penetration testers often need to travel with sensitive data stored on their laptops. Of course, they usually use full disk encryption wherever possible, including their Kali Linux machines, which tend to contain the most sensitive materials.
Setting up full disk encryption with Kali is a simple process. The Kali installer includes a straightforward process for setting up encrypted partitions with LVM and LUKS. Once encrypted, the Kali operating system requires a password at boot time to allow the OS to boot and decrypt your drive, thus protecting this data in case your laptop is stolen. Managing decryption keys and partitions is done using the cryptsetup utility.
a few days ago, they had the idea of having a "nuke" option in their Kali install. meaning that they would have a boot password that would destroy, rather than decrypt, the data on the drive.
later on they found an old cryptsetup patch by Juergen Pabel which does just that, adding a nuke password to cryptsetup, which when used, deletes all keyslots and makes the data on the drive inaccessible. They ported the patch for a recent version of cryptsetup and posted it on Github.
This feature isn't implemented in Kali yet because they wanted to gather user feedback before applying the patch
If youd like to try it our yourself, these are the build instructions.
Start by running an LVM encrypted installation in Kali and set a decryption password. Once done, download the cryptsetup package source and apply the patch to it. Proceed to build the patched package as follows:
root@kali:~# apt-get source cryptsetup
root@kali:~# git clone https://github.com/offensive-security/cryptsetup-nuke-keys
root@kali:~# cd cryptsetup-1.6.1/
root@kali:~/cryptsetup-1.6.1# patch -p1 < ../cryptsetup-nuke keys/cryptsetup_1.6.1+nuke_keys.diff
patching file lib/libcryptsetup.h
patching file lib/luks1/keymanage.c
patching file lib/setup.c
patching file src/cryptsetup.c
root@kali:~/cryptsetup-1.6.1# dpkg-buildpackage -b -uc
Once the package has built, install the cryptsetup packages to get the nuke option implemented:
root@kali:~/cryptsetup-1.6.1# ls -l ../*crypt*.deb
-rw-r--r-- 1 root root 149430 Jan 4 21:34 ../cryptsetup_1.6.1-1kali0_amd64.deb
-rw-r--r-- 1 root root 250616 Jan 4 21:34 ../cryptsetup-bin_1.6.1-1kali0_amd64.deb
-rw-r--r-- 1 root root 105226 Jan 4 21:34 ../libcryptsetup4_1.6.1-1kali0_amd64.deb
-rw-r--r-- 1 root root 49580 Jan 4 21:34 ../libcryptsetup-dev_1.6.1-1kali0_amd64.deb
root@kali:~/cryptsetup-1.6.1# dpkg -i ../libcryptsetup*.deb
root@kali:~/cryptsetup-1.6.1# dpkg -i ../cryptsetup*.deb
Now that the patched cryptsetup package has been installed, we can go ahead and add a nuke key to our setup:
root@kali:~# cryptsetup luksAddNuke /dev/sda5
Enter any existing passphrase: (existing passphrase)
Enter new passphrase for key slot: (nuke passphrase)