Exercise 3, Chapter 9 - Live USB with Multiple persistence stores and LUKS Nuke
- Create a live USB with Multiple persistence stores and LUKS Nuke password enabled.
In this section, we assume that you have prepared a Kali Live USB Key by following the instructions at Section 2.1.4, “Copying the Image on a DVD-ROM or USB Key” and that you have used a USB key big enough to hold the ISO image (roughly 3 GB) and the data of the directories that you want to persist. We also assume that the USB key is recognized by Linux as /dev/sdb and that it only contains the two partitions that are part of the default ISO image (/dev/sdb1 and /dev/sdb2). Be very careful when performing this procedure. You can easily destroy important data if you re-partition the wrong drive.
Plug your USB device into the VM (or computer) and identify the device name using dmesg or fdisk. We'll assume it's named /dev/sdb. Unmount any partitions that were automounted, then start the partitioning process:
umount /dev/sdb1
umount /dev/sdb2
parted /dev/sdb
For this demonstration, we’ll set up two persistent stores - where one is encrypted and the other isn’t.
(parted) print
Model: SanDisk Ultra USB 3.0 (scsi)
Disk /dev/sdb: 124GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      32.8kB  2794MB  2794MB  primary               boot, hidden
 2      2794MB  2794MB  721kB   primary

(parted) mkpart primary 2794 5000
(parted) mkpart primary 5000 100%
(parted) quit
Information: You may need to update /etc/fstab.
The mkpart primary 2794 5000 command creates the first new partition (the third one in total), starting at 2794MB and ending at 5000MB. We use this starting value because our Kali image only takes up 2794MB on the device. You may have to change these values depending on the size of your Kali image and USB device.
Once the two new partitions are created, we can start configuring them as persistent partitions for our Kali Linux boot environment. We start by using sdb3 for our non-encrypted store. We first format the partition, and then give it the label persistence. This label is critical: if you skip it, or misspell it, persistence won't work!
mkfs.ext3 /dev/sdb3
e2label /dev/sdb3 persistence
Then, we create a persistence.conf file which defines the folders we want persistence on. In this case, we want persistence on the whole file system:
mkdir -p /mnt/usb
mount /dev/sdb3 /mnt/usb
echo "/ union" > /mnt/usb/persistence.conf
umount /mnt/usb
Next, we configure the encrypted persistence store: we encrypt the partition using cryptsetup, open it, format and label the mapped device, check that the label is visible, and then define a persistence.conf file as before:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb4
cryptsetup luksOpen /dev/sdb4 my_usb
mkfs.ext3 /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
ls -l /dev/disk/by-label
mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb
cryptsetup luksClose /dev/mapper/my_usb
That’s it! Now we can boot the USB and choose to boot it cleanly (no persistence store), with the non-encrypted persistence store, or with the encrypted one.
To add a “self destruct” (LUKS Nuke) feature to the encrypted persistence store, we simply need to run the following command:
cryptsetup luksAddNuke /dev/sdb4
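The two values the procedure above depends on are the mkpart start offset (read off the parted listing) and the persistence.conf syntax (the label and "/ union" line). The following helper is an added example, not part of the exercise or of Kali's tooling: it derives the next free start in MB from a constructed copy of the parted output shown above and validates a persistence.conf against the live-boot line format (absolute path, then optional union, link or source= options).

```shell
#!/bin/sh
# Added example (not Kali's own tooling): compute the mkpart start value from
# `parted print` output and validate a live-boot persistence.conf.

# Constructed sample: the `parted /dev/sdb print` output shown above.
PARTED_OUTPUT='Model: SanDisk Ultra USB 3.0 (scsi)
Disk /dev/sdb: 124GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      32.8kB  2794MB  2794MB  primary               boot, hidden
 2      2794MB  2794MB  721kB   primary
'
# next_free_mb: read parted "print" output on stdin and print the largest
# partition End in whole MB (rounded up); use it as Start for the next mkpart.
next_free_mb() {
    awk '
        function mb(v,  n) {
            n = v + 0                          # awk keeps the numeric prefix
            if (v ~ /kB$/) return n / 1000
            if (v ~ /GB$/) return n * 1000
            return n                           # already MB
        }
        BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ { e = mb($3); if (e > max) max = e }
        END { printf "%d\n", (max == int(max)) ? max : int(max) + 1 }
    '
}
# check_persistence_conf FILE: succeed only if every non-comment line is
# "<absolute path> [option[,option]]" with options union, link or source=<dir>.
check_persistence_conf() {
    f=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                           # $1 = path, $2 = options
        [ $# -le 2 ] || return 1
        case "$1" in /*) ;; *) return 1 ;; esac
        if [ $# -eq 2 ]; then
            for o in $(printf '%s' "$2" | tr ',' ' '); do
                case "$o" in union|link|source=?*) ;; *) return 1 ;; esac
            done
        fi
    done < "$f"
    return 0
}
echo "next mkpart should start at $(printf '%s' "$PARTED_OUTPUT" | next_free_mb)MB"
```

Run it on the real listing with `parted /dev/sdb print | next_free_mb` once the functions are sourced, and point check_persistence_conf at the mounted store's persistence.conf before unmounting.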