summaryrefslogtreecommitdiffstats
path: root/wiki/src/blueprint/veracrypt.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'wiki/src/blueprint/veracrypt.mdwn')
-rw-r--r--wiki/src/blueprint/veracrypt.mdwn510
1 files changed, 510 insertions, 0 deletions
diff --git a/wiki/src/blueprint/veracrypt.mdwn b/wiki/src/blueprint/veracrypt.mdwn
new file mode 100644
index 0000000..276562c
--- /dev/null
+++ b/wiki/src/blueprint/veracrypt.mdwn
@@ -0,0 +1,510 @@
+[[!meta title="VeraCrypt support in GNOME"]]
+
+[[!toc levels=2]]
+
+User research
+=============
+
+Research questions
+------------------
+
+### Success
+
+1. How many people use VeraCrypt in Tails after our work in
+ comparison with before?
+2. How many people who were using VeraCrypt outside of Tails but
+ couldn't use it in Tails use it after our work?
+
+### Scope
+
+1. Which fraction of VeraCrypt volume are encrypted file containers?
+ encrypted partitions?
+2. Are people encrypting their full operating system with VeraCrypt?
+3. Which fraction of users are using hidden volumes?
+4. Which fraction of users are using keyfiles? Why? How?
+5. Which fraction of users are using the old TrueCrypt format?
+ - In VeraCrypt this requires checking the "TrueCrypt mode" check box.
+6. Can we rely on file containers having a .tc or .hc extension?
+
+### Behaviors
+
+1. How do people share files with other people who don't use Tails?
+
+### Technical knowledge
+
+1. How technical are VeraCrypt users? Tails+VeraCrypt users?
+ - For example: Are they used to GNOME Disks?
+
+<a id="survey"></a>
+
+Results of the online survey on *file storage encryption*
+---------------------------------------------------------
+
+### Summary
+
+- Justification of our work:
+
+ - 40% of Tails users are also VeraCrypt users, both inside and outside
+ Tails.
+
+ - 60% of Tails+VeraCrypt users only use VeraCrypt outside of Tails.
+
+ - Most of Tails+VeraCrypt users are regular users of VeraCrypt.
+
+ - VeraCrypt is of more interest to people who are not using Linux as
+ their primary operating system.
+
+ - VeraCrypt is still a reference when people think about encrypting
+ files.
+
+ - Integrating VeraCrypt in Tails will prevent dangerous behaviors:
+
+ *« I need to be able to open TrueCrypt file containers in Tails in
+ order to move files securely between Tails and Windows. Right now, I
+ have to copy my files unencrypted between Tails and Windows and this
+ is quite dangerous. »*
+
+- Definition of the scope of our work:
+
+ - 85% of Tails+VeraCrypt users mostly don't use the .TC or .HC file extension.
+ - 76% of Tails+VeraCrypt users use file containers.
+ - 65% of Tails+VeraCrypt users use partitions.
+ - 65% of Tails+VeraCrypt users use hidden volumes.
+ - 55% of Tails+VeraCrypt users have legacy TrueCrypt volumes.
+ - 42% of Tails+VeraCrypt users use keyfiles.
+
+- Technical knowledge of Tails users:
+
+ - Tails is still quite complicated for Windows users but not *that*
+ hard either.
+ - A majority of our user base is "*basic*".
+
+### Methodology
+
+We advertised an online survey on the homepage of *Tor Browser* in Tails
+between October 17 and December 1.
+
+The survey was not advertised as being about VeraCrypt but as being
+about file storage encryption in general.
+
+The following banner was displayed on *https://tails.boum.org/home* once
+every 20 views:
+
+[[!img contribute/reports/SponsorW/2017_10/survey.png link="no"]]
+
+We got 1011 complete answers (and zero spam!) for a participation rate
+of 1.97% (51431 views in total). We think this is a great success!
+
+The structure of our survey is available as a LimeSurvey Survey
+Structure file: [[survey.lss]].
+
+We limited the mandatory questions to the bare minimum. Except for one
+open-ended question, we used only closed questions with multiple choices
+to maximize the answer rate and make it easier to analyze the results.
