
> It adds plausible deniability.

How so?



Because the disk drive has a Windows-styled layout and EFI partition. The encrypted partition just looks like random data. Since the bootloader for my encrypted disk isn't on there, it is harder to determine that it even exists.

There is no requirement on what partition type you use for your LUKS2 encrypted partition, so ideally you'd use something that isn't going to be apparent.

Then, as long as knowledge of a tiny USB drive or micro SD card existing isn't known (which is a lot easier to hide) it is more difficult to discover that an encrypted partition even exists.


> Since the bootloader for my encrypted disk isn't on there, it is harder to determine that it even exists.

How does that make it harder to determine your encrypted partition exists? The usual way encryption aids plausible deniability is through multiple keys, e.g. when one key unlocks a seemingly innocuous-looking installation, while the other unlocks the nasty bits.

Having an encrypted partition in plain sight offers no plausible deniability at all to me, especially if it contains a default LUKS header. You might get away with arguing the disk is unused when the partition has a detached header, but even then you'd have to argue why a non-functioning machine is fully equipped with monitor, keyboard and network connections.


> How does that make it harder to determine your encrypted partition exists?

Because it just looks like random data that hasn't been formatted.

> Having an encrypted partition in plain sight offers no plausible deniability at all to me, especially if it contains a default LUKS header.

First, I do use a detached LUKS header. The LUKS header is on the USB drive. The machine functions fine and appears to be a regular Windows PC without the USB drive, with an extra partition that doesn't have encrypted data in plain sight. It would look like random data, and someone else wouldn't know whether I did a secure wipe and it is waiting to be partitioned, or whether it is just old data that has since been repurposed after resizing. I'm sure they could find out if they pry hard enough, especially if trimming is enabled or if they really started to question why the supposed random data can't be recovered to produce files.
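
Added example (not part of any comment in this thread): a sketch of the first-pass check an examiner could run on a partition image, contrasting the attached-header and detached-header cases debated above. It looks for the LUKS magic bytes and then measures per-block entropy; the function names, the 4 KiB block size, the 7.9 bits/byte threshold and the sample images are assumptions constructed for illustration.

```python
import hashlib, math, struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"       # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
SECONDARY_OFFSETS = [0x4000 << i for i in range(9)]  # 16 KiB ... 4 MiB

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def find_luks_header(data: bytes):
    """Return ('primary', version), ('secondary', offset) or None."""
    if len(data) >= 8 and data[:6] == LUKS_MAGIC:
        return ("primary", struct.unpack(">H", data[6:8])[0])
    for off in SECONDARY_OFFSETS:
        if data[off:off + 6] == LUKS2_SECONDARY:
            return ("secondary", off)
    return None

def triage(data: bytes, block_size: int = 4096, threshold: float = 7.9) -> str:
    """Classify a partition image by header magic, then by per-block entropy."""
    if not data:
        return "empty"
    header = find_luks_header(data)
    if header:
        return f"luks-header-{header[0]}"
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    high = sum(shannon_entropy(b) >= threshold for b in blocks)
    if high == len(blocks):
        return "uniform-high-entropy"  # ciphertext or a random-data wipe
    return "low-entropy" if high == 0 else "mixed"

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: a deterministic SHA-256 stream."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

if __name__ == "__main__":
    size = 64 * 1024  # constructed 64 KiB images, not real disks
    samples = {
        "attached header": LUKS_MAGIC + struct.pack(">H", 2) + pseudo_random(size - 8),
        "detached header": pseudo_random(size),
        "zeroed, never used": bytes(size),
        "old plaintext + ciphertext": b"log line\n" * 4096 + pseudo_random(size // 2),
    }
    for name, image in samples.items():
        print(f"{name:28} -> {triage(image)}")
```

The detached-header image carries no LUKS marker, but it is uniformly high-entropy from the first block to the last; that result is the same for ciphertext and for a random-data wipe, while a zeroed or partly reused region classifies differently.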


> Because it just looks like random data that hasn't been formatted.

I'm guessing that SSDs also give up the secret if an attacker has access to custom firmware to read the wear-levelling metadata and finds a bunch of recent writes in the random data.

At this point, unless speed or capacity are at a premium, it probably makes more sense to completely boot and run off of a fast USB drive. Linux + LUKS-header will be fairly obvious on the USB boot drive anyway, making plausible deniability pretty hard.

What's the threat model? State-level attackers (e.g. journalists working with Snowden) or the border police wanting you to provide a passphrase for stored data or to boot a system? For the latter, a good solution is to not transport anything important across the border.



