Kali Encrypted USB Persistence

Secure, Persistent Kali Linux Live USB

A few days ago, we added an awesome new feature to Kali allowing users to set up a Live Kali USB with encrypted persistence. What this means is that you can now create a bootable Kali USB drive allowing you to either live boot to a “clean” Kali image or alternatively, overlay it with the contents of a persistent encrypted partition, allowing you to securely save your changes on the USB drive between reboots. If you add our LUKS nuke feature into this mix together with a 32GB USB 3.0 thumb drive, you’ve got yourself a fast, versatile, and secure “Penetration Testing Travel Kit”.

New Default Kali Boot Options

From Kali 1.0.7 onwards, everything needed for encrypted Live USB persistence to work is already available in our ISO release, including an altered boot menu which now also contains two persistent boot options:

For either of these persistence options to work, we first need to image the Kali ISO to the USB device and then prepare a persistence partition, which can now also be encrypted. We’ve updated our Kali Linux documentation site to include the instructions for setting up your own Kali Linux Live USB with encrypted persistence.

Following these few simple commands, you can now secure your USB persistent data while traveling. Of course, if you’re über paranoid, you can also enable the Kali LUKS nuke feature to this persistent storage. Following the example from our Kali documentation site, our LUKS encrypted partition is located at /dev/sdb2. We can add a LUKS nuke key as follows:

[cc lang=”bash]
root@kali:~# cryptsetup luksAddNuke /dev/sdb2
Enter any existing passphrase: (the existing password)
Enter new passphrase for key slot: (the nuke password)
[/cc]

Once the nuke key is set, all the data on the encrypted persistent partition would be rendered useless should the nuke key be entered at boot time.