+Still, we allowed comments on many of the closed questions.
+
+It was the first time that we asked our users to answer an online survey
+and seeing the high participation it seems to be a very good way of
+learning about our users and their needs. People seem eager to
+contribute to Tails by sharing information about themselves if done with
+their consent.
+
+Here is a summary of our results.
+
+### How many people use VeraCrypt in Tails before our work?
+
+*Q: Do you use VeraCrypt?*
+
+| Question | Answers | Fraction |
+|--|--|--|
+| No | 418 | 41% |
+| Yes, but only outside of Tails | 238 | 24% |
+| I don't know what VeraCrypt is | 193 | 19% |
+| Yes, both inside and outside of Tails | 162 | 16% |
+| *Total answers* | | 1011 |
+
+- **60% of Tails+VeraCrypt users only use VeraCrypt outside of Tails.**
+
+ These people are a first target of our work.
+
+ Unfortunately, our survey didn't allow us to know if they don't use
+ VeraCrypt in Tails because it's too complicated at the moment (it
+ requires using the command line) or because they don't have a use for
+ it. We should have added a another question about this in particular.
+
+- **40% of Tails users are also VeraCrypt users, both inside and outside Tails.**
+
+ This is a big overlap which proves that a lot of people who use Tails
+ also have a need for VeraCrypt.
+
+ After our work:
+
+ - If this number increases, it could mean that integrating VeraCrypt
+ in Tails made Tails useful for more people.
+
+ These people are a second target of our work.
+
+ - If this number decreases, it could mean that our user base expanded
+ to include a bigger fraction of users who don't have a need for
+ VeraCrypt. For example if they only use Tails to browser the
+ Internet anonymously and not to exchange sensitive documents from
+ Tails with other operating systems.
+
+*Q: How many VeraCrypt volumes do you have (not counting the hidden volumes inside them)?*
+
+| Question | Answers | Fraction |
+|--|--|--|
+| 2-5 | 183 | 52% |
+| 1 | 83 | 24% |
+| 6-10 | 45 | 13% |
+| More than 10 | 39 | 11% |
+| *Total answers* | 350 | |
+
+- **Most of Tails+VeraCrypt users are serious and regular users of VeraCrypt**.
+
+ They have more than one VeraCrypt volume and not only curious about
+ VeraCrypt or tried it once.
+
+### Comments on the questions
+
+Our survey allowed people to add comments to some questions. Some people
+described the lack of VeraCrypt support in Tails as part of a workflow
+including Windows, often leading to dangerous practices. The comments
+were rewritten to prevent stylometry.
+
+- *« **When I move files between Windows and Tails, I have to remove the
+ TrueCrypt encryption and copy the files unencrypted to another USB
+ stick. Then I have to securely delete the files from the USB stick and
+ that takes a lot of time. This is dangerous as an attacker could
+ access my files during the process.** »*
+
+- *« **I need to be able to open TrueCrypt file containers in Tails in
+ order to move files securely between Tails and Windows. Right now, I
+ have to copy my files unencrypted between Tails and Windows and this
+ is quite dangerous.** »*
+
+### Which fraction of VeraCrypt volume are encrypted file containers? Encrypted partitions?
+
+*Q: What type of VeraCrypt volumes are you using?*
+
+| Question | Answers | Fraction |
+|--|--|--|
+| Only encrypted file containers | 117 | 32% |
+| Mostly encrypted file containers, some encrypted partitions | 89 | 24% |
+| Mostly encrypted partitions, some encrypted file containers | 75 | 20% |
+| Only encrypted partitions | 74 | 20% |
+| I don't know the difference between encrypted partitions and encrypted file containers | 13 | 4% |
+| *Total answers* | 368 |
+
+- The difference between encrypted file containers and partition is well
+ understood.
+
+- **76% of Tails+VeraCrypt users use file containers.**
+
+- **65% of Tails+VeraCrypt users use partitions.**
+
+### Are people encrypting their full operating system with VeraCrypt?
