Seeking Assistance to Install Fedora 38 with Detached LUKS Header

I am in need of assistance with installing Fedora 38 while utilizing a detached LUKS header. Recently, I came across an article that shed light on a concerning case in France. It appears that individuals are being detained based on their usage of encrypted devices and software such as Signal, Tor, Tails, LineageOS, FDroid, etc., which are being deemed as evidence of involvement in clandestine activities associated with terrorism.

This case prompted me to contemplate my own situation, as I reside in a country where the legal landscape can be described as quite flexible, to say the least. Nevertheless, I refuse to surrender my right to privacy and secure communication. In light of these circumstances, I believe that Fedora with a detached LUKS header might offer a potential solution. The primary advantage of this approach is that the encrypted drive could appear as if it contains random data, thus mitigating some suspicion.

Unfortunately, anaconda, the Fedora installer, does not readily accommodate this requirement. When I attempt to prepare the drive with the necessary options, specifically “–header” to prevent the header from being written on the disk initially, anaconda refuses to proceed with the installation. Consequently, I devised an alternative method:

  1. Installed Fedora with custom partitioning.
  2. Created separate partitions for /boot/efi and /boot on a USB stick.
  3. Generated an encrypted LUKS volume on the drive.
  4. Completed the installation and rebooted the system.
  5. Backed up the LUKS header and saved the file to the /boot partition on the USB stick.
  6. Edited the /etc/crypttab file and added the header’s location: “luks,header=/luks.img:/dev/sdb2”.
  7. Regenerated the initramfs by executing the command “dracut --regenerate-all --force”.
  8. Erased the old header from the disk using the command “dd if=/dev/urandom of=/dev/sda1 bs=16777216 count=1”.
  9. Rebooted the system successfully.
  10. Installed system upgrades using the package manager, dnf.
  11. Encountered a failure upon rebooting.

These are the steps I followed, but unfortunately, being a regular user who recently transitioned from Windows due to concerns about telemetry, I find myself at a loss. I have been unable to locate any guides or tutorials that provide effective solutions. I am reaching out to this community in the hope that someone may have attempted a similar installation and can offer me some helpful insights and guidance.

While I understand your concern, I wonder how anyone would know your device is encrypted. They would need to have direct access and attempt to boot it for that to become apparent. This leads to the question of why they would be investigating enough to desire direct access.

With that said, one could create a small partition to contain questionable information and encrypt only that small partition which would only be accessed when needed so as to not be quite so obvious as a fully encrypted drive.

Alternatively one could use a flash drive and encrypt that device to store information to remain private, which would not be connected for normal use.

Just some thoughts.

Full disk encryption is a standard requirement for many businesses.
Any laptop with encrypted disk is should not be suspect.
Windows does full disk encryption so officials should not find this situation odd.

But there is no logic in bureaucracy.

True. I was basing that on personal computer and not one in a business environment. The OP did not specify, but it seemed to be implied that it was for personal use.

I don’t believe that relying solely on storing information on an encrypted device is sufficient. The problem lies in the lack of control over what type of information gets saved on the disk if it isn’t fully encrypted. For instance, it’s unclear whether an office application saves file versions for recovery purposes, how a clipboard manager handles its history, or what information each browser writes. Moreover, SSD and Nvme drives present significant challenges. Consequently, I don’t consider this option to be suitable.

Moreover, it’s crucial to consider the differing standards and motivations among countries when it comes to seeking access to data. In some cases, factors like skin color or religion alone can trigger an investigation. In other countries, simply being an expatriate and residing there might be enough. Even if it may not be sufficient currently, governments and their desires can change over time. Additionally, there’s the possibility of simple espionage disguised as a fabricated legal investigation, which can be quite effective.

Given these factors, I perceive myself to be at risk. As long as there is a functional Windows installation, I believe that having another drive without a LUKS header could withstand a brief inspection by investigators from less-developed nations.

For a drive have only random data itself is suspicous enough for further investigation.

From what you descripted, I will try to do:

  • Boot the basic normal installation by default. So when there is a need to power up your device and display to someone, everything will be normal.
  • Boot a second partition doing the “real” work, by pressing some hotkey
  • From that second partition, do the important work inside a VM, with another layer of device file encryption