»pam_panic - A Linux authentication module for people in distress«
2018-12-29, 11:30–11:50, Chaos West Stage
pam_panic is an authentication module made for people who think they might get into a distressing situation where they are forced to type in or even tell the password to bad people. The idea is to use a password or a media device at a login screen which issues a destruction of the LUKS keyslots. There will be a little crash course on what LUKS is to be more clear how and why it works.
- Make a LUKS encrypted filesystem inaccessible when in distress
What is the idea?
- Have an encrypted system done by LUKS
- Have two passwords or two media devices (One of the passwords/media devices is used for regular authentication, the other one is used for issuing a destruction of the LUKS key material slots and have a reboot/shutdown)
- Ask for a password/media device before your regular user password
Crash course: LUKS
- What do we need to know to get this to work?
- How does the LUKS header look like?
Making my data inaccessible
Scenarios where it can help:
- Being forced to type/tell your password
Scenarios where it doesn't help:
- Letting them make a clone of your hard drive, then having your password/media device forced from you
Demonstration of pam_panic
- Show authentication password and media device
- Show panic password/media device and show the result of inaccessibility
..if there's enough time.