UK Government Wants Private Encryption Keys

An anonymous reader writes "Businesses and individuals in Britain may soon have to give their encryption keys to the police or face imprisonment. The UK government has said it will bring in the new powers to address a rise in the use of encryption by criminals and terrorists." From the article: "Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. 'The use of encryption is... proliferating,' Liam Byrne, Home Office minister of state told Parliament last week. 'Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force.'"

My God

I believe we are in need of a new Slashdot section: Horrifying

Re:My God

Or how about a new /. heading: Wake Up !

This is nasty. You can always tell when there are no reasons that would fly with the public when they have to invoke the paedophiles. US government has War on Terror, the UK has paedophiles.

E-mail was a god-send for the intelligence services. Automated scanning and copies of everything to look back on if they ever chose. Encryption means the free party is coming to an end. GPG is turning off the stereo and saying "GO HOME!"

They managed without it before. They can manage without it again. And if that means the Government can't achieve omniscience over the population... good!

Re:My God

Indeed, pedophiles are the debug mode for the Constitution

More like "Horribly Bad Joke."

Just an example of astoundingly ignorant politicians who don't realize they're effectively criminalizing the use of cellular phones, the constantly changing keys of which would amass petabytes of data within a year, in just the UK--and that's just the keys, not the data they encrypted...and that's just the cellphones.

What absolute morons.

Re:More like "Horribly Bad Joke."

..and you ipsec keys, which change every few minutes, your ssh key, which is per session, your kerberos key, etc.

Most people don't even realize how many keys they use. They could default on a law like this without even knowing it.

Re:More like "Horribly Bad Joke."

erm.
RTFA

Despite the poorly worded title, the UK govt. isn't about to ask you to submit every single key you ever generate.
It just wants the ability to 'force' you to hand over the keys if and when it asks for them.

Granted, this causes problems of it's own. I mean, I don't keep a list of every key i've used...

Re:More like "Horribly Bad Joke."

You're misunderstanding the technology or the law (I'm not sure which).

They're talking about private keys (as in the private half of the public/private key pair in public key cryptography), not private keys (as in the only key in private key cryptography).

This is a huge difference. Private key cryptography is used as the underlying scheme for protocols like SSH, SSL, etc, but public key cryptography is used to ensure the secure exchange of that key. of the private half of the key pair is known, that initial exchange is not secure, and thus there is no need to be TOLD the private key cryptosystem's key: it is handed to any listener who knows the private key that goes with the public key used to initiate the session.

Oh, and the cell phone companies almost certainly already hand over the key pairs for the phones (or are issued them).

Obligatory Ayn Rand

"There's no way to rule innocent men. The only power government has is the power to crack down on criminals. When there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws." -- Ayn Rand

Just wait.

Just wait until they finish decrypting all the data files on my PC.

"You mean we spent four days decrypting Gigs upon Gigs of vacation photos??"

"Well, they have an 8 Megapixel camera, lots of memory cards and use RAW format..."

"But that's all you found? There aren't even any racy photos in the bunch?"

"Should we start decrypting the second RAID array?"

"The one labeled 'Project Gutenberg text to speech files in WAV format'?'

"Yes, that one."

"Go for it. I don't know what this 'Project Gutenberg' is, but it's got to be seditious. Plebeians don;t label anything a 'Project' unless they have delusions of being all 'Cloak and Dagger.'"

Re:More like "Horribly Bad Joke."

The real question is not why you think these encryption laws are idiotic... of course they are idiotic. The real question is why you think the laws on education, civil planning, economy, enviornment, health care, or anything else are more reasonable that these laws on encryption.

You are probably an expert on computers/encryption, being a part of the Slashdot crowd, that you can understand how messed up these rules are. But if you were a doctor, you would probably think these rules are reasonable, and instead would think that the laws on health care are messed up. You are critical of these laws, because you have the knowledge to understand what is wrong with them... and you are probably don't really question the laws on subjects which you might not understand.

So you must understand, the vast majority of the population who doesn't understand encryption, will think these laws are reasonable and nessicary, the same way you probably think the laws on education, or enviornment, or whatever are reasonable and nessicary. The average person is not going to take you any more seriously complaining about this, than you take the complaints from factory owners about enviornmental laws.

