Toward Plausibly Deniable Dual-Environment Computing Via NixOS Overlays and Hidden Volumes

Hi,

I’d like to share a project I developed :slight_smile:


TL;DR

NAILS mounts a declarative NixOS environment as an OverlayFS layer over a decoy NixOS system, redirecting all writes from the hidden session (shell history, logs, browser state, caches, thumbnails) into user-provided encrypted storage. The important part is the threat model: encryption protects file contents, but a running OS constantly leaks context and NAILS targets exactly that gap. Use your own VeraCrypt volume, LUKS container or network mount, activate the overlay, work, then deactivate and the base system is untouched. This is alpha software built as a master’s thesis, so treat it accordingly.


ELI5

Encrypting your sensitive files is a good start, but your computer quietly records everything you do in plain text on the side: which files you opened, what you searched, commands you ran, browser history, thumbnail caches. Someone examining your machine doesn’t need to crack your encrypted files to learn that sensitive work happened because the footprints are sitting right there in the open. NAILS is a NixOS tool that intercepts those footprints while you work and redirects them into an encrypted volume you control, so your visible system never sees them. When you deactivate, your decoy system looks exactly as it did before (boring, ordinary and unremarkable). NixOS makes this unusually reliable because its declarative design means the environment can be switched cleanly and consistently, without loose ends. If you need your computer to hold secrets that go beyond just locking files away (like installing software), NAILS might be useful to you.


NAILS (NixOS Anti-forensics Isolation & Layering System) is a NixOS CLI that uses OverlayFS in combination with a mounted volume that can be anything from a VeraCrypt hidden volume to a network share to a hidden drive in something like a coin. All that matters is that it provides a mount. This was done so that NAILS stays independent of the volume type. Combined with a declarative NixOS configuration, this makes it possible to layer a hidden environment on top of a normal-looking “decoy” NixOS install.

While the hidden session is active, the kinds of artifacts an OS leaves behind (shell history, files, browser usage, SSH entries, thumbnails, logs) get redirected into a storage location you prepared and mounted. After running nails deactivate, the decoy returns to its previous state.
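To make the activate/write/deactivate cycle concrete, here is a small added illustration of the layering idea. It is hypothetical example code written for this post, not code from the NAILS repository: it overlays a single decoy directory rather than a whole NixOS system, uses a tmpfs as a stand-in for the user's VeraCrypt/LUKS volume, and the function names (`overlay_opts`, `is_mountpoint`, `activate`, `deactivate`, `demo`) are my own. The mount operations need root; the helper functions run unprivileged.

```shell
#!/bin/sh
# Added illustration of the layering idea, not code from the NAILS repository.
# A decoy directory is the read-only lower layer of an OverlayFS mount; every
# write made through the merged view lands in upperdir on a volume the user
# mounted beforehand (here a tmpfs stands in for a VeraCrypt/LUKS volume).
# Only the demo at the bottom needs root; the helpers run unprivileged.
set -eu

# Build the OverlayFS option string: lower = decoy (never written),
# upper = where changes go, work = OverlayFS scratch space (same fs as upper).
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# True when $1 is an active mount point according to /proc/mounts.
# Refusing to activate without this check matters: if the volume is not
# mounted, "hidden" writes would silently land on the decoy's own disk.
is_mountpoint() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' /proc/mounts
}

# activate DECOY VOLUME VIEW: mount the overlay so that VIEW shows DECOY
# plus any changes, while the changes themselves live under VOLUME/upper.
activate() {
    is_mountpoint "$2" || { echo "refusing: $2 is not a mounted volume" >&2; return 1; }
    mkdir -p "$2/upper" "$2/work" "$3"
    mount -t overlay overlay -o "$(overlay_opts "$1" "$2/upper" "$2/work")" "$3"
}

# deactivate VIEW: drop the merged view; the decoy is left exactly as it was.
deactivate() {
    umount "$1"
}

# Root-only demo with constructed sample data and a tmpfs as the "volume".
demo() {
    tmp=$(mktemp -d)
    decoy="$tmp/decoy"; vol="$tmp/volume"; view="$tmp/view"
    mkdir -p "$decoy" "$vol"
    echo "ls -la" > "$decoy/.bash_history"          # innocuous pre-existing history
    mount -t tmpfs tmpfs "$vol"                       # stand-in for the user's volume

    activate "$decoy" "$vol" "$view"
    # Typical artefacts of a session, written through the merged view only.
    echo "cat sensitive-notes.txt" >> "$view/.bash_history"
    mkdir -p "$view/.cache/thumbnails"
    : > "$view/.cache/thumbnails/sensitive.png"
    deactivate "$view"

    # Decoy still holds a single innocuous line; the volume holds the rest
    # (OverlayFS copied .bash_history up before appending, so the full file
    # with both lines sits in upper, while lower kept the original).
    [ "$(cat "$decoy/.bash_history")" = "ls -la" ]
    [ ! -e "$decoy/.cache" ]
    grep -q sensitive-notes "$vol/upper/.bash_history"
    [ -e "$vol/upper/.cache/thumbnails/sensitive.png" ]
    echo "decoy untouched; session artefacts only under $vol/upper"

    umount "$vol"
    rm -rf "$tmp"
}

# Run the privileged demo only when asked: sh overlay-demo.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

Two caveats the single-directory version makes visible: the work directory has to sit on the same filesystem as the upper directory (which is why both live on the volume), and anything written outside the overlaid tree, such as the decoy's own journald or the kernel's record of the mount itself, is not captured by it. That is the gap that layering the whole system, as the post describes, is meant to close.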

The threat model targets journalists or people in oppressive regimes who might need to hide sensitive data or the use of certain software when they are checked by police, border control, etc. It is not a defense against a live, privileged attacker on a running system, an attacker with memory access, network-level observation, hardware implants, or coercion (depending on the volume type you might be relatively safe though).

I developed NAILS as part of my master’s thesis. The evaluation was done in a VirtualBox VM with a VeraCrypt hidden volume, where none of the evaluated artifacts were recoverable from the decoy after deactivation. That’s a promising result inside a narrow, well-defined scope BUT it’s not a general claim of deniability. I (or the tools I used) might have missed something, so take that info with a grain of salt.

GitHub Repo: github.com/WitteShadovv/nails
Site: nails.run

I’d really value feedback.

Thanks for reading! :slight_smile:
