I did the hidden OS on windows long ago and it was NICE! But No UEFI support and also … windows. I recently went to endeavor OS and like it but, I keep wondering if I can do a hidden OS on Linux or at least FDE with palosable deniability (I can’t spell it). I have seen shufflecake but the hidden OS is not here yet, but I have seen a few photo types. Does anyone know any or best alternatives?
1 Like
If your willing to expand on it, what’s your purpose for needing plausible deniability? I am wondering if maybe there is a simpler solution .
1 Like
I just like the veracrypt hidden OS. Also it would be useful at checkpoint or in the country of travel. I like that you have 1 password for normal OS, and 1 for super secret OS
1 Like
Also I do VMs in hidden partitions but its just not the same.
1 Like
I was wondering if anyone had updates?
1 Like
Technically, Qubes OS is a Xen-based distribution using Linux VMs, so this is not a Linux distribution-agnostic solution, but nonetheless, this information may prove useful for your use case(s).
Thanks! But not what I am looking for. I have a custom Linux pacman distro iso (yha, I know, super nerd) and my threat model is way below qubes (but it is still awesome). So it would have to work on something like arch. Any idea?
1 Like
I remember looking into this for additional safety at border crossings but a friend told me that this may be considered concealment and could be illegal (although no way the border grunts would realize this) and the setup looked complex so I decided against it.
What I do currently is that I make an additional user using systemd-homed. I have basically a totally clean wiped account with username of my first name. I use SDDM as my login screen and make sure to choose a theme that supports not showing additional users so I have to type in my username every time. So what border control sees is a login screen with blank field for username and password. Once I am logged into the clean user, the only evidence the other user exists is an encrypted folder in /home. You can obscure this a little further by naming the private user something like “backup” so there’s a folder in /home called backup or something like that which is not especially suspicious. Again obviously they can look at /home and see this (not that they would or understand what that folder is) but that folder is locked and encrypted, so even if they force you to unlock your main LUKS partition and grab the password for that, your sensitive data is still within the other user in systemd-homed.
If you want to take this up a step further, systemd-homed allows you to port the home folder to different devices such as a USB drive or SD card. I’ve seen USB drives that are somewhat concealed like hidden in a pen, and other things that are kind of cool like a real coin that hides an SD card inside. So if you really wanted there to be no data on the laptop, you could just transfer out the systemd-homed user’s home to the concealed USB drive or card, and then transfer it back after getting over the border. That way even if the border control completely searches your computer there is no sensitive data there.
I feel like this is a reasonable setup for me currently. For certain people their threat model probably involves having no electronic devices or drives and shipping them instead of using the cloud but that’s not me.
1 Like
Only Shufflecake alone comes to mind, but we are already aware of its limitations.
Hello! Shufflecake will be presented at the Crypto Applications Workshop (CAW) in Rome, Italy (co-located with EUROCRYPT 2026 and many other crypto events), on May 10th, 2026. This talk is going to be an update of the latest news and status of the project in 2026, including juicy news on the Hidden OS!
wait this
it will be soon
1 Like
I will wait. But they have said this for a while now. I would like it to be out now. It’s so cool I just wish it was 
.
1 Like
When I think about it a bit more … FDE with deniability sounds like all I need. Any ideas?
1 Like
Been down that path myself, back when it was still TrueCrypt. If I recall correctly, you have to supply both passwords when accessing the outer volume to protect the hidden volume from corruption which makes it easy to leave unintended traces. And I’m sure you’re familiar with rubber hose decryption 
Not sure if it meets your needs but I find a LUKS partition with a detached header pretty indistinguishable from random data and plausibly deniable.
1 Like
Yes, LUKS with detached header looks like random noise
1 Like
Good, but also you need the USB so … yha. I don’t wanna have to care to send it out in the mail (not that I wouldn’t, but would not want to). Its cool, but not like hidden OS. Shuffle cake was at CAW today on their blog. I can’t find it online, but they would have had news on hidden OS. Does anyone know where that is at?
1 Like