I have a feeling that "Is pam_duress.so configured in any file in /etc/pam.d, and if so turn on a big red light" is a pretty trivial thing to add to those "plug the person's computer in here and have them log in to their machine to decrypt everything, otherwise they won't go through customs/leave our dingy bunker" solutions.
These duress passwords seem to be for kind of contrived scenarios, to me. Either your threat model is "someone breaks into my hotel room and steals my laptop", in which case it's useless, or "The $OpposingSideSecretService got me and hits me until I give them my password" in which case it seems to be equally useless.
Sadly (2) is a legal requirement in Australia now, too.
If asked you MUST unlock your phone and computer. So if you’re travelling here or leaving — citizen or not — you best be prepared to have your data searched for arbitrary reasons.
The best defence I have seen for this is to keep all your data on cloud storage and do a base install whenever you are crossing questionable borders. Rather than a cloud provider, host your own Nextcloud instance.
I have advised similar things. Backup, factory reset while going through the border and restore once done. The fact that they can legally seize without any justification and no transparency over what is taken is still an issue though.
Maybe this shouldn't be branded purely as a security feature. There are plenty of uses for it beyond the whole duress aspect. It could be an elegant way to toggle desktop themes when you log in. Or it could give a bit of peace of mind by killing all open browser windows as you're about to log into your laptop that's hooked up to a projector.
Lol, the Venn diagram of people who can move your computer while the OS is running and people who can figure out if you also have a duress password is basically a circle.
No home thief is going to take the time to move your machine while it's running, so having all the drives locked should be good.
If you're using pam, some section of the drive is unlocked.
The question is does it matter if they know you have a duress module running?
You're not really obligated to give your password in the US. (Not a lawyer but that's how I understand it)
And in situations where they know, are they going to beat you after you've erased your data?
If you're worried about a machine being moved while on, you're probably best to check a canary that tells it about its environment. ARP for a specific MAC, or a DNS entry that only resolves on your LAN, an SSID scan, or maybe just lock all drives if the LAN interface flaps.
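The canary idea in the comment above, written out as an added example (not code from the thread or from pam_duress). Each check takes the relevant command output as text so it runs offline; in a real deployment you would feed in the output of `ip neigh show`, `iw dev wlan0 scan`, a lookup of your LAN-only DNS name, and the contents of `/sys/class/net/eth0/carrier`. The expected MAC, SSID, DNS answer and sample outputs are constructed values, and the "lock volumes" action is a placeholder.

```shell
#!/bin/sh
# Environment-canary check (added example, not from the original thread).
# Each check_* function takes command output as a string so the script can be
# exercised without network access.

EXPECTED_GW_MAC="aa:bb:cc:dd:ee:01"   # constructed: your home router's MAC
EXPECTED_SSID="home-lan"              # constructed: your home SSID
EXPECTED_DNS_ANSWER="10.0.0.5"        # constructed: answer only your LAN resolver gives

# check_arp NEIGH_TABLE MAC -> success if the MAC appears as a neighbour
# (feed in `ip neigh show` output)
check_arp() {
  printf '%s\n' "$1" | grep -qi "lladdr $2"
}

# check_ssid SCAN_OUTPUT SSID -> success if the SSID was seen
# (feed in `iw dev wlan0 scan` output; assumed interface name)
check_ssid() {
  printf '%s\n' "$1" | grep -q "SSID: ${2}\$"
}

# check_dns RESOLVED_ADDR EXPECTED -> success if the LAN-only name resolved as expected
check_dns() {
  [ "$1" = "$2" ]
}

# check_carrier CARRIER_VALUE -> success if the wired link is up
# (feed in the contents of /sys/class/net/eth0/carrier; "1" means link up)
check_carrier() {
  [ "$1" = "1" ]
}

# canary_score NEIGH SCAN DNS CARRIER -> prints how many canaries pass (0-4)
canary_score() {
  n=0
  check_arp "$1" "$EXPECTED_GW_MAC" && n=$((n+1))
  check_ssid "$2" "$EXPECTED_SSID" && n=$((n+1))
  check_dns "$3" "$EXPECTED_DNS_ANSWER" && n=$((n+1))
  check_carrier "$4" && n=$((n+1))
  echo "$n"
}

# should_lock NEIGH SCAN DNS CARRIER -> success (0) when fewer than 3 canaries pass.
# Requiring a majority avoids locking on one transient failure (e.g. a wifi scan
# that missed the SSID once).
should_lock() {
  [ "$(canary_score "$1" "$2" "$3" "$4")" -lt 3 ]
}

# Constructed sample inputs representing the machine sitting on its home LAN.
SAMPLE_NEIGH="10.0.0.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
10.0.0.7 dev eth0 lladdr 02:42:ac:11:00:02 STALE"
SAMPLE_SCAN="BSS 11:22:33:44:55:66(on wlan0)
    SSID: home-lan"
SAMPLE_DNS="10.0.0.5"
SAMPLE_CARRIER="1"

if should_lock "$SAMPLE_NEIGH" "$SAMPLE_SCAN" "$SAMPLE_DNS" "$SAMPLE_CARRIER"; then
  echo "environment changed: would lock volumes here (placeholder action)"
else
  echo "canaries OK: $(canary_score "$SAMPLE_NEIGH" "$SAMPLE_SCAN" "$SAMPLE_DNS" "$SAMPLE_CARRIER")/4"
fi
```

Run it from cron or a systemd timer with the real command outputs substituted for the sample strings; the placeholder branch is where you would unmount or lock volumes. Keep in mind the caveat raised elsewhere in the thread: anything a PAM module or this script needs to run from has to remain unlocked.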
I suppose this would be good for airport travel and more mobile situations.