Securing Kali Linux for Network Security Professionals

I want to make sure my sensitive data is protected while traveling with my laptop.

First, persistence. Persistence allows us to save our changes and configurations across reboots or power cycles. This can be useful when we need to perform a long-term test on a target network without having to constantly configure the same settings every time we boot up Kali Linux.

To enable persistence, create a new file called “persistence.conf” on your USB drive and add this line:

#!/bin/bash
# This is a bash script for enabling persistence on a USB drive in Kali Linux.
# Run it from the root of the mounted persistence partition on the USB drive.

# Create a new file called "persistence.conf" on the USB drive.
touch persistence.conf

# Write the line "/ union" to the persistence.conf file.
echo "/ union" > persistence.conf

# "union" is an option, not a command: it overlays the persistence partition on the
# root file system ("/"), making changes persistent even after reboots or power cycles.

This will mount our USB drive as read-write during startup and save any changes made to the system.

Now encryption. Kali Linux provides full disk encryption (FDE) by default, but we can add an extra layer of security using a “nuke password”. This is a special password that will erase all data on our encrypted partitions if it’s entered incorrectly too many times.

To set up the nuke password, install the cryptsetup-nuke-password package and configure it:

# Install the cryptsetup-nuke-password package
sudo apt install -y cryptsetup-nuke-password

# Configure the nuke password
sudo dpkg-reconfigure cryptsetup-nuke-password

This will prompt you to enter a nuke password. Make sure this is something that’s easy for you to remember, but difficult for others to guess!

To back up our LUKS keyslots (which contain the encryption information), use the following command:

# This command backs up the LUKS header and keyslots, which contain the encryption information, for a specific device.
# The backup file is saved as "luksheader.back" and will be used to restore the LUKS keyslots if needed.

# luksHeaderBackup has no password option (in cryptsetup, "-p" means "--skip"),
# so the backup file itself is not protected by a separate password.
cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sdX3

# The "--header-backup-file" flag is used to specify the name and location of the backup file.
# The "/dev/sdX3" argument specifies the device for which the LUKS keyslots will be backed up.

# Store the backup file securely; it is encrypted with openssl in the next step.

Replace “sdX3” with your actual device name and path to the backup file. This will create a new file called “luksheader.back”.

To encrypt this backup file, use openssl:

#!/bin/bash

# This script uses openssl to encrypt a backup file of a LUKS header.

# Path to the header backup file created by luksHeaderBackup
# (adjust it if you saved the backup somewhere else).
backup_file="luksheader.back"

# Use openssl to encrypt the backup file with AES-256-CBC encryption.
# openssl prompts for a passphrase; the success message is printed
# only if the encryption actually succeeded.
openssl enc -e -aes-256-cbc -in "$backup_file" -out luksheader.back.enc \
  && echo "Backup file encrypted successfully."

This will create a new file called “luksheader.back.enc” which is encrypted using AES-256 encryption with CBC mode.

To restore our LUKS keyslots, first decrypt the backup file with the following command:

# This script uses the openssl command to decrypt a file called "luksheader.back.enc" and output it as "luksheader.back"
# The file is encrypted using AES-256 encryption with CBC mode.

# The -d flag specifies that the file should be decrypted
# The -aes-256-cbc flag specifies the encryption algorithm and mode to use
# The -in flag specifies the input file to be decrypted
# The -out flag specifies the output file to be created

openssl enc -d -aes-256-cbc -in luksheader.back.enc -out luksheader.back

This will decrypt the backup file and create a new file called “luksheader.back”.

To restore our LUKS keyslots to the encrypted partition, use:

# This script restores the LUKS keyslots to an encrypted partition by using a backup file.

# The "cryptsetup" command is used to manage encrypted devices, in this case, it is used to restore the LUKS header.
# The "luksHeaderRestore" option specifies that we want to restore the LUKS header.
# The "--header-backup-file" option specifies the location of the backup file.
# The "luksheader.back" is the name of the backup file.
# The "/dev/sdX3" is the encrypted partition where the LUKS keyslots will be restored.

cryptsetup luksHeaderRestore --header-backup-file luksheader.back /dev/sdX3

Replace “sdX3” with your actual device name and path to the backup file. This will restore our LUKS keyslots to their original state.
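
Because openssl enc with AES-256-CBC does not authenticate the ciphertext, it is worth checking the decrypted backup before running luksHeaderRestore. The following is an added example, not part of the original article: it records a SHA-256 at backup time and checks both that checksum and the LUKS magic bytes before a restore. The ".sha256" sidecar file and the function names are assumptions, and the demo data at the end is constructed.

```shell
#!/bin/sh
# Added example: pre-restore checks for a decrypted LUKS header backup.
# File names follow the article; the ".sha256" sidecar file is an assumption.

# Print the LUKS version (1 or 2) if FILE starts with the LUKS magic
# bytes "LUKS" 0xBA 0xBE followed by a big-endian 16-bit version.
luks_backup_version() {
    hex=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Run right after luksHeaderBackup, before encrypting with openssl.
record_checksum() {
    sha256sum "$1" | cut -d' ' -f1 > "$1.sha256"
}

# Run after "openssl enc -d", before luksHeaderRestore.
# Returns 0 only if the magic is valid and the checksum matches.
verify_before_restore() {
    luks_backup_version "$1" >/dev/null ||
        { echo "not a LUKS header: $1" >&2; return 1; }
    [ -f "$1.sha256" ] ||
        { echo "no recorded checksum for $1" >&2; return 1; }
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ] ||
        { echo "checksum mismatch: $1" >&2; return 1; }
}

# Demo on constructed data (not a real header): LUKS2 magic plus filler.
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\002constructed-sample' > "$demo_dir/luksheader.back"
record_checksum "$demo_dir/luksheader.back"
verify_before_restore "$demo_dir/luksheader.back" && echo "ok to restore"
rm -rf "$demo_dir"
```

Keep the ".sha256" file with the encrypted backup, and only run luksHeaderRestore when verify_before_restore returns 0.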

To avoid accidentally erasing all data on our encrypted partitions, make sure you remember your nuke password! If it’s entered incorrectly too many times, Kali Linux will automatically wipe out any sensitive information and render the system unusable.
