A Kali Linux cryptsetup patch that can “nuke” an encrypted disk

A recent article titled Emergency Self Destruction of LUKS in Kali revealed an ongoing attempt to add a “nuke” option to cryptsetup, the utility used to manage disk encryption.

The idea is very simple. But before I get to the gist of the article, here’s how setting up full disk encryption protects your data from unauthorized access. When a disk is encrypted, a passphrase is specified at setup time. That passphrase has to be entered at boot time before the OS installed on the disk can boot (properly). If the correct passphrase is not entered, your data remains where it is – encrypted and secure, safe from unauthorized access.

It’s a physical security feature that works to your advantage until you forget or misplace the encryption passphrase. Unless you have a friend or relative at a secretive government agency, you might as well throw the HDD away. This feature ranks number 1 on the list of physical security features you can use to protect sensitive data.


The “nuke” option that the developers of Kali Linux are cooking up is designed to let you specify a passphrase that will destroy saved keys thereby rendering data on the target disk inaccessible. As described in the original post (See Emergency Self Destruction of LUKS in Kali):

On any subsequent reboots, you will be asked for the LUKS decryption password each time as usual. If for whatever reason, you were to enter the nuke password, the saved keys would be purged rendering the data inaccessible.
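A simplified model of the mechanism described above, added here as an illustration and not taken from the Kali patch or from cryptsetup: a random master key encrypts the data, each keyslot wraps that key under a passphrase-derived key, and entering the nuke passphrase purges the slots. The XOR keystream cipher, the zero-byte nuke marker, and all function names and sample values are assumptions of this sketch.

```python
import hashlib, hmac, os
from copy import deepcopy

NUKE_MARKER = bytes(32)  # model's choice: what the nuke slot unwraps to

def kdf(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=32)

def xor_stream(key, data):
    # Toy stand-in for the disk cipher (SHA-256 counter keystream); not for real use.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def make_slot(passphrase, payload):
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": xor_stream(kdf(passphrase, salt), payload)}

def format_volume(passphrase, nuke_passphrase, plaintext):
    master_key = os.urandom(32)  # the only key that ever touches the data
    header = {"mk_digest": hashlib.sha256(master_key).digest(),
              "slots": [make_slot(passphrase, master_key),
                        make_slot(nuke_passphrase, NUKE_MARKER)]}
    return header, xor_stream(master_key, plaintext)

def unlock(header, ciphertext, passphrase):
    for slot in header["slots"]:
        if slot is None:
            continue
        candidate = xor_stream(kdf(passphrase, slot["salt"]), slot["wrapped"])
        if candidate == NUKE_MARKER:
            header["slots"] = [None] * len(header["slots"])  # purge every keyslot
            return None
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), header["mk_digest"]):
            return xor_stream(candidate, ciphertext)
    return None

def demo():
    header, ct = format_volume("correct horse", "constructed-nuke", b"constructed sample data")
    backup = deepcopy(header)  # header copy taken before the nuke
    before = unlock(header, ct, "correct horse")
    unlock(header, ct, "constructed-nuke")
    after = unlock(header, ct, "correct horse")
    return before, after, unlock(backup, ct, "correct horse")

if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` shows that a header copy made before the purge still unlocks the untouched ciphertext.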


But why would you want to nuke your encrypted hard disk and in the process lose your data – forever? The authors of the article and the patch did not speculate on the reason(s) one might want to “nuke” an encrypted disk, but here’s one occasion where that nuke passphrase might come in handy: Say your computer is confiscated by law enforcement authorities and you refuse to hand over the encryption passphrase. You can maintain that stance until a judge says give in or go to jail. Since I’m sure you don’t like the idea of spending time in jail and you also want to keep your data from those guys, you could, if you have one configured, give them the nuke passphrase.


I think I like the “nuke” idea and would love to see the patch in the official cryptsetup utility. If you do, let the developers know by voting in a poll set up here.

UPDATE: Kali Linux 1.0.6 has just been released. And it comes with the “nuclear option” integrated in cryptsetup. See Kali Linux 1.0.6 released. Cryptsetup has “nuclear option” integrated.


8 Responses

  1. after reading the kali linux documentation, this ‘nuke’ feature is badly implemented: https://www.kali.org/tutorials/nuke-kali-linux-luks/

    “it is possible to backup your keyslots beforehand and restore them after the fact.”

    “‘restore’ them to the machines once back in a safe location.”

    ‘nuking’ is useless if it just ‘nukes’ the password but leaves the data behind to be ‘restored’ ‘in a safe location’

  2. If your disk is confiscated, it’s already too late –
    digital forensics always works on copied data!
    There’s only one use case:
    If cops are knocking on your door, nuke it …

      1. >Even if the disk is encrypted??
        Sure – raw disc images are made for several reasons –
        one is independent expert witness

      2. Even if the disk is encrypted??

        no. the best the bad guys could do is make an image of your encrypted disk. use strong aes-plain-xts with a 512 byte sha hash. if the bad guys could read your encrypted partitions, they wouldn’t need the key.

        i think a nuke option could be bad if done wrong. if it can be shown you deliberately nuked a disk, you could still face the consequences. the nuke option needs to quietly overwrite the disk with random data or gibberish which is impossible if the image is burnt onto a dvd. perhaps 2 keys is the best option. the second key further encrypts as the data is written. if you offer a key to the bad guys and it would unencrypt 1 level and still be random data. make it so both keys have to be used to get the real data. also make it indeterminate how many keys exist. frankly, advertising a nuke option is not very wise. every forum on the internet is archived and scanned. not much of a secret.

  3. Using “authorized” instead of “unauthorized” is an obvious error, and thanks for pointing it out. It has been corrected.

    Like @Frodo said, you don’t seem to know the difference between physical and network security.

    If encryption is not a physical measure, what is it?

  4. This article is poorly written. It should read ‘unauthorized’ in “… full disk encryption protects your data from -> authorized <- access."

    Secondly, encryption is not a 'physical' security measure, which implies it's not possible by laws of nature to access the data. This is simply incorrect. Any means of encoding information that requires a key or passphrase to decode the information is protected by statistical, thus mathematical, laws that have nothing to do with the physical world.

    It is true that the information itself is converted into another format and is stored onto the drive in such a way. This does not mean that the security measure is a physical one, like an actual door lock, it rather means that it's extremely hard to interpret the data without the key.
