “right to remain silent”, “right not to incriminate yourself”) but some countries are implementing laws to exempt this from such rights (because terrorists and “think of the children”). In that case you might have to reveal the password or maybe face jail time in contempt of court. This is where plausible deniability will come into play.
You could then reveal a password but that password will only give access to “plausible data” (a decoy OS). The forensics will be well aware that it is possible for you to have hidden data but should not be able to prove this
(if you do this right). You will have cooperated and the investigators will have access to something but not what you actually want to hide. Since the burden of proof should lie on their side, they will have no options but to believe you unless they have a proof that you have hidden data.
This feature can be used at the OS level (a plausible OS and a hidden OS) or at the files level where you will have an encrypted file container (similar to a zip file) where different files will be shown depending on the encryption password you use.
This also means you could set-up your own advanced “plausible deniability” setup using any Host OS by storing for instance Virtual Machines on a Veracrypt hidden volume container (be careful for traces in the Host OS tho that would need to be cleaned if the host OS is persistent, see
Some additional measures against forensics section later). There is a project for achieving this within Tails (
https://github.com/aforensics/HiddenVM [Archive.org]) which would make your Host OS non persistent and use plausible deniability within Tails.
In the case of Windows, plausible deniability is also the reason you should ideally have Windows 10 Home (and not Pro). This is because Windows 10 Pro natively offers a full-disk encryption system (Bitlocker) where Windows 10 Home offers no full-disk encryption at all. We will later use a third-party open-source software for encryption that will allow full-disk encryption on Windows 10 Home. This will give you a good (plausible) excuse to use this software. While using this software on Windows 10 Pro would be suspicious.
Note about Linux: So, what about Linux and plausible deniability? Yes, it is kind of possible to achieve plausible deniability with Linux too. But it is complicated to set-up and IMHO requires a skill level high enough that you probably do not need this guide to help you try it.
Unfortunately, encryption is not magic and there are some risks involved:
Threats with encryption:
The 5$ Wrench:
Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter a fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration:
https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org]
Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means.
Avoid, if possible, the use of plausible deniability capable software (such as Veracrypt) if your threat model includes hard adversaries. So, Windows users should in that case install Windows Pro as a Host OS and use Bitlocker instead.
See
https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]
Evil-Maid Attack:
Evil Maid Attacks are conducted when someone tampers with your laptop while you are away. For install to clone your hard drive, install malware or a key logger. If they can clone your hard drive, they can compare one image of your hard drive at the time they took it while you were away with the hard drive when they seize it from you. If you used the laptop again in between, forensics examiners might be able to prove the existence of the hidden data by looking at the variations between the two images in what should be an empty/unused space. This could lead to strong evidence of the existence of a hidden data. If they install a key logger or malware within your laptop (software or hardware), they will be able to simply get the password from you for later use when they seize it. Such attacks can be done at your home, your hotel, a border crossing or anywhere you leave your devices unattended.
You can mitigate this attack by doing the following (as recommended earlier):
- Have a basic tamper protection (as explained previously) to prevent physical access to the internals of the laptop without your knowing. This will prevent them from cloning your disks and installing a physical key logger without your knowledge.
- Disable all the USB ports (as explained previously) within a password protected BIOS/UEFI. Again, they will not be able to turn them on (without physically accessing the motherboard to reset the BIOS) to boot a USB device that could clone your hard drive or install a software-based malware that could act as a key logger.
- Set-up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device.
- Some OSes and Encryption software have anti-EvilMaid protection that can be enabled. This is the case with Windows/Veracrypt and QubeOS.
Cold-Boot Attack:
Cold Boot attacks are trickier than the Evil Maid Attack but can be part of an Evil Maid attack as it requires an adversary to come into possession of your laptop while you are actively using your device or shortly afterward.
The idea is rather simple, as shown in this video, an adversary could theoretically quickly boot your device on a special USB key that would copy the content of the RAM (the memory) of the device after you shut it down. If the USB ports are disabled or if they feel like they need more time, they could open it and “cool down” the memory using a spray or other chemicals (liquid nitrogen for instance) preventing the memory decaying. They could then be able to copy its content for analysis. This memory dump could contain the key to decrypt your device. We will later apply a few principles to mitigate these.
In the case of Plausible Deniability, there have been some forensics studies about technically proving the presence of the hidden data with a simple forensic examination (without a Cold Boot/Evil Maid Attack) but these have been contested by other studies and by the maintainer of Veracrypt so I would not worry too much about those yet.
The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks with some added ones:
- If your OS or Encryption software allows it, you should consider encrypting the keys within RAM too (this is possible with Windows/Veracrypt and will be explained later)
- You should limit the use of Sleep stand-by and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep. This is because sleep will maintain power to your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory.