At some point you are going to have to realize it isn't "idiotic" leaders who are making "idiotic" policies that are the problem... that our leaders are very very smart and competent... but that it is the idiotic concept that a handful of experts and technocrats can manage virtually every aspect of a huge diverse society. It is the concept that society can be centrally planned / regulated / and managed by lawmakers that is the problem, not with the specific "central planning".

Actually...

I'm a political scientist by education.

Where does that put me in your example?

Re:Actually...

I'm a political scientist by education. Where does that put me in your example?

It means that you have been fully indoctrinated to accept the political and social assumptions of your society, and you now indoctrinate others into those assumptions... in such a way that it perpetuates the current political system. You are to the modern state what a priest is in Catholisism.

An example of a political assumption in a society would be something like the debate over government's role in health care in Europe. There are those who argue that equality of care (everyone is entitled to equal care) is why health care should be provided and controled by the government... and those that disagree. There are those who argue that no-one should be without health care, and therefore the state should provide it to everyone... and there are those that disagree. BUT, no one questions the idea that the government can or will provide truly equal care, or that the government can or will provide the care to everyone. The political assumption is that government never fails to provide people with services, and that government always provides those services in a manner that is equal to everyone. Even the people who are against the state's intervention into health care don't question that government will provide health care, and they don't question that the government will do it with absolute equality.

In a reasonable debate, you would hear people argue that states have engaged in terrible acts of inequality... in fact the worst acts of inequality, such as mass genocide, have been commited by the state. In a reasonable debate one would argue that states have often commited horrible failures in providing services to it's citizens, in some cases resulting in millions of deaths. Yet, in modern mainstream political debate, it is unheard of and inconceivable that someone could support universal and equal health care for everyone, and also not support state control of health care. In mainstream politics, if you support equal and universal health care, YOU MUST SUPPORT STATE RUN HEALTHCARE. Through political "scientists" such as yourself, and many years of indoctrination and government controlled education, you have been able to control people's thoughs as such that THE STATE = EQUALITY, and THE STATE = PROVIDING FOR THE NEEDS OF SOCIETY... and to be against the state is to be against equality and providing for the needs of everyone. As a "scientist", you should be able to step out of your views for a second and see that is a very powerful form of brainwashing!

Your job, as a political scientist, is to maintain a faith in the state and political process. You may question a specific government policy (but that is like questioning what type of sandwich I should eat for dinner... there is a big assumption that I should be eating dinner, and that my dinner should be a sandwich), but your job is to make sure all debate about the political sytem preserves the political system.

Now, I will admit I am stereotyping political science people. I suppose there are few token anarchists or libertarians or classical liberals in the political science field. But I think that you would probably agree, that anarchists or libertarians or classical liberals are probably few and far between in the field of political science. You wouldn't expect a political scientists to be against the political system, any more than you would expect a carpenter to be against wood.

Re:More like "Horribly Bad Joke."

Hmmm...

I'm not a food scientist, but I think labeling laws and food safety inspection regulations are very necessary. Who doesn't think that? The food industry that doesn't want me to know that their product contains transfats and which would be happy to sell me contaminated meat.

I'm not a chemical engineer, but I support regulation of gasoline additives. Who doesn't support that? The oil companies who understand that lead is a very cheap way to increase octane levels.

The real question is why you think the laws on education, civil planning, economy, enviornment, health care, or anything else are more reasonable that these laws on encryption.

Because most regulations are designed to establish the bounderies of various property rights. Who owns the air -- you or the oil companies? In this case, the regs define the limits of what an individual or company can do with a common resource. Should a food company have the property right to sell unlabled food? Here, the regs are designed to put buyer and seller on more even terms -- they reduce the transaction costs of buying and selling food.

But mandatory government access to private keys does nothing except make it easier for governments to invade personal privacy. In no way do such regs reduce the costs of transacting commerce or establish property rights boundries on common resources. These regs are fundamentally different from food, health, and environmental regulations.

Re:My God

If you know something about cryptography it isn't that horrifying.

