Perfectly Deniable Steganographic Disk Encryption

Conference: BlackHat EU 2018



The presentation discusses a steganographic system that allows for hidden data to be stored on a computer without detection.
  • The system involves a kernel module that hides data in the slack space of a hard drive
  • The system also involves a utility that allows for access to the hidden data
  • The system is designed to provide plausible deniability and can be used for secure communication
  • The system runs quickly and efficiently on modern hardware
The speaker describes the challenges of writing a kernel module that can hide itself, and the use of assembly language programming to create a small executable for accessing the hidden data.


Deniable encryption and steganography nominally safeguard sensitive information against forced password disclosure by concealing its very existence. However, while the presence of sensitive information may be 'plausibly' denied, the possession of steganographic software (e.g. suspiciously configured VeraCrypt) is readily detected and regarded as a 'smoking gun' that invalidates such deniability. This weakness, which undermines protection against rubber-hose cryptanalysis and aggressive password disclosure statutes, affects all known steganographic software and is especially problematic for deniable encryption suites such as VeraCrypt, which typically remain installed and visible on a user's hard drive.

This talk will cover efforts to overcome this critical limitation through a novel form of steganography that is self-concealing. In this new paradigm, steganographic tools hide themselves in a self-recursive manner that renders them forensically invisible. Moreover, upon cryptographic activation by an authorized user, these hidden tools can bootstrap themselves into existence without generating any incriminating forensic evidence. Provided that requisite cryptographic conditions are met, such steganography can be considered "perfectly deniable."

The talk will cover the successful design and implementation of a self-concealing, perfectly deniable encryption/steganography suite that is similar in functionality to VeraCrypt's hidden volume/OS feature. However, unlike VeraCrypt, the decoy system employs Linux's customary disk encryption (cryptsetup/dm-crypt) and requires no additional binaries, peculiar partition schemes (or inexplicable unallocated disk space), restrictions on cover-system write operations, or modification to TRIM settings. In fact, the decoy system appears bit-for-bit as a normal Linux system that was configured with only default parameters (e.g. repeatedly clicking 'next' during Ubuntu installation). Conversely, a simple cryptographic operation by an authorized user will bootstrap a hidden, fully functional OS into existence in a process that generates no forensic evidence and requires no outside binaries. The talk will demonstrate such a working system, which testing has found to be fast, stable, and functional.