See also
https://www.whonix.org/wiki/Cold_Boot_Attack_Defense [Archive.org] and
https://www.whonix.org/wiki/Protection_Against_Physical_Attacks [Archive.org]
Here are also some interesting tools to consider for Linux users to defend against these:
About Sleep, Hibernation and Shutdown:
If you want the better security, you should shut down your laptop completely every time you leave it unattended or close the lid. This should clean and/or release the RAM and provide mitigations against cold boot attacks. However, this can be a bit inconvenient as you will have to reboot completely and type in a ton of passwords into various apps. Restart various VMs and other apps. So instead, you could also use hibernation instead (not supported on Qubes OS). Since the whole disk is encrypted, hibernation in itself should not pose a large security risk but will still shutdown your laptop and clear the memory while allowing you to conveniently resume your work afterward.
What you should never do it use the standard sleep feature which will keep your computer on and the memory powered. This is an attack vector against evil-maid and cold-boot attacks discussed earlier. This is because your powered on memory holds the encryption keys to your disk (encrypted or not) and could then be accessed by a skilled adversary.
This guide will provide guidance later on how to enable hibernation on various host OSes (except Qubes OS) if you do not want to shut down every time.
Local Data Leaks (traces) and forensics examination:
As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your computer. These mostly apply to encrypted file containers (with or without plausible deniability) than OS wide encryption. Such leaks are less “important” if your whole OS is encrypted (if you are not compelled to reveal the password).
Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use when mounting the USB key, it will open a decoy folder or the sensitive folder. Within those folders, you will have decoy documents/data within the decoy folder and sensitive documents/data within the sensitive folder.
In all cases, you will (most likely) open these folders with Windows Explorer, MacOS Finder or any other utility and do whatever you planned to do. Maybe you will edit a document within the sensitive folder. Maybe you will search a document within the folder. Maybe you will delete one or watch a sensitive video using VLC.
Well, all those Apps and your Operating System might keep logs and traces of that usage. This might include the full path of the folder/files/drives, the time those were accessed, temporary caches of those files, the “recent” lists in each apps, the file indexing system that could index the drive and even thumbnails that could be generated
Here are some examples of such leaks:
Windows:
- Windows ShellBags that are stored within the Windows Registry silently storing various histories of accessed volumes/files/folders.
- Windows Indexing keeping traces of the files present in your user folder by default.
- Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents.
- Many more traces in various logs, please see this convenient interesting poster for more insight: https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download [Archive.org]
MacOS:
- Gatekeeper290 and XProtect keeping track of your download history in a local database and file attributes.
- Spotlight Indexing
- Recent lists in various apps keeping traces of recently accessed documents.
- Temporary folders keeping various traces of App usage and Document usage.
- MacOS Logs
- …
Linux:
- Tracker Indexing
- Bash History
- USB logs
- Recent lists in various apps keeping traces of recently accessed documents.
- Linux Logs
- …
Forensics could use all those leaks (see
Local Data Leaks and Forensics) to prove the existence of hidden data and defeat your attempts at using plausible deniability and to find out about your various sensitive activities.
It will be therefore important to apply various steps to prevent forensics from doing this by preventing and cleaning these leaks/traces and more importantly by using whole disk encryption, virtualization, and compartmentalization.
Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).
Some cleaning techniques will nevertheless be covered in the “Cover your Tracks” part of this guide at the very end.
Online Data Leaks:
Whether you are using simple encryption or plausible deniability encryption. Even if you covered your tracks on the computer itself. There is still a risk of online data leaks that could reveal the presence of hidden data.
Telemetry is your enemy. As explained earlier in this guide, the telemetry of Operating Systems but also from Apps can send staggering amounts of private information online.
In the case of Windows, this data could for instance be used to prove the existence of a hidden OS / Volume on a computer and would be readily available at Microsoft. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal. No matter what OS you are using.
Conclusion:
You should never conduct sensitive activities from a non-encrypted system. And even if it is encrypted, you should probably never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks.
If you have little to no knowledge of Linux or if you want to use OS wide plausible deniability, I would recommend going for Windows (or back to the Tails route) for convenience. This guide will help you hardening it as much as possible to prevent leaks. This guide will also help you hardening MacOS and Linux as much as possible to prevent similar leaks.
If you have no interest for OS wide plausible deniability and want to learn to use Linux, I would strongly recommend going for Linux or the Qubes route if your hardware allows it.
In all cases, the host OS should never be used to conduct sensitive activities directly. The host OS will only be used to connect to a public Wi-Fi Access Point. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities.
Consider also reading
https://www.whonix.org/wiki/Full_Disk_Encryption#Encrypting_Whonix_VMs [Archive.org]