There are current encryption technologies already deployed in the market that allow for two sets of data to be encrypted with two keys into a single file. This allows a user to encrypt a sensitive file with an innocuous one, so that when required to disclose a private key the user can just give the one that decrypts the innocent data.

Again, these new laws will only deteriorate the right to privacy of innocent people, while the real criminals will be allowed to roam free doing their dirty deeds with little more trouble then a software upgrade.

Re:My God

Again, these new laws will only deteriorate the right to privacy of innocent people, while the real criminals will be allowed to roam free doing their dirty deeds with little more trouble then a software upgrade.

v'z fher v'yy trg zbqqrq qbja sbe guvf fvapr v'z rkcerffvat n ceb-crefbany-svernezf ivrjcbvag, ohg naljnl...

Indeed, there is a very strong parallel between this and gun control schemes. The honest people give up their guns/keys to the government, the people who are already criminals have no reason to do so. The bad guys simply get smarter at hiding what they do. Who gets screwed in the end? It's always the honest, law-abiding citizens.

Oh yeah, dear UK government, you can pry the encryption key for this post from my cold, dead hands, along with my firearm... (Although in this particular case I think it will be more difficult to get the gun than the key.)

Doesn't seem like Orwell and friends really accomplished much, does it? They showed us the future but we're just walking right smack into it anyway, eyes wide shut.

Re:My God

It's not in YRO because in the UK we don't have rights, enshrined in a constitutional document, as do the people in the US.

Oh... wait a minute. This just in: Neither do the people in the United States, apparently. This appears to have expired somtime between Nov 2000 and Sept 2001.

Re:My God

I'm pretty sure that idea died a Horrifying death

Wishful thinking, they extended it to 28 days without trial/evidence instead. Blair was still spouting on that the country's security had been compromised. Because police and security services had some power removed, right? ...

One of Blair's favourite lines went something like this,

"I don't understand why people seem to think that the rights of terrorist suspects should be more important than those of innocent people."

Re:What the hell?

> Some douchebag swithces a few words around in a famous bit of prose and suddenly it's +5 interesting?

Switching a few words around in a famous bit of prose: (-1, Douchebag)
Knowing which words to switch: (+5, Interesting)
Some things (+1, Funny) can't buy. For everything else, there's metamod.

Simple solution.

Just stick a computer in the corner churning out encryption keys and mailing them to the UK government all day every day untill you break their database.

Re:Simple solution.

You do know that with the way SSL/SSH works, that's EXACTLY what you would be forced to do to comply with this law, right?

Methinks the UK government doesn't know that what it wants is technologically infeasible....

Re:Simple solution.

"Methinks the UK government doesn't know that what it wants is technologically infeasible...."

Methinks you didn't RTFA.

They are not asking that all keys be submitted. They are simply asking to give the police the power to force you to submit keys on request. In other words, after they've already confiscated your computer and discovered that there are encrypted files, they demand that you hand over the key, and if you don't, then they can throw you in jail.

I'm not saying I agree with it, just trying to clarify the misconception that everyone in this thread seems to be having about this.

Re:On the other hand

Catching up? That's so unfair. Its not like the British are newcomers at this -- if they hadn't done it first, there likely wouldn't be a US.

key turning point in government relations

Encryption keys don't kill people, people kill people.

If owning (not divulging) encryption keys is criminalized, only criminals will own encryption keys.

These "rules" will only push the envelope of how and what criminals (or terrorists, etc.) use to hide their activities. And at the same time, they will add one more burden to the general population to manage and ensure the government is informed of their encryption infrastructure. Nuts.

The most effective infiltration into terrorist infrastructure is still social engineering. I'd rather the money spent creating and managing something like this spent training and hiring translators, covert agents, etc.

A convincing point about the futility of this proposed rule comes from the article:

Clayton, on the other hand, argues that terrorist cells do not use master keys in the same way as governments and businesses. "Terrorist cells use master keys on a one-to-one basis, rather than using them to generate pass keys for a series of communications. With a one-to-one key, you may as well just force the terrorist suspect to decrypt that communication, or use other methods of decryption," said Clayton.

