Thread: Kali 2.0 on a Raspberry Pi 2 with Disk Encryption not working

  1. #1
    Join Date
    2015-Jan
    Posts
    15

    Kali 2.0 on a Raspberry Pi 2 with Disk Encryption not working

    I used to run the former Kali image (kali-1.1.1-rpi2) on an RPi2 with disk encryption, which I installed according to the tutorial at
    https://www.offensive-security.com/k...sk-encryption/
    Everything has always worked well, also when updating to the most recent versions.

    Now I have installed Kali 2.0 on the RPi SD card, but when I start the SSH session, instead of being prompted to enter the passphrase to unlock the disk, I get the following error:
    /scripts/local-top/cryptroot: line 1: line 1: /lib/cryptsetup/askpass: not found
    /scripts/local-top/cryptroot: line 1: line 1: /sbin/cryptsetup: not found
    And eventually it closes the connection, adding that it could be bad settings or password.

    Askpass and cryptsetup are where they should be; maybe it is the script in cryptroot which can't find them, but honestly I wouldn't know where to start to fix this.
    Does anyone have an idea of where the problem could be and can point me in the right direction?

  2. #2
    Join Date
    2015-Jan
    Posts
    15
    I finally decided to go back to the 1.1.1 image and upgrade to 2.0 from there.
    It is now working.

  3. #3
    Join Date
    2015-Aug
    Posts
    8
    Were you ever able to get this going? I am running into the same exact thing; very bummed because I absolutely love Kali 2.0.1 on the Pi2 otherwise!
    I have what appears to be the same output as you on the screen. The Pi itself does grab an IP appropriately, echoes the "waiting 5 seconds for USB" bit, then loops the text you describe for a minute or so. When I attempt to SSH into the Pi, here is the exact output (had to enable logging to make this work; the PuTTY window closes instantly):
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.08.26 09:09:25 =~=~=~=~=~=~=~=~=~=~=~=
    Using username "root".
    Authenticating with public key "imported-openssh-key"
    Passphrase for key "imported-openssh-key":
    /scripts/local-top/cryptroot: line 1: /lib/cryptsetup/askpass: not found
    /scripts/local-top/cryptroot: line 1: /sbin/cryptsetup: not found
    cryptsetup: cryptsetup failed, bad password or options?
    /scripts/local-top/cryptroot: line 1: /lib/cryptsetup/askpass: not found
    /scripts/local-top/cryptroot: line 1: /sbin/cryptsetup: not found
    cryptsetup: cryptsetup failed, bad password or options?
    /scripts/local-top/cryptroot: line 1: /lib/cryptsetup/askpass: not found/scripts/local-top/cryptroot: line 1:
    /sbin/cryptsetup: not found
    cryptsetup: cryptsetup failed, bad password or options?

  4. #4
    Join Date
    2014-Feb
    Posts
    309
    Sounds to me like the initramfs isn't being generated correctly when it's being created. I will try to look into this, this weekend, and see what I can come up with.

  5. #5
    Join Date
    2014-Feb
    Posts
    309
    Okay, I had time to dig in - not entirely sure what's up with the changes to cryptsetup, however, what worked for me was, before running the mkinitramfs command after editing networking, also adding a file to /usr/share/initramfs-tools/conf-hooks.d/ called forcecryptsetup and the contents are just "export CRYPTSETUP=y"

    Before I left the chroot, I verified that things were where they should be with

    lsinitramfs /boot/initramfs.gz | grep cryptsetup

    And saw that the expected cryptsetup files were there.

    So the steps look something like:

    cat /etc/initramfs-tools/root/.ssh/id_rsa (and copied into my laptop user's .ssh directory as rpi_rsa) then chmod 0600 .ssh/rpi_rsa
    ssh -i .ssh/rpi_rsa root@myrpi2

    steev$ ssh -i .ssh/rpi_rsa root@192.168.11.28
    Please unlock disk /dev/mmcblk0p2 (crypt_sdcard):
    cryptsetup: crypt_sdcard set up successfully
    Connection to 192.168.11.28 closed.

    And then once it is unlocked:

    steev$ ssh root@192.168.11.28
    root@192.168.11.28's password:


    The programs included with the Kali GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.


    Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    root@kali:~#
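
The `lsinitramfs | grep cryptsetup` check from the post above, turned into a pass/fail test on the exact paths named in the error messages. This is an added example, not part of the original post; the function name and the two sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check an lsinitramfs listing for the
# files whose absence caused the "not found" loop reported above.

# check_initramfs_listing [extra/path ...]
# Reads a listing on stdin; prints ok/MISSING per path; returns 1 if any is missing.
check_initramfs_listing() {
    listing=$(sed 's#^\.\{0,1\}/##')   # normalise "./sbin/x" and "/sbin/x" to "sbin/x"
    rc=0
    for p in sbin/cryptsetup lib/cryptsetup/askpass scripts/local-top/cryptroot "$@"; do
        if printf '%s\n' "$listing" | grep -Fxq -- "$p"; then
            echo "ok       $p"
        else
            echo "MISSING  $p"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed listing: the state described in posts #1 and #3, where the
# cryptroot script is present but the binaries it calls are not.
sample_broken() {
    cat <<'EOF'
.
bin/busybox
scripts/init-premount/dropbear
scripts/local-top/cryptroot
EOF
}

# Constructed listing: the state after rebuilding with CRYPTSETUP=y.
sample_fixed() {
    sample_broken
    cat <<'EOF'
sbin/cryptsetup
lib/cryptsetup/askpass
EOF
}

# Demo on the constructed data. Inside the real chroot:
#   lsinitramfs /boot/initramfs.gz | check_initramfs_listing
sample_broken | check_initramfs_listing || echo "=> rebuild the initramfs before rebooting"
sample_fixed  | check_initramfs_listing && echo "=> cryptsetup files present"
```

Extra paths to require can be passed as arguments, for example the authorized_keys file inside the image.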

  6. #6
    Join Date
    2015-Sep
    Posts
    2
    Hi.

    I'm also running Kali 2.0.1 on the Pi 2.

    Is there any way to use disk encryption if I don't own a Linux machine but a Mac? Can I install it completely from the Pi, for instance?
    I tried to follow the tutorial from offensive security mentioned above using kali inside my VirtualBox, but that didn't work because the VB dies each time I fire some chroot commands. Maybe it's due to the lack of being able to talk to the sd card directly but only via a virtual disk image. Don't know.

    Searching the web didn't bring up valuable results -- this thread being the best of all.
    It would be great if someone could post the steps to be done or give some hints.
    Thanks
    elk

  7. #7
    Join Date
    2015-Aug
    Posts
    8
    Originally posted by steev:
    Okay, I had time to dig in - not entirely sure what's up with the changes to cryptsetup, however, what worked for me was, before running the mkinitramfs command after editing networking, also adding a file to /usr/share/initramfs-tools/conf-hooks.d/ called forcecryptsetup and the contents are just "export CRYPTSETUP=y"

    Before I left the chroot, I verified that things were where they should be with

    lsinitramfs /boot/initramfs.gz | grep cryptsetup

    And saw that the expected cryptsetup files were there.

    So the steps look something like:

    cat /etc/initramfs-tools/root/.ssh/id_rsa (and copied into my laptop user's .ssh directory as rpi_rsa) then chmod 0600 .ssh/rpi_rsa
    ssh -i .ssh/rpi_rsa root@myrpi2

    steev$ ssh -i .ssh/rpi_rsa root@192.168.11.28
    Please unlock disk /dev/mmcblk0p2 (crypt_sdcard):
    cryptsetup: crypt_sdcard set up successfully
    Connection to 192.168.11.28 closed.

    And then once it is unlocked:

    steev$ ssh root@192.168.11.28
    root@192.168.11.28's password:


    The programs included with the Kali GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.


    Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    root@kali:~#

    Thanks a lot Steev; this seems to have done the trick for me. I screwed up something with the SSH key itself, but cryptsetup isn't looping and will allow for local login. Going to try again from scratch; I think I just missed a step with the SSH key itself. PEBCAK haha. I will post a followup once I actually have it working as expected.

    Unrelated to the issue being discussed, but: Any idea how I can get initramfs / dropbear to work with eth1 in addition to / instead of eth0? I have a 4g modem that adds itself as eth1; I would love to use this instead of eth0 for the purpose of unlocking.
    If not, is it possible to have this setup fire off a reverse ssh tunnel instead? I was hoping to be able to use this setup behind a NAT without port forwarding. Either reverse SSH or 4g modem will make this work for me.

  8. #8
    Join Date
    2015-Aug
    Posts
    8
    After a few more tries (PEBCAK on my part) I was able to get this going - Kali 2.0.1 on the Raspberry Pi 2 Model B. Steev should get 100% of the credit here.
    Still hoping to figure out how to enable eth1 in addition to eth0 for unlocking via ssh (or eth1 INSTEAD of eth0 if it is not possible to do both), OR configure the pi to reverse-ssh to allow unlock behind NAT. Any input is appreciated on this!
    Unfortunately, it will be a few days before I can type up any kind of in-depth guide, but I am guessing someone out there will find my functional notes useful:


    dd if=/root/Downloads/kali-2.0.1-rpi2.img of=/dev/sdb bs=4M
    reboot
    #PAUSE FOR REBOOT
    mkdir -p /mnt/chroot/boot
    mount /dev/sdb2 /mnt/chroot/
    mount /dev/sdb1 /mnt/chroot/boot/
    mount -t proc none /mnt/chroot/proc
    mount -t sysfs none /mnt/chroot/sys
    mount -o bind /dev /mnt/chroot/dev
    mount -o bind /dev/pts /mnt/chroot/dev/pts
    cp /usr/bin/qemu-arm-static /mnt/chroot/usr/bin/
    LANG=C chroot /mnt/chroot/
    apt-get update
    apt-get install -y busybox cryptsetup dropbear htop screen
    mkinitramfs -o /boot/initramfs.gz 3.18.16-v7
    update-rc.d ssh enable
    passwd
    #ENTER NEW PASSWORD
    echo dwc_otg.fiq_fix_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 elevator=deadline root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4 rootwait > /boot/cmdline.txt
    ##If Above Command Doesn't work, try the following[based on original in pi2]:
    #echo dwc_otg.fiq_fix_enable=2 console=tty1 console=tty1 root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4 rootwait rootflags=noload > /boot/cmdline.txt
    echo initramfs initramfs.gz 0x00f00000 > /boot/config.txt
    cat /etc/initramfs-tools/root/.ssh/id_rsa
    #copy to your computer
    nano /etc/initramfs-tools/root/.ssh/authorized_keys
    #paste the following on the same line as the key. Yes there is a space between " and ssh-rsa
    command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`"
    #Add commands to /etc/fstab. Paste entire command FROM HERE:
    cat << EOF >/etc/fstab
    proc /proc proc defaults 0 0
    /dev/mmcblk0p1 /boot vfat defaults 0 2
    /dev/mapper/crypt_sdcard / ext4 defaults,noatime 0 1
    EOF
    ##TO HERE
    echo crypt_sdcard /dev/mmcblk0p2 none luks > /etc/crypttab
    nano /usr/share/initramfs-tools/scripts/init-premount/dropbear
    ##Change configure_networking & TO :
    echo "Waiting 20 seconds for USB to wake"
    sleep 20
    configure_networking &
    ####
    echo export CRYPTSETUP=y > /usr/share/initramfs-tools/conf-hooks.d/forcecryptsetup
    mkinitramfs -o /boot/initramfs.gz 3.18.16-v7
    exit
    umount /mnt/chroot/boot
    umount /mnt/chroot/sys
    umount /mnt/chroot/proc
    mkdir -p /mnt/backup
    rsync -avh /mnt/chroot/* /mnt/backup/
    umount /mnt/chroot/dev/pts
    umount /mnt/chroot/dev
    umount /mnt/chroot
    #REBOOT
    echo -e "d\n2\nw" | fdisk /dev/sdb
    echo -e "n\np\n2\n\n\nw" | fdisk /dev/sdb
    ##REBOOT - POSSIBLE ISSUE WITH ABOVE 2 COMMANDS
    cryptsetup -v -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sdb2
    cryptsetup -v luksOpen /dev/sdb2 crypt_sdcard
    mkfs.ext4 /dev/mapper/crypt_sdcard
    mkdir -p /mnt/encrypted
    mount /dev/mapper/crypt_sdcard /mnt/encrypted/
    rsync -avh /mnt/backup/* /mnt/encrypted/
    umount /mnt/encrypted/
    rm -rf /mnt/backup
    sync
    cryptsetup luksClose /dev/mapper/crypt_sdcard
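
The notes above write the same device and mapping name into three files (`/boot/cmdline.txt`, `/etc/crypttab`, `/etc/fstab`). As an added example that is not part of the original post, the following check confirms they agree before the card goes back into the Pi; the function names and the temporary sample tree are constructed, using the values from the notes.

```sh
#!/bin/sh
# Added example (not from the thread): cross-check the three files the notes
# above edit, so a typo in one does not leave the Pi unable to find its root.

# check_cryptroot_config ROOT  (ROOT is the mounted image, e.g. /mnt/chroot)
check_cryptroot_config() {
    root=$1
    rc=0
    cmdline=$(cat "$root/boot/cmdline.txt") || return 2
    # Pull cryptdevice=<device>:<name> and root=<path> out of the kernel command line.
    cryptdev=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p' | head -n 1)
    rootarg=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^root=//p' | head -n 1)
    dev=${cryptdev%%:*}
    name=${cryptdev#*:}
    if [ -z "$cryptdev" ] || [ "$dev" = "$cryptdev" ]; then
        echo "FAIL cmdline.txt: no cryptdevice=<device>:<name>"
        return 1
    fi
    if [ "$rootarg" != "/dev/mapper/$name" ]; then
        echo "FAIL cmdline.txt: root=$rootarg, expected /dev/mapper/$name"; rc=1
    fi
    # crypttab must map the same name to the same device.
    if ! awk -v n="$name" -v d="$dev" '$1 == n && $2 == d { ok = 1 } END { exit !ok }' "$root/etc/crypttab"; then
        echo "FAIL crypttab: no entry for $name on $dev"; rc=1
    fi
    # fstab must mount / from the mapped device, not from the raw partition.
    if ! awk -v m="/dev/mapper/$name" '$1 == m && $2 == "/" { ok = 1 } END { exit !ok }' "$root/etc/fstab"; then
        echo "FAIL fstab: / is not mounted from /dev/mapper/$name"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK   $dev -> $name agrees in cmdline.txt, crypttab and fstab"
    return "$rc"
}

# make_sample_tree FSTAB_ROOT_DEVICE: builds a constructed image tree in a
# temp dir using the values from the notes above and prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/boot" "$t/etc"
    echo "console=tty1 root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4 rootwait" > "$t/boot/cmdline.txt"
    echo "crypt_sdcard /dev/mmcblk0p2 none luks" > "$t/etc/crypttab"
    printf '%s\n' "proc /proc proc defaults 0 0" \
        "/dev/mmcblk0p1 /boot vfat defaults 0 2" \
        "$1 / ext4 defaults,noatime 0 1" > "$t/etc/fstab"
    echo "$t"
}

# Demo: a consistent tree, then one whose fstab still points at the raw partition.
good=$(make_sample_tree /dev/mapper/crypt_sdcard); check_cryptroot_config "$good"
bad=$(make_sample_tree /dev/mmcblk0p2);            check_cryptroot_config "$bad" || true
rm -rf "$good" "$bad"
```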



  9. #9
    Join Date
    2014-Feb
    Posts
    309
    You'd most likely need to look into the dropbear settings in the initramfs (before creating the initramfs that is!) and change it so that it listens on all addresses (iirc, dropbear needs to just have the port listed to listen on all addresses) - but how exactly would you find out its IP address if it's a 3G/4G modem? It doesn't, afaik, get a static IP address.

  10. #10
    Join Date
    2015-Aug
    Posts
    8
    Hey Steev,
    The 4g modem (a Freedompop Ubee Stick PXU1964) grabs DHCP from the ISP, however that DHCP address has remained the same for the 2 years I have had the modem allowing me to treat it as a static. Limited coverage (only works within Sprint's 4g coverage), but they happen to cover the bulk of the town I live in.
    Ideally this would allow for initramfs to use EITHER eth1 or eth0, but it looks like that may be challenging or impossible. Instead I am going to take a stab at modifying /etc/initramfs-tools/initramfs.conf to have "DEVICE=eth1" instead of "DEVICE=eth0" prior to the second/final mkinitramfs command (based loosely on this: https://bugs.debian.org/cgi-bin/bugr...cgi?bug=627883 ). If that doesn't do the trick, I may try modifying /usr/share/initramfs-tools/hooks/udev/rules.d/70-persistent-net.rules prior to the second/final mkinitramfs to swap the interface naming, making my 4g card eth0 and integrated NIC eth1.
    I'll report back later with results!
    -Amars

  11. #11
    Join Date
    2015-Aug
    Posts
    8
    Alright, I managed to get this working for a single interface. Once booted on the Pi, I installed lshw to help me identify the missing piece of hardware:
    apt-get install -y lshw
    lshw -C Network

    This output the specific information I needed regarding the missing module:
    *-network:0
    description: Ethernet interface
    physical id: 2
    logical name: eth0
    serial: XX.XX.XX.XX.XX
    size: 100Mbit/s
    capacity: 100Mbit/s
    capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
    configuration: autonegotiation=on broadcast=yes driver=smsc95xx driverversion=22-Aug-2005 duplex=full firmware=smsc95xx USB 2.0 Ethernet ip=192.168.201.61 link=yes multicast=yes port=MII speed=100Mbit/s
    *-network:1
    description: Ethernet interface
    physical id: 3
    logical name: eth1
    serial: XX.XX.XX.XX.XX.XX
    capabilities: ethernet physical
    configuration: broadcast=yes driver=cdc_ether driverversion=22-Aug-2005 firmware=CDC Ethernet Device ip=XXX.XXX.XXX.XXX link=yes multicast=yes

    I then edited /etc/initramfs-tools/modules to include cdc_ether
    echo cdc_ether >> /etc/initramfs-tools/modules
    It is worth mentioning that on my Pi, the module cdc_ether doesn't finish loading for 22-24 seconds after boot. I extended the USB wait (described as 5 seconds in the official guide, or listed as 20 seconds in my notes above) to avoid the interface not being initialized prior to dropbear loading. I went with 60 seconds since I am never really in a hurry for this thing to come up.
    Last but not least, I modified /etc/initramfs-tools/initramfs.conf to change "DEVICE=" to "DEVICE=eth1". There is a chance this step isn't necessary; I don't have FreedomPop / Sprint 4g coverage at my work so I'll have to try again from home this evening and report back. My hope is if this is left blank, it will allow the Pi to use either interface.
    Last but not least, I rebuilt the initramfs:
    mkinitramfs -o /boot/initramfs.gz 3.18.16-v7
    It does appear the same methodology could be used to enable a WLAN interface for unlocking via SSH, but I don't intend to tinker with this since I don't have a need / use.
    Last edited by amars; 2015-09-10 at 19:32.

  12. #12
    Join Date
    2015-Aug
    Posts
    8
    Sorry to bring a dead thread back to life, but I figured it was still the most suitable place for this: I am attempting to adapt this for the Pi2 / Kali 2.1, and am running into an issue with the mkinitramfs step. Results pasted below. I'll admit I haven't looked into this much yet, but am hoping someone else out there has already done the legwork!


    mkinitramfs -o /boot/initramfs.gz 3.18.16-v7
    cryptsetup: WARNING: failed to detect canonical device of /dev/mmcblk0p2
    cryptsetup: WARNING: could not determine root device from /etc/fstab
    dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via ssh won't work!
    Wide character (U+20AC) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 49.
    Wide character (U+160) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 51.
    Wide character (U+161) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 53.
    Wide character (U+17D) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 65.
    Wide character (U+17E) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 69.
    Wide character (U+152) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 73.
    Wide character (U+153) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 74.
    Wide character (U+178) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 75.
    Unsupported ioctl: cmd=0x5331

  13. #13
    Join Date
    2013-Mar
    Location
    montreal
    Posts
    2
    Replace the /dev/blabla with the UUID in /etc/fstab.
    You can find the UUID by typing blkid.

    Then
    make an SSH key, rename the public key to authorized_keys and copy it to /etc/dropper/initramfs
    Last edited by soroush731; 2016-05-07 at 02:32.

  14. #14
    Join Date
    2016-Jul
    Posts
    3
    Hey, amars!

    Did you figure out what was wrong with that?
    I'm going through the same thing here:

    Linux kali 4.1.19-v7 #1 SMP Tue Mar 15 15:10:00 CDT 2016 armv7l GNU/Linux

    My SSH key is also not generated in that directory.

    Originally posted by amars:
    Sorry to bring a dead thread back to life, but I figured it was still the most suitable place for this: I am attempting to adapt this for the Pi2 / Kali 2.1, and am running into an issue with the mkinitramfs step. Results pasted below. I'll admit I haven't looked into this much yet, but am hoping someone else out there has already done the legwork!


    mkinitramfs -o /boot/initramfs.gz 3.18.16-v7
    cryptsetup: WARNING: failed to detect canonical device of /dev/mmcblk0p2
    cryptsetup: WARNING: could not determine root device from /etc/fstab
    dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via ssh won't work!
    Wide character (U+20AC) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 49.
    Wide character (U+160) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 51.
    Wide character (U+161) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 53.
    Wide character (U+17D) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 65.
    Wide character (U+17E) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 69.
    Wide character (U+152) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 73.
    Wide character (U+153) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 74.
    Wide character (U+178) in pattern match (m//) at /usr/bin/ckbcomp line 3295, <ACM> line 75.
    Unsupported ioctl: cmd=0x5331

  15. #15
    Join Date
    2016-Jul
    Posts
    3

    Question /etc/fstab entries

    Sir, could you please elaborate on the "dev/blabla" bit?

    The entries on my /etc/fstab are as follows:

    Code:
    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    proc /proc proc nodev,noexec,nosuid 0  0
    /dev/mmcblk0p2  / ext4 errors=remount-ro 0 1
    # Change this if you add a swap partition or file
    /dev/mmcblk0p3 none swap sw 0 0 
    /dev/mmcblk0p1 /boot vfat auto 0 0
    I'm facing the same issues present in Amar's last message.

    Originally posted by soroush731:
    Replace the /dev/blabla with the UUID in /etc/fstab.
    You can find the UUID by typing blkid.

    Then
    make an SSH key, rename the public key to authorized_keys and copy it to /etc/dropper/initramfs

  16. #16
    Join Date
    2014-Feb
    Posts
    309
    What was meant by /dev/blabla is, in your example,

    run
    Code:
    blkid /dev/mmcblk0p2
    Then replace /dev/mmcblk0p2 in /etc/fstab with
    UUID=<UUID-OUTPUT-FROM-ABOVE COMMAND>
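
The substitution described above, applied to every entry of an fstab at once from saved `blkid` output. This is an added example, not part of the original post; it goes beyond the single device in the post by handling all listed devices, and the function name and the UUIDs in the sample are constructed (the sample fstab is the one from post #15).

```sh
#!/bin/sh
# Added example (not from the thread): rewrite /dev/... entries in an fstab to
# UUID=... using saved blkid output. Devices blkid did not report are left alone.

# fstab_to_uuid BLKID_FILE < fstab > fstab.new
fstab_to_uuid() {
    awk '
        FILENAME == ARGV[1] {                  # first input: blkid output
            dev = $1; sub(/:$/, "", dev)
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID="/) { u = $i; gsub(/^UUID="|"$/, "", u); uuid[dev] = u }
            next
        }
        /^[ \t]*#/ || NF == 0 { print; next }  # keep comments and blank lines
        ($1 in uuid) { sub(/[^ \t]+/, "UUID=" uuid[$1]) }
        { print }
    ' "$1" -
}

sample_blkid() {   # constructed blkid output; the UUIDs are made up
    cat <<'EOF'
/dev/mmcblk0p1: SEC_TYPE="msdos" UUID="1A2B-3C4D" TYPE="vfat"
/dev/mmcblk0p2: UUID="0f3c9a5e-1111-2222-3333-444455556666" TYPE="ext4"
EOF
}

sample_fstab() {   # the fstab posted in #15
    cat <<'EOF'
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc /proc proc nodev,noexec,nosuid 0  0
/dev/mmcblk0p2  / ext4 errors=remount-ro 0 1
# Change this if you add a swap partition or file
/dev/mmcblk0p3 none swap sw 0 0
/dev/mmcblk0p1 /boot vfat auto 0 0
EOF
}

# Demo on the constructed data. On a real system:
#   blkid > /tmp/blkid.out; fstab_to_uuid /tmp/blkid.out < /etc/fstab > /etc/fstab.new
tmp=$(mktemp); sample_blkid > "$tmp"
sample_fstab | fstab_to_uuid "$tmp"
rm -f "$tmp"
```

Writing to a new file and reviewing it before replacing `/etc/fstab` keeps a bad rewrite from making the system unbootable.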
