DISCLAIMER: WE ARE NOT RESPONSIBLE FOR ANY ABSTRUCTION OF LAW. THIS IS JUST A PROFF OF CONCEPT.
Also if you are not careful you can install the iso on your main drive delete everything so we are not responsible for any data loss. Please get help before using dd
Laptops and computers are everywhere. As a security researcher who travels a lot, it would be more convenient to carry around a usb than a laptop, just because size and weight.
You have to keep in mind this feature doesn’t completely destroys the data, it only removes the luks headers that makes the data on the usb useless. The intender purpose that the creators of the feature had in mind was to save the data on the usb, email or send the lux header via trusted partner to a safe location. Nuke the device and not worry about getting intercepted with sensitive data.
Kali linux is really flexible and it gives your multiples options
- live boot: like any other linux distro, all the data will be lost after a reboot
- have a partition that doesn’t get deleted after a reboot (aka persistance)
- have an encrypted persistence partition
- nuke option where by using where you specify a second password and whenever you use that, everything on the drive would be deleted
dd if=kali.iso of/dev/sdb bs=1M
will write the iso on the usb with 2 partitions, boot and the main kali iso.
We will create 2 more, one for persistence not encrypted and a forth one with encryption and nuke option.
The numbers shown on the commands below are where the partitions start and finish, it will vary depending on the iso size and the usb drive size.
parted /dev/sdb print mkpart primary 901 5000 mkpart primary 5000 100% q
fdisk –l /dev/sdb will show your new and updated partitions
we will format and label the partitions 3 (the not encrypted one)
mkfs.ext3 /dev/sdb3 e2lable /dev/sdb3 persistence
we will mount the partition 3 add a file to it called persistence.conf with the value / union to say everything under root will be persistent and the unmount it
mkdir –p /mnt/usb mount /dev/sdb3 /mnt/usb echo “/ union” > /mnt/usb/persistence.conf unmount /mnt/usb
Now for the encrypted partition with nuke:
First we will format it
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb4 cryptsetup luksOpen /dev/sdb4 my_usb
like before we will format the drive, label it, add persistence.conf file and close the encrypted drive
mkfs.ext3 /dev/mapper/my_usb e2lable /dev/mapper/my_usb persistence mkdir –p /mnt/my_usb mount /dev/mapper/myusb /mnt/my_usb echo “/ union” > /mnt/my_usb/persistence.conf unmount /dev/mapper/my_usb cryptsetup lukksClose /dev/mapper/my_usb ls –l /dev/disk/by-label (just to see what’s up)
for adding the nuke capability
cryptsetup luksAddNuke /dev/sdb4
first you have to enter your main password then the password you would like to use for nuke capability
cryptsetup luksDump /dev/sdb4
will give you’re your header. Use it before and after luksAddNuke to see the change
you can back it up with this command
cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sdb4
now we can encrypt the backup luks header
openssl enc -aes-256-cbc -salt -in luksheader.back -out luksheader.back.enc
In this case, we would like to place the header somewhere that it is easily accessible. This could be as simple as on a USB thumb drive that is kept in a safe location.
Now you can nuke your kali live
With this command you will see the keyslot was remove
cryptsetup luksDump /dev/sdb
To restore the header back in place, it’s a simple matter of retrieving the encrypted header from your USB drive. Once we have that, we can decrypt it.
openssl enc -d -aes-256-cbc -in luksheader.back.enc -out luksheader.back cryptsetup luksHeaderRestore --header-backup-file luksheader.back /dev/sdb4
All we have to do is simply reboot and provide our normal LUKS password and the system is back to its original state.