Re:key turning point in government relations

Just as all criminals turned in their guns when they were outlawed, I'm sure they'll all turn over their encryption keys and keep using them to communicate so law enforcement can observe. Right. What would someone have to be smoking in order to think this is a good idea? Its nothing more than a blatant power grab that will ONLY affect law abiding people and have no effect whatsoever on "terrorists" or whatever other boogeyman will be used to justify more overreaching laws.

Re:key turning point in government relations

What happens if some blob of data on the computer is deemed "encrypted" by the Glorious Defenders from Assorted Boogeymen?

Well, they go to court, and they have to try and convince a jury of your peers that they are correct, beyond a reasonable doubt. The same way every single other law operates. If they can support their assertions with sufficient convincing evidence you go to prison, if not, you don't.

Besides, there are already horribly injust mechanisms for detaining people in Britain without the need for a trial. Thats what we should be getting worked up about (although the Human Rights Act is doing for them, fortunately).

But this far more measured Act (which involves warrants, Section 49 orders, actual trials, and the need for evidence and all that) is what slashdotters choose to get worked up about. And why? Because it involves computers.

Frankly, thats pretty pathetic.

Stop giving the US gov't ideas

It's a good thing that, as an American citizen, I don't have to worry about these violations of my privacy.

Re:Stop giving the US gov't ideas

although obtaining a warrant would force one to give up encryption keys

Even with a warrant they can not force you to give up your encryption keys. There is this thing called the 5th amendment to the constitution.

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

You can take the 5th when questioned about your keys. No matter what they do they can not compell you to give them that information.

Spaceballs:

My encryption key is:

1.....2.....3.....4.....5

I RTFA, but I don't get it...

So is it that they want the criminals to hand over their passwords before they commit a crime? This should go well with the anti bank-robbery legislation requiring all would-be robbers to call in a schedule before they pull off a heist.

Warning

If this goes into effect it would make it a very dangerous thing to have files of random characters .... you'd have a lot of trouble explaining them.

What about global corporations?

Most major companies have offices all around the world, presumably. So now they'll have to have a separate (pretty much disposable) encryption method just for the UK?

What about communication between offices on the internet? A japanese analyst creates some research, but due to technical problems the only Compliance office up is in Europe. So every program or service that can comminicate with Britain has to check if a request is going to/through the UK before applying the "approved" encryption.

To quote, "this is madness"

This is bizarre

It's like some sick competition between the US administration and the UK one.

"Oh, yeah, you think that telephone call database is slick, check this sh*t out. We're gonna make our subjects give up their crypto keys or go to jail"
"Oooh, good one!" (high five)

Steganography

Time for steganographic file systems where your private data can be hidden inside innocent looking files. They can't force you to disclose your key if they don't know and/or can't prove that you have one.

http://en.wikipedia.org/wiki/Steganography [wikipedia.org]

In other news...

increased use of encryption by criminals, paedophiles, and terrorists.

...it has been found that:

- cameras are used by criminals, paedophiles, and terrorists - we need access to your negatives/memory disks.
- houses are used by criminals, paedophiles, and terrorists - we need access to your house keys.
- cars are used by criminals, paedophiles, and terrorists - we need copies of your car keys.
- ATM machines are used by criminals, paedophiles, and terrorists - we need to know your PINs.
- Online email services are used by criminals, paedophiles, and terrorists - we need to know your username/passwords.
- Computers are used by criminals, paedophiles, and terrorists - we need to install a backdoor on your computer.

1984 news

- cars are used by criminals, paedophiles, and terrorists - we need copies of your car keys.

You're behind the times.
The UK is already (planning) installing a system of automatic licence plate recognising camera's throughout the country. The resulting database will allow a very comprehensive following of cars and thus persons.

The next step is of course that you have to report to the police whenever you've driven an other car but your own...

England Prevails

"England Prevails"

Parliment better watch out... hear there's a train heading there loaded with fireworks and other things that go boom.

New encryption scheme

Simple solution: You have a new encryption scheme where there are 2 private keys. The first one allows decryption, the second wipes the drive. Guess which one you give to the police?

In Soviet Russia...

There was no crime, because the secret police would carry you off and shoot you in the head if you were even suspected of a crime. Wiretaps were the norm and the government could do whatever it wanted. Privacy didn't exist. And they were safer from criminals for it. Well, safer if we define criminals as ones that weren't in the KGB.

