Article Index

Today, we will go over creating a bootable USB with Kali, and an encrypted persitence that is also nukable. What this means, is that the USB itself will be bootable, but all the data will be encrypted. The encryption will not only have a decryption password, but it will also have a Nuke password; put in the Nuke password, and even the correct password will not be able to decrypt it. Read on for the complete how-to.

Before anyone starts griping about the fact that Kali has these steps available, they do. Thing is, there is no COMPLETE, start-to-finish document or page or anything... You have to peice it together from a few diffrerent places. My goal here is to have a COMPLETE, start-to-finish document, all in one spot. So here goes.

This is all being done on a basic Debian Linux host (CrunchBangPlusPlus if you're that curious).

UPDATE Jan. 26 2017: I am using Linux Mint 18 XFCE; it has Kali's cryptsetup and luksAddNuke, so this can all be done an that host.

Before starting, ensure you have the following:

  • Kali Linux ISO file (available here)
    • These steps have been personally verified to work with (though it should work for all others):
      • kali-linux-2.0-amd64.iso
      • kali-linux-2016.2-amd64.iso
      • kali-linux-xfce-2016.2-amd64.iso
  • USB Drive at least 8GB in size (theoretically I suppose you MIGHT be able to get away with 4GB, but if it works, it would leave you with essentially no storage room)

Now, on to the good stuff:

  1. We will need to run everything as root, so change to the root user:
    • sudo su -
  2. Before plugging in your USB, open a terminal and run the following command:
    • watch -d -n 1 ls -al /dev/sd*
    • This will start with showing your EXISTING storage devices.
    • Leave this terminal running, we will reference it later on
  3. Plug in your USB, you will see the output in the terminal change: you will see a/some new storage devices. Be sure to note what the new one is, you don't need to worry about the individual partitions (if there are any), just the base device.
    • So, for example, let us say you plug in your USB, you get more than 1 new device:
    • In this example, we only need to worry about /dev/sdb, we don't need to worry about the sdb1-2-3-etc...
  4. Next in a new terminal, image the ISO on to the USB:
    • dd if=kali.iso of=/dev/sdb bs=64M
      • This is a basic dd command, no progress indication. Personally, I don't like just sitting there, waiting on the command to complete, not knowing whether or not progrerss is actually being made. So I run the following command instead:
    • pv -tpreb kali.iso | dd of=/dev/sdb bs=64M
      • As mentioned in a previous article, this will give us a nice progress bar, time elapsed, ETA, and a few other details.
  5. Enter the followinfg commands to create a new partition on the USB:
    • end=8gb
      • If your USB is larger (or smaller) than 8gb, use that total, upper size here.
      • For a 32gb device, use 30gb
    • read start _ < <(du -bcm kali.iso | tail -1); echo $start
    • parted /dev/sdb mkpart primary $start $end
      • You will likely get a warning about "You requested a partition from..." and "The closest we can magae is...". You want to accept this.
      • You will also likely get another warning:
        • Warning: The resulting partition is not properly aligned for best performance.
        • You can just Ignore this as well
  6. Next, we will make this new partition encrypted:
    • cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
    • Note the sdb3. Assuming your device was sdb all along, it SHOULD be sdb3. Verify against the first terminal we got going in Step 2
    • Here is where you will be asked for your decryption password.
  7. Open the encrypted partition so we can make it our persistence partition for Kali:
    • cryptsetup luksOpen /dev/sdb3 my_usb
    • You will be asked for your decryption password again
  8. Format the encrypted partition to ext3 filesystem, and label it "persistence"
    • mkfs.ext3 -L persistence /dev/mapper/my_usb
      • Note: This will likely be THE longest command to run in creating the USB. This is a nice time to grab a coffee, or other beverage of choice.
        • A 32gb USB3 took a little under 7.5 minutes
    • e2label /dev/mapper/my_usb persistence
  9. Create a mount point, mount our new encrypted partition there, set up the persistence.conf file, and unmount the partition.
    • mkdir -p /mnt/my_usb
    • mount /dev/mapper/my_usb /mnt/my_usb
    • echo "/ union" > /mnt/my_usb/persistence.conf
    • umount /dev/mapper/my_usb
  10. Close the encrypted partition:
    • cryptsetup luksClose /dev/mapper/my_usb
  11. At this point, you have a bootable Kali USB with an encrypted data partition. For the next part, adding the Nuke password, you will need to do this from a device that has Kali's LUKS Nuke Patch. This can be done by the following:
    • Install the Kali Tools as described in an earlier article
    • Boot the Kali USB, and use Kali to do this
      • Myself, since I have installed the Kali tools on my regular Linux machine, I can just carry on from here.
    • Either way, run the following command:
    • cryptsetup luksAddNuke /dev/sdb3
  12. First, you will be asked for the EXISTING password, enter that. After this, you will now be asked for the Nuke password. I suggest using something much simpler (and maybe a little more obvious) than your "real" password. In this event, should someone try brute-forcing your password, they are more like to use the "obvious" nuke password (and nuke the passwords), and afterwards, even IF they use the actual password, it still won't decrypt. Another possibility (which I always imagine in my mind), is that if someone were to ever take the USB key, and try to force the password out of me, I can just give them the nuke password. Once the password's been nuked, even if I'm tortured and really DO give up the actual password, it's too late, the decryption password has been nuked.
    • You can backup the LUKS encryption header, and use this to later RESTORE the encyption keys. Kali has more details here.
  13. You are DONE!

