poki

Ok, I’m still not clear on exactly what you’re trying to achieve as I can’t quite see the connection between somehow preventing certain files being duplicated when cloning the disk and preventing yourself from reinstalling the system.

Premises:

• Very important files on disk (somehow) protected from copy/mv/clone whatever.
• Reinstalling my OS wipes the disk.

Therefore, I would lose those very important files if I were to attempt a wipe. If said files are important enough for me to reconsider wiping, then the act of protecting them from copy/mv/clone has fulfilled its job of preventing me from reinstalling the OS.

Bear in mind that reinstalling the system would replace all of the OS, so there’s no way to leave counter-measures there, and the disk itself can’t do anything to your data, even if it could detect a clone operation.

I understand.

If what you’re trying to protect against is someone who knows everything you do accessing your data, you could look to use TPM to store the encryption key for your FDE. That way you don’t know the password, it’s stored encrypted with a secret key that is, in turn, stored and protected by your CPU. That way a disk clone couldn’t be used on any hardware except your specific machine.

Very interesting. A couple of questions:

• Is it possible to only protect a set of files through this? So not the entire disk?
• Does TPM get flushed/randomized on OS reinstall?

Very informative. I appreciate it!

Understood. Thank you!

Very informative post. Thank you!

It has been my pleasure!

and joined their discord in preparation.

That will definitely help out a lot. Well thought!

Welcome on board 😉.

Clear. Thank you!

Alright. Thank you for your input!

Will do.

If you could be a bit more specific about your threat model people may have better ideas to help.

Threat model is me protecting myself from myself.

Incoming XY problem.

I want to prevent myself from reinstalling my system. The trick I came up with involved the use of files that couldn't be disk cloned. However, if it's far far easier to accomplish it through other means, then please feel free to enlighten me on this.

Thank you!

I'll straight up pose the question I asked someone else:

It seems I wasn't clear as most people misunderstood me.

But, to give a very precise example; say

• I had a folder called ~/some/folder.
• It was on an encrypted drive.
• And I had done additional work to encrypt the folder again.
• And say, I used chattr, chmod or chown or similar utilities that remove access as long as one doesn't have elevated privileges.
• And say, I had done whatever (additional thing) mentioned in your comment.

Then, what prevents whosoever, to copy that file through cloning the complete disk?

Even if they're not able to get past the password, it will be found on the cloned disk. SO, basically, I ask for some method that prevents the file to even be copied through a disk clone. I don't care that it has three passwords protecting it. What I want is for the disk clone (or whatever sophisticated copy/mv/cut or whatsoever utility exists) to somehow fail while trying to attempt the action on the protected files.

Do you need it to be failing on every device or just on a device that you control?

Actually, I'm fine with a solution that only works on a device that I control. But, failing on every device is nice as well.