Nuke Your Encrypted Kali Installation WORK
As explained well By Michael Lee in his ZDNet article, when creating an encrypted LUKS container, a master key is generated at random. A passphrase is then used to encrypt the master key in turn. This process means that the passphrase is not directly coupled to the data. That is, if two sets of identical data are encrypted and the same passphrase used, the master keys remain unique to each set and cannot be swapped out. What this also means however, is that regardless of the passphrase used, if the master key is lost, recovering data is impossible. This process conveniently lends itself to being used as a nuke by deliberately wiping the keys.
Nuke your Encrypted Kali Installation
There are other ways to delete your keyslots, however the advantage of the Nuke option is it is quick, easy, and does not require you to fully login to your Kali installation. If you maintain a backup of your header, you can Nuke the keyslots whenever you feel uncomfortable. Then conduct a restoration when you feel secure.
Setting up full disk encryption with Kali is a simple process. The Kali installer includes a straightforward process for setting up encrypted partitions with LVM and LUKS. Once encrypted, the Kali operating system requires a password at boot time to allow the OS to boot and decrypt your drive, thus protecting this data in case your laptop is stolen. Managing decryption keys and partitions is done using the cryptsetup utility.
Today we are pleased to announce the immediate availability of Kali Linux 1.0.5 with a rollup of various tool additions, fixes, and upgrades, including our fix for the encrypted encrypted LVM installation issue that we documented last week. As usual, users with Kali already installed just need to run a simple update to get the latest goodness:
When encrypted LUKs containers or volumes are created a master key is then generated at random along with a pass-phrase to then further encrypt the master key. This allow a pass-phrase to not be directly coupled to the data or volume in question. If two sets of the same data were encrypted and the same pass-phrase was used the master keys they would remain unique to each set and could not be swapped. However this also means that if the master key was somehow lost or destroyed recovering the data would be impossible without the master key this is why is so essential to keep your master key backed up safely.
As you can see, we have slot 0 enabled with slots 1 to 7 unused. At this point, we will add our nuke key. Backup LUKs Header Back up LUKs header file to a safe location such as an encrypted USB drive you can use whatever backup methods you like as long as the backed up header file is backed up this will allow us to restore LUKs headers files back to their original state I will explain how you can restore your LUKs header files later on in this article.
When you install Ubuntu there's an option to encrypt the installation. I didn't select that, can I still encrypt Ubuntu? I do not want to encrypt my home folder I would like to encrypt Ubuntu as if I did select that option on the setup process. Also I recently saw that Offensive Security added the NUKE key feature to Kali's encrypted partitioning and LVM option. Can I install that on Ubuntu as well?
Using proxies is a tried and true method of obscuring your identity on the Internet. Although your traffic is not encrypted and can be sniffed, the traffic cannot be attributed to any person as the proxies use their IP addresses rather than yours. Of course, this does not prohibit your traffic being tracked by your cookies.
You can access private VPN services where you will connect to their VPN server through an encrypted tunnel and then browse the Internet with their IP address. All of your traffic appears to be from their IP address and your communication to the service is encrypted so the traffic can not be traced back to you.
Other good option, if your use linux, is to use LVM and LUKS encryption. One good feature of LUKS is the ability to backup the keystore (so it can be restored later) and nuke the on-computer keys. I store my backup heavily encrypted in the cloud and always nuke my laptop keys when traveling. When I get to destination (or more correctly, when I and my laptop get to destination) I boot my laptop with a LiveCD, download, decrypt the keys and restore the LUKS keystore. Hard drive is completely useless to anyone until the keys are restored. LUKS Nuking is clearly described on the Internet.
In January 2014, Kali Linux published an article titled How to Nuke your Encrypted Kali Installation that described how to use an old `cryptsetup` patch (from 2008 by Juergen Pabel) that would permit the user to type a special duress password when decrypting the drive on-boot. When entered, this duress password would wipe (nuke) the encrypted drive where Kali was installed.
