Today, we will go over creating a bootable USB with Kali, with an encrypted persistence partition that is also nukable. This means that the USB itself will be bootable, but all the data will be encrypted. The encryption will not only have a decryption password, but it will also have a Nuke password: put in the Nuke password, and even the correct password will no longer be able to decrypt it. Read on for the complete how-to.

Before anyone starts griping about the fact that Kali has these steps available, they do. Thing is, there is no COMPLETE, start-to-finish document or page or anything... You have to piece it together from a few different places. My goal here is to have a COMPLETE, start-to-finish document, all in one spot. So here goes.

This is all being done on a basic Debian Linux host (CrunchBangPlusPlus if you're that curious).

UPDATE Jan. 26 2017: I am using Linux Mint 18 XFCE; it has Kali's cryptsetup and luksAddNuke, so this can all be done on that host.

Before starting, ensure you have the following:

  • Kali Linux ISO file (available here)
    • These steps have been personally verified to work with (though it should work for all others):
      • kali-linux-2.0-amd64.iso
      • kali-linux-2016.2-amd64.iso
      • kali-linux-xfce-2016.2-amd64.iso
  • USB Drive at least 8GB in size (theoretically I suppose you MIGHT be able to get away with 4GB, but if it works, it would leave you with essentially no storage room)

Now, on to the good stuff:

  1. We will need to run everything as root, so change to the root user:
    • sudo su -
  2. Before plugging in your USB, open a terminal and run the following command:
    • watch -d -n 1 ls -al /dev/sd*
    • This will start with showing your EXISTING storage devices.
    • Leave this terminal running, we will reference it later on
  3. Plug in your USB, you will see the output in the terminal change: you will see a/some new storage devices. Be sure to note what the new one is, you don't need to worry about the individual partitions (if there are any), just the base device.
    • So, for example, let us say you plug in your USB, you get more than 1 new device:
      /dev/sdb
      /dev/sdb1
      /dev/sdb2
      /dev/sdb3
    • In this example, we only need to worry about /dev/sdb, we don't need to worry about the sdb1-2-3-etc...
  4. Next in a new terminal, image the ISO on to the USB:
    • dd if=kali.iso of=/dev/sdb bs=64M
      • This is a basic dd command, no progress indication. Personally, I don't like just sitting there, waiting on the command to complete, not knowing whether or not progress is actually being made. So I run the following command instead:
    • pv -tpreb kali.iso | dd of=/dev/sdb bs=64M
      • As mentioned in a previous article, this will give us a nice progress bar, time elapsed, ETA, and a few other details.
  5. Enter the following commands to create a new partition on the USB:
    • end=8gb
      • If your USB is larger (or smaller) than 8gb, use that total, upper size here.
      • For a 32gb device, use 30gb
    • read start _ < <(du -bcm kali.iso | tail -1); echo $start
    • parted /dev/sdb mkpart primary $start $end
      • You will likely get a warning about "You requested a partition from..." and "The closest we can manage is...". You want to accept this.
      • You will also likely get another warning:
        • Warning: The resulting partition is not properly aligned for best performance.
        • You can just Ignore this as well
  6. Next, we will make this new partition encrypted:
    • cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
    • Note the sdb3. Assuming your device was sdb all along, it SHOULD be sdb3. Verify against the first terminal we got going in Step 2
    • Here is where you will be asked for your decryption password.
  7. Open the encrypted partition so we can make it our persistence partition for Kali:
    • cryptsetup luksOpen /dev/sdb3 my_usb
    • You will be asked for your decryption password again
  8. Format the encrypted partition to ext3 filesystem, and label it "persistence"
    • mkfs.ext3 -L persistence /dev/mapper/my_usb
      • Note: This will likely be THE longest command to run in creating the USB. This is a nice time to grab a coffee, or other beverage of choice.
        • A 32gb USB3 took a little under 7.5 minutes
    • e2label /dev/mapper/my_usb persistence
  9. Create a mount point, mount our new encrypted partition there, set up the persistence.conf file, and unmount the partition.
    • mkdir -p /mnt/my_usb
    • mount /dev/mapper/my_usb /mnt/my_usb
    • echo "/ union" > /mnt/my_usb/persistence.conf
    • umount /dev/mapper/my_usb
  10. Close the encrypted partition:
    • cryptsetup luksClose /dev/mapper/my_usb
  11. At this point, you have a bootable Kali USB with an encrypted data partition. For the next part, adding the Nuke password, you will need to do this from a device that has Kali's LUKS Nuke Patch. This can be done by the following:
    • Install the Kali Tools as described in an earlier article
    • Boot the Kali USB, and use Kali to do this
      • Myself, since I have installed the Kali tools on my regular Linux machine, I can just carry on from here.
    • Either way, run the following command:
    • cryptsetup luksAddNuke /dev/sdb3
  12. First, you will be asked for the EXISTING password, enter that. After this, you will now be asked for the Nuke password. I suggest using something much simpler (and maybe a little more obvious) than your "real" password. In this event, should someone try brute-forcing your password, they are more likely to use the "obvious" nuke password (and nuke the passwords), and afterwards, even IF they use the actual password, it still won't decrypt. Another possibility (which I always imagine in my mind), is that if someone were to ever take the USB key, and try to force the password out of me, I can just give them the nuke password. Once the password's been nuked, even if I'm tortured and really DO give up the actual password, it's too late, the decryption password has been nuked.
    • You can back up the LUKS encryption header, and use this to later RESTORE the encryption keys. Kali has more details here.
  13. You are DONE!
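
As an added example (not part of the original how-to or of Kali's documentation), the script below automates the eyeball checks from steps 2, 3 and 6: it diffs device listings to find the new base device and the new partition, and flags a target that is still mounted before you image it. The function names and the sample listings are constructed; on a real host you would pass in `ls /dev/sd*` output and the contents of /proc/mounts.

```sh
#!/bin/sh
# Added example; function names and sample listings are constructed for illustration.

# Print entries present in listing $2 but not in listing $1 (one device node per line).
new_nodes() {
    printf '%s\n' "$2" | while read -r node; do
        [ -n "$node" ] || continue
        printf '%s\n' "$1" | grep -qxF "$node" || printf '%s\n' "$node"
    done
}

# Reduce nodes on stdin to their base devices: /dev/sdb3 -> /dev/sdb.
base_devices() {
    sed 's/[0-9]*$//' | sort -u
}

# Succeed if device $1, or any numbered partition of it, appears as a mount
# source in /proc/mounts-style text $2.
is_mounted() {
    printf '%s\n' "$2" | awk -v d="$1" '
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^[0-9]*$/ { hit = 1 }
        END { exit !hit }'
}

# Constructed samples: `ls /dev/sd*` before plugging in, after plugging in,
# and after the parted step, plus a /proc/mounts excerpt in which the desktop
# has auto-mounted the stick.
BEFORE='/dev/sda
/dev/sda1
/dev/sda2'
PLUGGED="$BEFORE
/dev/sdb
/dev/sdb1
/dev/sdb2"
PARTED="$PLUGGED
/dev/sdb3"
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/KALI iso9660 ro,nosuid,nodev 0 0'

target=$(new_nodes "$BEFORE" "$PLUGGED" | base_devices)
echo "new base device: $target"
if is_mounted "$target" "$MOUNTS"; then
    echo "refusing to image $target: unmount its partitions first"
fi
echo "partition to luksFormat: $(new_nodes "$PLUGGED" "$PARTED")"
```

If the first check prints more than one base device, or the last one prints anything other than a single partition, stop and re-check the listing from step 2 before running dd or luksFormat.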

Next up, we'll do a few post-install customizations to Kali.