Yeah, no "In Soviet Russia" Joke here.

This is frightening. It's like we're becoming the very thing we fought in the cold war. A totalitarian government.

But at least we have 37 types of cereal.

Actions are criminal, not tools

A criminal that rapes someone may have talked during the rape -- it is the rape that was evil.

A criminal that shoots someone in the head used a gun -- it is the shooting that is evil. He could have used a baseball bat.

A criminal that blows up a building might use a cell phone -- it is the building exploding that is evil. He could have used e-mail or writing a big X on a tree.

We have to stop government from criminalizing actions that are part of our right to speech. This right is not something Constitutional or created out of any government document -- it is a natural right that all humans share, no matter what the laws say.

I'll continue to encrypt, and I'll dare the government to try to restrict me. If I have to, I'll encrypt by using an encryption program that hides my real text to make it look like readable language. Let them try to stop that. Or I'll use my own spoken code. Will they find a way to criminalize it?

Don't criminalize tools, criminalize criminal actions.

Summary is not complete

I'm as opposed to section 3 of RIPA as the next man, but I have the benefit of having read it in detail. What is proposed is that, following a lawful search with a warrant issued by a judge, the police or judiciary can demand the keys to any encrypted material that is seized. Refusal to produce keys can be treated as a crime in its own right. Since in America your government, it would appear, doesn't bother with the ``lawful search with a warrant'' part, I think we can safely tone down the ``UK sucks'' tone.

The basic argument is that the purpose of a search warrant is defeated by encryption. Now I think that's wrong, or at least part wrong, and I think an alternative would be to make material held by the defendant which he does not choose to decrypt something that the jury can take account of, just as refusal to testify is now, under limited circumstances, something the judge can point to during summing up. And the alternative of forcing decryption isn't offered (although quite how someone would demonstrate that plain text they offered really _was_ the decryption is a whole other question).

The is bad, illiberal law, and those of us involved in campaigning against it have been in correspondance with our MPs for some years. But it's not just Britain that is tearing up its freedoms in the face of minor terrorism: the USA collectively shat its pants and ripped up a century of jurisprudence on the 12th of September. It makes far more sense for people with a desire for freedom to work together, rather than to assume that we're a bunch of proto-fascists while Bush Jr defends your constituional rights.

ian

Implementation

People; don't say "This can't be done."

This is referred to as a "catch-all" type of law. Beware the wonders of selective enforcement.

The idea here is that if you find a suspected terrorist, and they use encryption, you don't even need to bust them for terrorism OR for not providing their encryption keys when demanded. You can just go to step A, look up their name in the government encryption key database, find out that no, they did not provide their encryption key to , and take them directly to jail.

Regardless of whether or not the are a terrorist, regardless of whether or not they are willing to turn over their encryption keys when asked, you can find them guilty.

This is not about collecting everyone's encryption keys (at least not at first). Initially, this will be used as a blunt stick to smack anyone the government doesn't like. Think of the way seat belt laws are enforced; cops won't stop you for not wearing your seat belt, but they'll sure as hell issue a ticket for it even if you aren't speed, have all your paperwork in order, and have done nothing else wrong. It's a sort of standby crime they can get you on.

I'd like to see some stats...

...I know that's like asking to be lied to, but I would like to know how often criminal investigations are hampered or even prevented because communications or information had been encrypted.

Like so many others, I see this as nothing more than an attack on privacy and not as an aid to criminal investigations. Criminals are not going to turn over their keys. People who turn over their keys aren't likely engaged in criminal acts. "honest" people who believe in the right to privacy will become criminals, however.

I'm not sure "police state" is the right word, but we're certainly talking about criminalizing the general population to the point that only people "in office" can have the right to privacy under the guise of "national security." And a funny thing happens to your rights when you become "a criminal." You lose them along with your ability to run for public office and all manner of other things.

Cat. Mouse. Cat. Mouse. Cat. Mouse.

"The use of encryption is... proliferating..."

The use of illegal government spying on innocent citizens is proliferating.

Your move now.

...(and no, you may not have my encryption keys [gnu-designs.com]).