Next up, we'll do a few post-install customizations to Kali.

For these next parts, we will first need to boot from the USB and get Kali loaded up. If you are using a USB 2.0 device, you will note that it is likely a little bit slower to load than what you are used to (especially if you have a Solid State HDD lilke I do). This is also all personalizations, that can (and hopefully will) differ from user to user, so if there's something down here you don't want, skip over it, if there's something else you want, add it in. Once it's all up and running, open a terminal window, and we'll start the post-"install" work.

  1. For starters, we need to mnake sure everything is up to date:
    • apt-get update
    • apt-get upgrade
      • Be warned: this WILL take a LONG time. Be sure that this can complete without being interrupted. Plug in your laptop if you are using one. Give it overnight if need be.
      • Due to the limited I/O of USB, the lock screen may seem to be 'frozen' or VERY slow to respond; this is because it is already SUPER busy with the updates. Be patient with the lock screen while the update is going on.
  2. Next, change the root password:
    • passwd
      • Hopefully the encryption password you chose is rather complex. There is nothing REQUIRING that you use the same password here. In fact, I would suggest using a simpler, shorter password here. In the end, if someone else can get to this prompt, you have bigger problems with the fact that your drive was decrypted.
      • I would strongly DIScourage you from using the NUKE password here, if for no other reason there is a greater possibility that you MIGHT enter the NUKE password instead of the decryption password (password confusion). Then again, if you intentionally use the same ones you have a plausible reason for giving the 'wrong' password... Either way, your choice, just be sure to remember it.
    • Now, this password change will only last until the next reboot. The makers of Kali have put in an init script that resets the root password to 'toor' (default). You can run the following command to comment out that command, and keep your new password:
      • sed -i '/usermod/s/^/#/' /lib/live/config/0031-root-password
  3. Remove the original Keyring to reset that password as well:
    • mv /root/.local/share/keyrings/login.keyring /root/.local/share/keyrings/login.keyring.original
  4. Have NUM-Lock turned on after boot:
    • gedit /etc/kbd/config
    • uncomment the line:
    • #LEDS=+num
  5. Add VPN Connectivity options to NetworkManager: (not neceswsary for version 2016.2)
    • apt-get install network-manager-openvpn network-manager-openvpn-gnome network-manager-pptp network-manager-pptp-gnome network-manager-vpnc network-manager-vpnc-gnome
  6. Install alacarte to edit the Menu:
    • apt-get install alacarte
  7. Install Youtube downloader:
    • pip install youtube-dl
  8. Download the TOR Browser bundle from here:
  9. Edit the file "start-tor-browser.sh"
  10. Look for the following lines:
    • if [ "'id -u'" -eq 0 ]; then
       complain "The Tor Browser Bundle should not be run as root. Exiting."
       exit 1
    • And comment them out:
      • #if [ "'id -u'" -eq 0 ]; then
        # complain "The Tor Browser Bundle should not be run as root. Exiting."
        # exit 1
  11. Install the Latest VirtualBox
  12. Install Pidgin IM with the OTR plugin:
    • apt-get install pidgin pidgin-otr
  13. Install xChat IRC Client:
    • apt-get install xchat
  14. Make VLC run-able by the root user:
    • cp /usr/bin/vlc /usr/bin/vlc-backup
      needle=$(objdump -d /usr/bin/vlc | grep euid | tail -1 | awk '{print "\\x"$2"\\x"$3"\\x"$4"\\x"$5"\\x"$6;}')
      sed -ir "s/$needle/\xb8\x01\x00\x00\x00/" /usr/bin/vlc
  15. Install Filezilla FTP Client:
    • apt-get install filezilla filezilla-common
  16. Install Audacity:
    • apt-get install audacity
  17. Install Seahorse (GnuPG frontend):
    • apt-get install seahorse
  18. Install GPA (GnuPG frontend):
    • apt-get install gpa
  19. Install gpg4usb (portable, Linux and Windows compatible):
  20. Install xfce4 (instead of gnome3):
    • apt-get install kali-defaults kali-root-login desktop-base xfce4 xfce4-places-plugin xfce4-goodies
  21. Make xfce4 default:
    • update-alternatives --config x-session-manager


This list here is likely to increase/decrease and change as time goes and I add/remove/change things as I slowly fully customize it. What about your customizations? What additional software do you add to your Kali? Let me know what additional customizations and software you add.


# Renato 2020-10-01 00:56
For hottest news you have to go to see the web and
on world-wide-web I found this web site as a finest website
for newest updates.
Reply | Reply with quote | Quote

Add comment

Security code