I’m following the official guide for making a Kali Live Boot USB with encrypted persistence. Everything’s gone smoothly until the last part on creating a nuke password. When running sudo dpkg-reconfigure cryptsetup-nuke-password, instead of seeing
I: update-initramfs is disabled (live system is running on read-only media).
and when rebooting, the nuke password doesn’t do anything, and my normal LUKS password still works.
Do I need to run dpkg-reconfigure cryptsetup-nuke-password from an installed version of Kali? Or will any other installed distro do? And since there aren’t any parameters to that command, will the setup menu ask for the path to the USB I want to apply the nuke to? Don’t want the nuke on my daily driver!
In the guide for another distro, I found an explanation of why a LUKS nuke isn’t possible for a live usb. I assume it’s the same case with Kali, but then why is that section on the kali.org page for “Adding Encrypted Persistence to a Kali Linux Live USB Drive”? And it’s been there forever: there’s a 5-year-old r/kalilinux thread with the exact same question that didn’t get resolved.
Because you CAN set up a LUKS encrypted persistence partition, just NOT FROM A LIVE USB YOU BOOTED FROM
i.e. when I first create the USB Drive I create the ISO image AND the persistence image BEFORE I use the same to boot the computer.
Once it is used to boot a system, it is now ‘mounted’ and cannot be changed whilst in that state.
Anyway, most people want a system they can boot from and update etc. as if it were any other installed OS, so the easiest way to achieve this is to have 2 separate USB drives: one you put a Live Kali ISO on and boot from; the other you can either create as a USB as per the guide, or you can simply install Kali on it as if it were any other hard drive. If you go this route, don’t forget to make sure that the GRUB bootloader is also installed on that USB drive; then it will be both bootable and easily updatable.
Now your USB drive is ready to plug in and reboot into Live USB Encrypted Persistence mode.
kali@kali:~$ reboot
Then, there is a picture of GRUB with the option “Live system with USB Encrypted persistence” highlighted.
So it’s clear the guide is wrong. As you suggested, you can install Kali to a separate USB, with another one for encrypted persistence, and I’m sure setting up the nuke password in that case is simple.
But I’m still wondering whether it’s possible for a Kali Live Boot environment. Even if you boot from a different Linux system, dpkg-reconfigure cryptsetup-nuke-password never asks where you want the nuke applied. So what happens if you’re already running installed Linux with FDE, and want to put the nuke on the USB?
Even when you set up an OS on an internal hard disk, you set up encryption etc. BEFORE you reboot into it.
The main problem with a USB with persistence is that the USB is basically a fixed ISO image of Kali, just like the Live USB (immutable), with the extra space on the USB then used for an extension partition that contains an overlay of any updates that are applied to the loaded ISO ‘in memory’, and it is only the persistence part that contains the updates.
It is, in my opinion, far easier to set up Kali directly on a USB drive, as if it were any other disk drive, i.e. a ‘Full Install’ as if on bare metal, and it is how I create a Kali OS I can carry around, and it will boot on 90% of systems as most drivers and firmware are already part of the basic install. Because this method is a normal install, it can then be updated etc. and will load faster too, as it’s not unpacking an ISO and then updating it using the overlay.
I wasn’t suggesting installing Kali on one drive, and then using another just for persistence, you can use a VM to boot a live image if you only have a single USB drive to use, and then install to that USB with all partitions needed, encrypted if you want, ‘as if it were any other drive’
Sorry, I did misunderstand. But I ended up doing exactly what you said in your clarification: I installed Kali with full disk encryption to a USB flash drive. Then, I followed the guide (intended for Kali live!) to set up a nuke password, and it worked without any problems.
For anyone seeing this that wants to try it, the only possible snag is that you might have to install grub yourself. After the installer completes, allow your computer to reboot into your new Kali USB flash drive, and check if /boot/efi/EFI/ has a BOOT folder. If not, run sudo grub-install --removable --recheck --efi-directory=/boot/efi
Honestly, it’s been a mixed bag. Yeah, the kernel can be updated, and the nuke password is possible. Maybe it does go from off to login a bit faster, but I’ve noticed a major drawback. With Kali live, I think the DE is completely loaded into RAM, so it’s pretty snappy. Installed Kali expects to be able to grab stuff from disk, as needed, which can take a while for an external USB flash drive, and Kali haaaaaaangs the first time I do things like hit the super key to open the whisker menu or access settings or open up the first console. But I am using a USB 3.0 drive, so I’ll have to free up one that’s 3.1 or 3.2 and try again.