+
+*Q: Is your Windows operating system encrypted using VeraCrypt?*
+
+| Question | Answers | Fraction of Tails+Windows users | Fraction of Tails users |
+|--|--|--|--|
+| No | 135 | 72% | 35% |
+| Yes | 49 | 26% | 13% |
+| I don't know | 3 | 2% | 1% |
+| *Total answers* | 187 |
+
+### Which fraction of users are using hidden volumes?
+
+*Q: How often do you create a hidden volume in your VeraCrypt volumes?*
+
+| Question | Answers | Fraction |
+|--|--|--|--|
+| Sometimes | 159 | 44% |
+| Never | 119 | 33% |
+| Always or almost always | 50 | 14% |
+| Most of the time | 27 | 7% |
+| I don't know what a hidden volume is | 7 | 2% |
+| *Total answers* | 362 |
+
+- **65% of Tails+VeraCrypt users use hidden volumes.**
+
+### Which fraction of users are using keyfiles?
+
+*Q: What do you use to protect your VeraCrypt volumes?*
+
+| Question | Answers | Fraction |
+|--|--|--|--|
+| Only passwords | 211 | 58% |
+| Mostly passwords, sometimes keyfiles | 130 | 36% |
+| Mostly keyfiles, sometimes passwords | 18 | 5% |
+| Only keyfiles | 6 | 2% |
+| *Total answers* | 365 |
+
+- **42% of Tails+VeraCrypt users use keyfiles.**
+
+### Which fraction of users are using the old TrueCrypt format?
+
+*Q: How many of your volumes are TrueCrypt volumes and how many are VeraCrypt volumes?*
+
+| Question | Answers | Fraction |
+|--|--|--|--|
+| All my volumes are VeraCrypt volumes | 151 | 45% |
+| All my volumes are TrueCrypt volumes | 92 | 27% |
+| Most of my volumes are VeraCrypt volumes, some are TrueCrypt volumes | 49 | 14% |
+| Most of my volumes are TrueCrypt volumes | 47 | 14% |
+| *Total answers* | 339 |
+
+- **55% of Tails+VeraCrypt users have legacy TrueCrypt volumes.**
+
+ The reasons given for that in the comments to this question include:
+
+ - Not having done the effort of migrating.
+ - Having to migrate too much data to be practical (1TB!).
+ - Not trusting VeraCrypt has it hasn't been audited.
+
+### Can we rely on file containers having a .tc or .hc extension?
+
+*Q: Does the name of your file containers include the .TC or .HC extension?*
+
+| Question | Answers | Fraction |
+|--|--|--|--|
+| Never | 91 | 39% |
+| I don't know what the extension of my file containers is | 72 | 31% |
+| Sometimes | 33 | 14% |
+| Always or almost always | 27 | 12% |
+| Most of the time | 8 | 3% |
+| | 231 |
+
+- **85% of Tails+VeraCrypt users mostly don't use the .TC or .HC file extension.**
+
+### How technical are Tails users? Tails+VeraCrypt users?
+
+*Q: Which operating system other than Tails do you use the most?*
+
+| Question | Tails users | Fraction | Tails+VeraCrypt users | Fraction |
+|--|--|--|--|
+| Windows | 456 | 45% | 201 | 52% |
+| Debian or Ubuntu | 355 | 35% | 129 | 34% |
+| macOS | 69 | 7% | 26 | 7% |
+| Arch Linux | 21 | 2% | 9 | 2% |
+| Linux Mint | 16 | 2% | 4 | 1% |
+| openSUSE | 12 | 1% | 6 | 2% |
+| Fedora | 12 | 1% | 3 | 1% |
+| Qubes OS | 10 | 1% | 6 | 2% |
+| *Total answers > 10* | 951 | | 384 | |
+
+By OS families:
+
+| Question | Tails users | | [Global market share](https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers) | Different in VeraCrypt usage among Tails users |
+|--|--|--|--|--|
+| Windows | 456 | 48% | 91% | +4% |
+| Linux | 426 | 45% | 3% | &minus;4% |
+| macOS | 69 | 7% | 6% | |
+| Total answers | 951 | | | |
+
+- We suppose that people choose Linux over Windows or macOS because of
+ technical reasons, ethical reasons, or both. Both are also good
+ reasons to use Tails, either because their technical skills make it
+ easier to get started or use Tails or because their ethical motivation
+ aligns with the values of Tails.