Plausible Deniability

I think this will increase the proliferation of encryption technologies which provide a certain level of plausible deniability. Things like TrueCrypt (http://truecrypt.org/) provide an encrypted container which has a basic access and a secondary access. The container cannot be detected as being an encrypted anything - it is just a bunch of random data. If you use the basic access mechanism, you get your data. If you use the secondary access, you get an alternate contents, which can be seemingly important, but relatively benign data you put there to look like soemone got something important. However, you cannot tell which one is which, or even that the alternate access isn't the primary one.

TrueCrypt lets you mount the container as a filesystem, which is a convenient way to go. This sort of thing allows you to:

a) Deny that there is anything encrypted for which you have not proffered a key. "Oh yeah, show me what I have encrypted and I'll show you the key."

b) If that's not enough, proffer the false key that gives them the alternative access. "Ok, here you go. Let me know if you find anything incriminating. (tee hee)"

Lastly, if you use things like encrypted swap on a unix device, you can plausably say that what is there is just an encrypted swap file, and you don't have a key because the key is never saved to the disk. Why isn't it mounted now? You only set it up temporarily and forgot to delete the file when it was done. (for 1Gb files or larger...) If you have a 20Gb file, you're probably going to have to explain it... and go for option (b) above.

Of course, if your 20Gb file is not a file, but is just an "empty" partition... well there you go.

Please note - I'm not advocating breaking any law here - just outlining what this will drive people who care enough to do.

Nothing compared to Tuesday's Dictatorship Bill

Or the human cattle ID cards Act [no2id.net], which creates by far the world's most intrusive Big Brother database on citizens by linking up 5+ previously unconnected databases...

The Dictatorship Bill, also called the Abolition of Parliament Bill [timesonline.co.uk], Totalitarianism Bill [impactnottingham.com] or (by the Govt) the Legislative and Regulatory Reform Bill is nothing less than a naked grab for power. After being amended 3x, the Bill was passed in the form described here [thebusinessonline.com].

LRRB [parliament.uk] enables ministers to rewrite our constitution with only rudimentary scrutiny. Consider the extraordinary mass surveillance / coersion [bristol-no2id.org.uk] implications of the ID Cards Act. Even the well-organised opposition [no2id.net] could not stop this legislation.

What chance then of:
1. Spotting obscure but deeply damaging clauses hidden in the boring legislation?
2. Motivating the Tories, LibDems and enough New Labour drones to subsequently block it?

LRRB is then carte blanche for Blair to do what he will with this country. What can we deduce of his plans?

New Labour already rejected [libertycentral.org.uk] an amendment to stop LRRB re-writing our most important constitutional laws. They then promised to introduce new amendments fulfilling the same thing. Our skepticism was once again justified [spy.org.uk]. This is more than enough evidence that Blair wants dictatorial powers.

LRRB is obviously a precursor to passing laws which Parliament wouldn't otherwise pass.

Considering the deeply scary laws he's got through Parliament, the likelihood is that he wants something so badly, and so unpalatable that he won't even risk presenting it for proper Parliamentary scrutiny.

- He does not need Parliamentary approval to invade Iran
- He already has Hitler's Enabling Act [blogspot.com].
- He has already passed RIPA [magnacartaplus.org] and the ID Cards Act for more Big Brother snooping than anything China or North Korea have.
- He already has locked up people for 3 years without trial or even being questioned - although he has been twice been 'told off' for breaching the Human Rights Act in this way.

I did not believe that he needs LRRB to repeal the HRA - indeed one welcome amendment [spy.org.uk] was to exclude the HRA from being amended. When every other explanation has been ruled out, whatever remains, however unlikely, must be considered. I think something much worse is coming although I dread to think what.

Re:Brilliant idea...

I'm sure the criminals, paedophiles, and terrorists will just be lining up to hand over their keys, too.

That's the odd thing about this. You can get up to 2 or 5 years in the can (depending on if they think you're a terrorist). So if you have gigs of terrorist info that could get you sent away for life, just say you lost your keys and go away for 5 years max.

Re:odd request

Enter TrueCrypt and hidden volumes made for exactly that reason: http://www.truecrypt.org/hiddenvolume.php [truecrypt.org]