"Kill"-word instead of Password for HDs?

Just a passing thought…

It seems you (I) hear more and more these days about people being required to give up their password to authority figures, to allow said figures access to the contents of their electronic devices, such as Hard Disk Drives and Cellphones and the like. Sometimes these are lawful requests, sometimes they are not. Regardless of the reason for the request, I have to wonder:

Is there currently any such protection system, that would, upon receiving a correct password unlock the data, but upon receiving a different password, automatically and permanently scramble, erase, or otherwise make unreadable the data on the device? A kill switch, in effect. Only the authorized user would know that this password isn’t going to open the device, but destroy it instead.

If so, where could I find such a device? If not, why not? And is this a potential untapped market, were I to develop such a thing? What kind of legal obstacles currently exist to such a thing, aside from the obvious ‘obstruction of justice’ angle if used in such a manner as to make such use illegal?

Do Not Need Answer Fast, not yet at least.

Generally, any competent recovery technician is going to clone your device before attempting to use anything on it. There are some hard drives that offer password support, but I think it’s only to activate the controller card - I don’t think the data itself is actually encrypted.

IIRC, in many jurisdictions you can be required to provide a password

In the ATM world there have been requests to have a second personal identification PIN number assigned to each card which the cardholder could use if he were being forced to make a withdrawal at gunpoint. The emergency PIN would cause the transaction to be completed and summon the police.

I think this is a similar concept to yours. I don’t think this has ever been implemented anywhere. You might want to investigate the reasons given for it.

Couldn’t you have an HDD automatically kill on any input except the password? No number of clones would be sufficient for this, right?

I haven’t seen that precise mechanism, but there are thumbdrives which do something similar.

It probably wouldn’t be too difficult to implement a destruct-on-demand passphrase as well.


Such a thing would have to run on the device itself - that is, the hard drive, USB key or memory card would have to execute code - in effect, the devices would have to act as file servers, rather than dumb storage.

Encryption works on these things without them executing their own code because support for it is coded on the host system. There’s no practical way to implement universal support for killwords on all hosts.

The ATA command set includes a Secure Erase command - this is hardware resident on the disk. There is not much driver support for it, but it can be done (particularly on Linux).

As noted above, drives are cloned at a low level before anything is done that may compromise the existing system. So data destruction using a password is pointless - they just restore the original data, and you have demonstrated value of the information on the disk by trying to destroy it.

Without the valid encryption key (password) the disk is just random data - indistinguishable from a randomly scrambled disk. So that is what you claim, denying the presence of any data, and refuse to supply a password. No-one can prove otherwise, that is one of the points of encryption.

If you want to be in a position to supply something, use TrueCrypt with plausible deniability - an encrypted container with safe data and a password that contains a second encrypted container with a second password. The inner container cannot be detected if the outer container is unlocked, so you can give an authority the outer password.


Sure, but getting this to operate as a self-destruct-on-killword would have to be implemented in the driver - and if anyone wanted to circumvent that, they could just write a driver that omits it.

That’s his PIPN number.

I’m interested in this idea, but can’t quite follow how it works - could you explain more? Particularly with examples of which parts of the disk are encrypted with which passwords?

Part of it depends on the level of determination of the people asking for the password.

At a US Customs check point they will ask you to start up your device and have you login. They might then look around. If they see something suspicious, i.e., something clearly password protected, they can then ask you to type in a password to unlock it.

Assuming that you have only encypyted a select directory/partition, it is at this point you could type in a “kill” password and have the OP’s dream operation executed.

If, OTOH, the Customs people are more suspicious, they can just take the device and hold it indefinitely. They can take out the HD/SD clone it (in many cases), and no kill operation can be executed.

Note that a few HDs come with hardcoded encryption done in such a way that just copying the encrypted data is not easily done without going thru a big hardware hack. (Replacing the controller board, for example.)

Also note that if set up right, erasure of the whole encrypted data is not necessary. The regular password can be combined with a random keyfile to compute another key to access the rest of the data. If the keyfile is overwritten, the rest of the data is unencryptable forever.

TrueCrypt can be set up to use such keyfiles, if the keyfile is kept separate from the rest of the system, recovery is impossible.

So, when crossing a border you email (encrypted of course) your keyfile to a secret email address you have. Delete the original. Overwrite the keyfile for a secure erase. (Make sure your secret email address isn’t on the device.) The customs people will then be unable to get anywhere.

OTOH, US Customs can just keep the device indefinitely. Even “losing” it after a while.

If you end up in a situation where the officials are of the “rubber hose” decryption bent, then they could force you to reveal the email address, its password, etc.

So you would need to email the keyfile to some trustworthy person who is not subject to the people who are good at asking questions the non-easy way.

Details on the Truecrypt website.

You create a Truecrypt container - this is a file containing a volume protected by a password. From the outside, it looks like a large file with randomised data. Truecrypt can mount this container as a disk once the password is supplied. In this container are added a few sensitive but innocuous files (bank passwords, maybe, and financial data). Then, the partition is used to create a Truecrypt Hidden Volume. This creates the internal data store, using a start sector somewhere partway through the disk after your exposable data. To mount this, you need to know the start sector and the password for the hidden volume. You can then mount this space to store your really secret material. Because the inner volume (which looks like random data) is hidden within another volume (which also looks like random data) there is no evidence of the inner volume. You can unlock the outer volume without exposing the inner one. However, without the inner password, the inner volume is not protected from the outer one, and the inner data can be overwritten by using the outer one, and if that happens, you have to restore from backup.


I was reading the instructions for my alarm system at work and stumbled across something like this. It mentioned that if you type in your password, add one to the third digit (so, 2543 would be 2553) it’ll shut off the system normally but set off trigger the silent alarm. It’s designed for exactly the situation you described.


I think using a second password to wipe the disk isn’t used because:

  1. as people said, the disk will be copied first
  2. wiping the disk takes time - quite a lot actually, more than a full format. To do a proper wipe, the entire disk must be randomly written, with several passes.
  3. encryption works better, and can be used with a decoy.

Encryption proprietary to Apple, I guess.

I have a few customers running full drive encryption via truecrypt. In this case it is obvious you are using an encrypted drive, windows will not boot without the password.

Just like with the encrypted container you can create a “fake” load in which you store copies of all but the sensitive data. Depending on what you tend to do with your computer the fake load could look quite convincing.

If you want to create an encrypted container, you bury it in the windows folder named something like cmdshell32.dll and keep them less than a couple MB in size.

All hardware encrypted drives have a processor on the device itself that executes code.

There was an episode of Sherlock where a woman had a phone with small explosives wired to detonate if the case were opened, or if she were coerced into typing in a password, she could put in the “killword” instead of the password and cause it to explode.

This would probably be the best way to achieve what you want. Good luck wiring up the explosives securely and reliably!

Does this happen at airports? What, and where, are these checkpoints?

I can’t imagine it happens very often, but regular border patrol (not customs, I’d think) must be entitled to access your computer to see if you’re not bringing illegal material into the country. When you hear, like one sometimes does, that someone was arrested at the border with kiddy porn on their computer, I imagine that’s how they found out.