+
+ There is a huge difference between the fraction of Tails users and the
+ global market share for Windows (in negative) and Linux (in positive)
+ but at the same time, almost half of Tails users are otherwise mostly
+ Windows users. So it seems like **Tails is still quite complicated for
+ Windows users but not *that* hard either**.
+
+- Tails+Windows users are using VeraCrypt more than Tails users in
+ general (+4%). This confirms that **VeraCrypt is of more interest to
+ people who are not using Linux as their primary operating system**.
+
+ This aligns with our objective of making Tails easier to integrate in
+ workflows involving other operating systems.
+
+*Q: How familiar are you with GNOME Disks?*
+
+| Question | Answers | Fraction |
+|--|--|--|
+| I can use GNOME Disks to do advanced operations | 438 | 43% |
+| I don't know what GNOME Disks is | 410 | 41% |
+| I can use GNOME Disks to do basic operations | 163 | 16% |
+| *Total answers* | 1011 | |
+
+This seems to mean that:
+
+- **A majority of our user base is "*basic*"**: not well-versed in Linux
+ and GNOME, not skilled enough to manipulate partitions, or not using
+ Tails to manipulate sensitive documents outside of the persistent
+ volume.
+
+- A good share of the rest of our user base is "*advanced*" and more
+ technically skilled and knowledgeable about Linux and GNOME.
+
+*Q: Imagine that you want to share a big video footage with someone else
+who doesn't use Tails. You can meet in person or communicate online. For
+security reasons, you want the exchange to be encrypted. How would you
+do that?*
+
+Due to the huge numbers of answers (626) to this question which was very
+open-ended, it is challenging and very time consuming to extract
+insights from all the answers.
+
+We manually flagged the encryption techniques mentioned in the first 472
+answers (75%) to get an overview of what Tails users would do to
+exchange sensitive information between Tails and another operating
+system.
+
+While flagging the answers, we flagged some techniques that were only
+mentioned implicitly. For example, some people implicitly referred to:
+
+ - LUKS when they proposed to store the footage in the persistent
+ volume of a Tails USB stick and exchange this USB stick in person.
+ - OpenPGP when they proposed to encrypt the file doing
+ *right-click*&nbsp;▸*Encrypt&hellip;* from the file browser.
+
+The answers often included mixed strategies to either:
+
+ - Design both online and offline strategies, as the question made it
+ possible to either meet in person or communicate online.
+ - Combine several encryption techniques, for example to encrypt and
+ send the footage using some techniques and to exchange a password or
+ other credential information using other techniques.
+ - Design several strategies depending on the threat model or technical
+ knowledge of the person they were sharing the footage with.
+
+We cannot know from if people would know how to apply the strategies
+they described. For example, if they already know how to use the
+techniques that they mentioned or if they only heard of them.
+
+| Encryption technique | Mentions | Fraction |
+|--|--|--|
+| OpenPGP | 134 | 28% |
+| - OpenPGP (unspecified) | 79 | 17% |
+| - OpenPGP (asymmetric) | 39 | 8% |
+| - OpenPGP (symmetric) | 16 | 3% |
+| VeraCrypt | 107 | 23% |
+| I don't know | 78 | 17% |
+| LUKS | 49 | 10% |
+| ZIP with password | 49 | 10% |
+| OnionShare | 46 | 10% |
+| Signal, WhatsApp, Telegram | 25 | 5% |
+| *Total answers analyzed* | 472 | |
+
+- VeraCrypt was the second most frequently mentioned encryption
+ technique.
+
+ **VeraCrypt is still a reference when people think about encrypting
+ files**.
