MADDES Secret Lair for a GNU/Linux OS

Matt's Advanced Deniable Disk Encryption Setup (MADDES) Secret Lair allows for full disk encryption (FDE) with plausible deniability for a GNU/Linux OS with /boot on a computer. Thus creating a Secret Lair.


What makes it possible to finally have relatively easy to setup and utilize full disk encryption with plausible deniability? Simply put using VeraCrypt and non-standard GRUB, cryptsetup, systemd and such makes it possible to finally achieve plausibly deniable full disk encryption with /boot and auto generation support for unattended updates. To accomplish this feat MADDES replaces the OS distribution GRUB package, and depending on user requirements, cryptsetup and systemd packages and modifies other files. MADDES creates additional modules and modifies current modules in the GRUB package to allow for features including VeraCrypt support (cryptomount), auto generation of the GRUB bootloader (grub-install) and grub.cfg (grub-mkconfig), and the ability to auto locate detached (headerless) devices, along with numerous other enhancements. MADDES modifies cryptsetup/Debian derived scripts for both the creation and execution of the initramfs. This allows for other system updates to function as normal.*


MADDES allows for the following:

  • support for LUKS with detached header, plain dm-crypt, and VeraCrypt.
  • allows for VeraCrypt FDE on GNU/Linux (not only for Windows anymore).
  • grub-install and grub-mkconfig auto generation support
  • encrypted hibernate (hardware dependant)
  • multi-boot different operating systems
  • /boot is installed in the root / directory
  • GRUB bootloader can be installed on a USB which has additional benefits
    • after bootup can be safely removed
    • only needs to be inserted in the running OS for a limited number of reasons depending on user setup*
      1. When MADDES GRUB package has an update so the bootloader binary version can match the binary version inside of /boot/grub/.
      2. If the user changes the name/location of any detached header and/or key files if the bootloader is set to auto find/open devices storing them. This is so GRUB can find the files at boot and if encrypted prompt you for your passphrase to access and open the OS with them.*
  • VeraCrypt FDE standard features:
    • keyfile
    • cascading ciphers
    • PIM
    • hidden GNU/Linux OS
  • Current deb package support for:

Implenting FDE for a GNU/Linux OS is done by creating either a LUKS container with a detached header or a plain dm-crypt container or creating a VeraCrypt container. If creating a LUKS container with a detached header, the detached header can either be located on a plain unencrypted USB flash drive or in an encrypted (LUKS, plain dm-crypt or VeraCrypt) USB flash drive. If on an encrypted USB flash drive then a second password will need to be entered upon boot up to allow for automated access to the detached header. The same setup used for detached headers are allowed for keyfiles for both LUKS and VeraCrypt containers as well. If using a VeraCrypt container the entire Ubuntu installation will be installed inside it. One solution is to install it under LVM which allows for root, home and swap to all be inside a single partition. The GRUB bootloader image can be installed as either UEFI or BIOS and the image will be the only unencrypted data and is usually under 450KiB for UEFI and 130KiB for BIOS. The UEFI or BIOS GRUB bootloader can be installed on a removable USB flash drive so there is no bootloader directly installed on the pc/laptop hard drive. If this option is chosen then it is also possible if using the entire drive to not even need an MBR/GPT partition scheme for the Ubuntu OS. This will allow the entire drive to be encrypted.


MADDES Secret Lair can be implemented either with a fresh install or on an existing install. If an existing install is to be converted from either no disk encryption to LUKS/VeraCrypt or from LUKS to VeraCrypt a backup of the disk will need to be performed first. A complete guide will be available soon including screen shots and step by step instructions. Currently the easiest distribution to do a fresh install with is Ubuntu 18.04 LTS.


MADDES Secret Lair will be available in the near future with pre-built deb packages for easy installation for Ubuntu 18.04 LTS, PureOS, Debian and Kali.


This page is under construction.