LUKS supports using a detached header. With this configuration, your actual encrypted storage drive could be setup without any LUKS header actually stored on it--giving you total plausible deniability as your entire drive's contents would be indistinguishable from a random distribution of bits.
Using a detached LUKS header, you could in theory get a 2-32 MB USB drive to store your LUKS header on, then have BusKill just overwrite the entire drive when triggered. This is a more robust solution to ensure your master key's destruction (less error prone, even for future iterations of LUKS), and it would also be more fail-safe to recover from a false-positive: just download your (client-side encrypted) LUKS header from the cloud or a safety deposit box located in a free country, and use that to decrypt & access your data again.
Mounting the LUKS encrypted filesystem automatically has security implications. For laptop users, doing this is not a wise choice. If your device gets stolen, so is your data that was stored in the encrypted partition.
So, for example, if someone forces you to enter your password or give it to them so that they can enter it, using the special nuke password will instantly leave the entire contents of the hard drive in a permanently encrypted state.
One of the best ways to keep your data secure is by only writing data to an encrypted hard drive. On a standard drive, it's possible to view data just by mounting the drive as if it were a thumb drive, and it's even possible to display and recover even deleted data with tools like Scalpel and Testdisk. But on an encrypted drive, data is unreadable without a decryption key (usually a passphrase you enter when mounting the drive.)
Kodachi nuke is a self destructing LUKSs partition you can use it on Kodachi only if Kodachi is installed and encrypted. Simply what it does it will encrypt your Kodachi with its own keys so you will have two passwords the one you entered during Kodachi encrypted installation and the new nuke password you will have to enter after running the Nuke script. You will continue to use your first Kodachi password but once you are forced to open the system all you have to do is enter the nuke password and system will be completely destroyed ! no way to decrypt it even with your first password. So basically with nuke password you are commanding Kodachi to kill it self by destroying the encryption headers.
Hi Warith. I have a problem and do not find a solution.1. With rufus I created a usb stick with your distro on it. Under windows. Stick working fine. Boots, starts up, have working kodachi.2. After startup of kodachi I did the offline installation by that desktop button. After process was finished stick did not work and not boot. 3 more attempts the same result. Same results with the online installation.Do you have any idea, what I am doing wrong or simply missing.I would like to have a permanent installation on usb stick for my notebook.CheersJhh
Encrypted persistence is not possible for now I explained why here -Log.txt. Persistence is possible instructions are here -kodachi/. If you must have encrypted USB then install it on your USB with LVM on this is possible during the setup.
Can you set nuke system in installation process? with randome keys which system is related to with a encrypted system so no one can access those keys? It is hard to complete the manual process with modified chips (reverse engineering)
Hi Warith, your Kodachi is a great distro, I love it and I change half of the Backbox with your good script in .kbase. So, I had some problems with the installation on HD in the prevoius version ( installation forced to finish, overheating CPU, and lost apt.list on rebboot). I will try again with the 5.0. Please include Waterfox in the next release, and thanks for all.
Nice maybe you could share your changes on the scripts if you made them better. Kodachi 5.0 has problem with installation on UEFI enabled system you can only install it if you run the bios in Legacy mode.
Hi Warith, your Kodachi is a great distro, I like it but I had some problems with the HD installation on the previous release ( installation forced to finish, overheating CPU and lost apt.list on reboot). I need Kodachi in my HD, no just usb-live, so I will try to installate it again with version 5.0. Please, add Waterfox in the next release and thanks for all.
Hello, good afternoon. When some new version? By the way, when using the encrypted installation, it tells you to install cryptsetup, then, when you install it and start it, everything is correct, install it. But when the installation finishes, it gives an error in the encryption. Could you solve that? thank you very much.
See the table for special information you should know before you begin installing the operating system. If your Intel NUC model isn't listed in this table, there are no additional special instructions and you can proceed directly to the installation steps.
You will again receive a single line of base64 encoded output, which is the public key for your WireGuard Peer. Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.