+
+- We were surprised to see OpenPGP as the most frequently mentioned
+ encryption technique. This could either mean that:
+
+ - Tails users are especially knowledgeable about OpenPGP or only heard
+ of it as an encryption technique.
+
+ - Tails users rely a lot <span class="command">seahorse-nautilus</span>
+ which allows to encrypt files from the file browser
+ (*right-click*&nbsp;▸*Encrypt&hellip;*). This allows to use
+ symmetric encryption ("*password encryption*") without the need to
+ master the complex key management of OpenPGP.
+
+- We were also surprised to see OnionShare mentioned almost as
+ frequently as LUKS or ZIP with password. Good news for Micah Lee!
+
+<a id="scope"></a>
+
+Scope of our work
+=================
+
+We defined the scope of our work based the preliminary research work
+that we did, both in terms of user needs and technical feasibility.
+
+<img src="https://labs.riseup.net/code/attachments/download/1837/scope.png">
+
+Goals
+-----
+
+- The **opening of file containers** is a must as 76% of Tails+VeraCrypt
+ users use file containers.
+
+ It's also interesting because using a single file to store a file
+ system is a possibility that is not offered by the other encryption
+ techniques in Tails.
+
+ This goal is the most challenging in terms of interactions, because:
+
+ - It's a new concept ("*mounting a file*").
+ - We cannot rely on file containers having a .TC or .HC extension.
+ - GNOME Files cannot automatically identify and flag file containers
+ as such.
+
+- The **opening of partitions** will be much easier to implement and
+ integrate than file containers and relevant for 65% of Tails+VeraCrypt
+ users.
+
+- The **opening of hidden volumes** has a very good cost/benefit ratio
+ and will please the users of this very popular feature.
+
+- The **opening of legacy TrueCrypt volumes** will come with almost no
+ UX or backend cost.
+
+- The **opening with keyfiles** and **opening of system partitions**
+ will also be very cheap to add to the custom dialogs that we will
+ already have to implement for the opening of hidden volumes.
+
+- The **integration in the sidebar of GNOME Files** of opened file
+ containers will require to patch the GTK library which was not
+ expected initially. But we will have to patch GTK anyway to customize
+ the unlocking dialog of partition with hidden volumes anyway. The UX
+ cost of not integrating unlocked file containers in the sidebar would
+ also be quite high.
+
+Optional goals
+--------------
+
+- We have a solid UX design for the **creation of new partitions**. The
+ **creation of new file containers** will be harder to discover for the
+ user but will almost come for free once we support creating new
+ partitions.
+
+- The **modification of existing volumes** will be very similar to the
+ creation of new volumes.
+
+- **VeraCrypt Mounter** is a very simple application wrapper that we
+ designed and tested. It makes it easier for users to learn how to use
+ VeraCrypt in Tails and makes it faster to open file containers.
+ *VeraCrypt Mounter* would only be available in Tails.
+
+ If we cannot create *VeraCrypt Mounter* in time we will replace it
+ with a link to our documentation which should lead to similar success
+ rates but a bit less comfort for first time users.
+
+Non goals
+---------
+
+- **Opening of loop-AES and dm-crypt volumes**: Loop-AES and dm-crypt
+ volumes are other encryption formats that are indistinguishable from
+ VeraCrypt volumes while they are locked (both look like random data).
+ Even if some of our work could be make it easier to support Loop-AES
+ and dm-crypt, we won't do that because these formats are not popular
+ enough.
+
+<a id="ui"></a>
+
+User interface
+==============
+
+### Changes to GNOME Disks
+
+<img src="https://labs.riseup.net/code/attachments/download/1833/disks-format-partition.png">
+
+<img src="https://labs.riseup.net/code/attachments/download/1834/disks-format-partition-password.png">
+
+### Unlock dialog in gvfs
+
+<img src="https://labs.riseup.net/code/attachments/download/1843/gvfs-monitor-unlock-veracrypt-volume.png">
+
+### *VeraCrypt Mounter* (optional)
+
+<img src="https://labs.riseup.net/code/attachments/download/1842/veracrypt-mounter.png">