Results 1 to 2 of 2

Thread: Installing Kali in steel for Macs with FDE - dual boot or encrypted USB

  1. #1
    Join Date
    2013-Oct
    Posts
    4

    Installing Kali in steel for Macs with FDE - dual boot or encrypted USB

    This walkthrough provides detailed steps for installing Kali in steel with FDE for EFI based Macs. You can use this method to either produce a dual boot system or to create a bootable encrypted USB install. Other walkthroughs on the internet provided the foundation for my post, but I have found the methods in these other sources to be somewhat unreliable and requiring significant tweaking. The major reference for my work is acknowledged in Note vi below, and kudos to 0xBADCA7 for doing the initial heavy lifting.


    1. Prepare installation destination.
    a. If doing a dual boot, decrypt OS X partition, shrink and then re-encrypt.
    b. If using a USB stick, install to that dev.
    2. Install Kali.
    a. Set up following partitions:
    i. /boot - ext2 - 10-100 MB - make sure the bootable flag is set.
    ii. /sdx-crypt - logical volume for encryption.
    b. Set up encrypted partition to be logical volume for LVM.
    c. Set up LVM partition as ext4 - mount point /. Name it root to produce a volumeName-root LVM entry.
    Note: If you have your heart set on a swap partition, harvest it from this LV.
    d. Confirm changes and follow through installer to write the system files.
    3. Install bootloader to /boot partition. It will fail, but has copied across the kernel etc. Finish the installation regardless.
    4. Mount the /boot partition, copy all files from it, reformat in gparted to FAT32, copy back the files. Make sure boot flag is set.
    5. Download the contents of the EFI folder at ftp://mirrors.kernel.org/fedora/rele...ora/x86_64/os/
    6. Copy this folder to /boot.
    7. Replace /boot/EFI/BOOT/grub.cfg with:
    Code:
    set default="0"
    
    function load_video {
      insmod efi_gop
      insmod efi_uga
      insmod video_bochs
      insmod video_cirrus
      insmod all_video
    }
    
    load_video
    insmod gzio
    insmod part_gpt
    insmod ext2
    insmod part_msdos
    set root='(hd1,gpt4)'
    insmod png
    
    set timeout=5
    ### END /etc/grub.d/00_header ###
    
    
    ### BEGIN /etc/grub.d/10_linux ###
    menuentry 'Kali' --class debian --class gnu-liux --class gnu --clas os {
    	load_video
    	insmod gzio
    	insmod part_msdos
    	insmod ext2
    	set root='(hd1,gpt4)'   
    	echo 'Loading kernel....'
    	linuxefi /vmlinuz-3.7-trunk-amd64 root=/dev/mapper/volumeName-root
    	echo 'Loading ramdisk...'
    	initrdefi /initrd.img-3.7-trunk-amd64
    	
    }
    8. Amend the roots above with the relevant (hdX,gptY) for the /boot partition, and ensure that volumeName-root reflects your volume name.
    9. Type following commands:
    Code:
    		umount /boot
    		crypsetup luksOpen /dev/sdx volumeName
    		vgchange -ay
    		mkdir /newRoot
    		mount /dev/mapper/volumeName-root /newRoot
    		mount /dev/sdxn /newRoot/boot #sdxn should be your boot partition
    		cd /newRoot
    		mount -t proc proc proc/
    		mount -t sysfs sys sys/
    		mount -o bind /dev dev/
    		chroot .
    10. Edit /etc/fstab to comment out the /dev/mapper/volumeName-root line, then change the UUID of the /boot partition to reflect the shorter UUID of the /boot partition after formatting as FAT32. You can get UUIDs by invoking blkid.
    11. Edit /etc/crypttab and change sdX_crypt to volumeName-root. Leave the rest of the line intact.
    12. Save changes and execute:
    Code:
    		update-initramfs -u
    		update-grub
    		exit
    		reboot
    13. You should get the required grub boot loader on reboot, and if you've done it right then you'll start the boot process. After a short time it will spawn an error and drop to an (initramfs) shell. At this stage, type:
    Code:
    		cryptsetup luksOpen /dev/<id of encrypted partition> volumeName
    		vgchange -ay
    		exit
    14. The boot process will then continue, and you'll come to the login screen shortly.

    Notes:
    i. You will have to type the commands in step 13 each time you boot. This is because the volumeName-root entry is commented out in /etc/fstab. If you uncomment this line, I have found that the system stalls when it tries to automatically mount the encrypted volumes and you're stuck without a bootable OS. You then have to mount the encrypted volume using another install of Kali, re-comment the line and rebuild the initial RAM disk. I suggest you accept this as a quirk of encrypted EFI booting.
    ii. This method works for both dual boot and USB drive installs on Macs.
    iii. It is possible that other errors will be thrown after manually mounting the encrypted disks on load. If this happens, just acknowledge/continue/exit out of them and the boot process should continue.
    iv. If this method doesn't work for you, try it again from scratch. EFI booting is a tricky thing, and I have verified this walkthrough as valid for both dual boots and USB installs. If it isn't working for you, it may well be a PEBCAK problem.
    v. rEFInd/rEFIt are not necessary if using OS X 10.9.
    vi. Foundation information provided at http://securetty.standard.io/post/56...isk-encryption.
    vii. I usually hang out on #vulnhub if you have questions.

  2. #2
    Join Date
    2013-Oct
    Posts
    4

    Enhanced method

    Further to the main post above, should you wish to update your installation to avoid manually unlocking volumes, follow these additional steps:

    Ensure cryptab entry references the UUID of the /dev/sdX partition which hosts the LVM encrypted partition.
    Insert following line into /etc/fstab:
    Code:
    dev/map/per/<crypted volume>-root / ext4 defaults 0 1
    Run following command:
    Code:
    echo 'CRYPTOPTS=target=<crypted volume>,source=/dev/<sdXX>,lvm=<crypted volume>-root' > /etc/initramfs-tools/conf.d/cryptroot
    Then,

    Code:
    update-initramfs -u -k all
    update-grub reboot
    Make sure you replace all the required values above in <>, and note that this will now allow you to use luksNuke on Macs.

Similar Threads

  1. Dual Mac/Kali encrypted lvm boot problems
    By lallepot in forum TroubleShooting Archive
    Replies: 0
    Last Post: 2017-08-11, 23:11
  2. Dual Boot Ubuntu Encrypted, Kali Encrypted
    By BrandonEckert in forum Installing Archive
    Replies: 1
    Last Post: 2015-10-24, 05:11
  3. Installing Kali on an encrypted partition (dual boot with Arch)
    By DarkPassenger in forum Installing Archive
    Replies: 0
    Last Post: 2015-04-18, 14:29
  4. Getting dual boot Kali on fully encrypted disk
    By forumkali@yopmail.com in forum Installing Archive
    Replies: 0
    Last Post: 2014-09-08, 19:28

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •