Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes. If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption.
On the other hand, it's possible to delete an encrypted partition by only overwriting the encryption key, which might be a small-enough change to go undetected.
There's a little bit of subtlety here, but in general GP was correct in that it can be made hard for authorities to tell exactly what changed.
Disk encryption, unlike other forms, does not have a terribly high avalanche factor when small changes are made--because it's expensive to write lots of things to disk.
However, it is possible to make a small change (as small as, say, writing the audit log file on a real successful login) that renders data completely inaccessible. Consider an encrypted disk on which you can tell the magnitude of changes on the filesystem, but not which data has changed. Let's say you have a lot (many gigabytes) of sensitive data on that disk. If a successful login triggers the encrypted filesystem to decrypt the contents of the disk using an encryption key (of, say, a 4kb length) that is stored only on that disk, then a duress code could simply destroy (or corrupt by randomizing a few bytes) that key, rendering the contents of the disk inaccessible, without writing more than a very small amount of data.
This fundamentally trades off deniability for data security: the disk would still contain all of the encrypted data and could be brute-forced, but that would be the case anyway if an image had been taken previously.
Of course, situations in which that deniability would be legally well-received are, as others here have pointed out, vanishingly rare.
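An added simulation (not code from any commenter) of the key-destruction idea in the comment above: a toy volume keeps its volume key wrapped in sector 0, a "normal login" appends to an audit log, a "duress login" does the same write and also overwrites sector 0, and the examiner's only view is a sector-level diff of two images. The cipher is an HMAC-SHA256 keystream standing in for AES-XTS, and all contents and sector numbers are constructed.

```python
import hashlib, hmac, os
BLOCK = 4096  # simulated sector size

def keystream(key, block_no, length):
    # Toy per-sector keystream (HMAC-SHA256, counter mode); like XTS it is deterministic per (key, sector).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    # Sector 0 holds the volume key wrapped under a passphrase-derived key; other sectors use the volume key.
    def __init__(self, passphrase, n_blocks):
        self.vkey = os.urandom(32)
        self.blocks = [os.urandom(BLOCK) for _ in range(n_blocks)]  # free space looks random too
        kek = hashlib.sha256(passphrase).digest()
        self.blocks[0] = xor(self.vkey.ljust(BLOCK, b"\0"), keystream(kek, 0, BLOCK))
    def write(self, block_no, plaintext):
        self.blocks[block_no] = xor(plaintext.ljust(BLOCK, b"\0"), keystream(self.vkey, block_no, BLOCK))
    def read(self, passphrase, block_no):
        kek = hashlib.sha256(passphrase).digest()
        vkey = xor(self.blocks[0], keystream(kek, 0, BLOCK))[:32]  # unwrap, then decrypt
        return xor(self.blocks[block_no], keystream(vkey, block_no, BLOCK)).rstrip(b"\0")
    def wipe_key(self):
        self.blocks[0] = os.urandom(BLOCK)  # one sector written; every data sector is now unrecoverable
    def image(self):
        return b"".join(self.blocks)

def changed_blocks(before, after):
    """All an examiner diffing two images of the encrypted volume learns: which sectors differ."""
    return {i for i in range(len(before) // BLOCK)
            if before[i * BLOCK:(i + 1) * BLOCK] != after[i * BLOCK:(i + 1) * BLOCK]}

def simulate():
    vol = Volume(b"correct horse", 64)
    vol.write(5, b"sensitive data")                   # constructed sample contents
    vol.write(7, b"audit: boot")
    img0 = vol.image()
    vol.write(7, b"audit: boot\nlogin ok")            # normal login: appends to the audit log
    img1 = vol.image()
    readable = vol.read(b"correct horse", 5)
    vol.write(7, b"audit: boot\nlogin ok\nlogin ok")  # duress login: same log write...
    vol.wipe_key()                                     # ...plus the wrapped key is overwritten
    img2 = vol.image()
    return {"normal": changed_blocks(img0, img1), "duress": changed_blocks(img1, img2),
            "before_wipe": readable, "after_wipe": vol.read(b"correct horse", 5)}
```

Both logins touch one or two of 64 sectors, so the magnitude of change alone does not separate them, yet after the duress path the correct passphrase no longer yields the data.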
If you have an encrypted volume, you can use the command 'diskutil apfs eraseVolume' to make data inaccessible instantly by deleting the encryption key. (Note that the disk passphrase is not the same as the encryption key, so even if you use a weak password for your disk, you can't brute force the key)
> Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes. If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption.
How would they even be able to determine which files are modified? If we're talking full disk encryption here, you can't tell which files are being accessed/modified, just locations on disk. Without metadata to map blocks to objects they're flying blind.
E.g., If every block on the device changes, that's a pretty big flag. If only a few change, that's expected. So the magnitude of change is both observable and conveys information to the attacker.
> Disk encryption prevents revealing the plaintext of files on disk, but you can still observe their ciphertext changing when the file changes.
File encryption does that. Disk encryption means that you don't even know how many files there are, much less which ones were changed. The whole disk is just a blob of random data until the right password is entered.
> If the duress command causes different files to be modified compared to a normal login, then that can be detected by comparing to the original disk image, even though the actual modifications performed are hidden by the encryption
Don't they also need to know what files are changed by a normal login, so that they can see that the changed set in this login was different from that set?
Comparing an image after a login to an image from before the login gives you a set of changed files, but it doesn't tell you if that is the normal login change set or the duress login change set.
Anyway, if I were setting up a duress login I'd make it so normal and duress login change the same set of files.