This short tutorial shows how to apply the Kali Linux nuke patch to LUKS cryptsetup in Linux Mint 16 and Ubuntu 13.10.
From a physical security and privacy-enhancing perspective, the nuke patch to LUKS cryptsetup is the best news from any distribution so far this year. What the nuke patch gives you, is a cryptsetup command that allows you to render an encrypted disk inaccessible.
It was published by the developers of Kali Linux, a distribution based on Debian and designed for offensive security tasks. You may read about it at A Kali Linux cryptsetup patch that can “nuke” an encrypted disk.
Though this tutorial is targeted at Linux Mint 16 and Ubuntu 13.10 installations, it can be used for any other distribution. Just make sure that all the dependencies are installed. Also, the target system must have full disk encryption configured. Otherwise, what’s the point?
All the steps in this tutorial are accomplished from the command-line, so you need to have a shell terminal open to begin.
1. Install dependencies by typing:
sudo apt-get install libgcrypt11-dev libdevmapper-dev libpopt-dev uuid-dev libtool automake autopoint debhelper xsltproc docbook-xsl dpkg-dev. Note: Without the dependencies installed, the next steps will fail.
2. Get cryptsetup source code: Since the source code for cryptsetup is what we’ll be patching (we can’t patch a binary), get a copy of it by typing
sudo apt-get source cryptsetup. After the operation has completed, there should be a directory named cryptsetup-1.4.3. Take note of that.
3. Grab the patch: After getting a copy of cryptsetup, now we need to grab the patch. That’s accomplished by typing
git clone https://github.com/offensive-security/cryptsetup-nuke-keys. There should now be a directory named cryptsetup-nuke-keys in the present directory
4. Apply the patch: To do that, cd into the cryptsetup directory –
cd cryptsetup-1.4.3, then type
patch -p1 < ../cryptsetup-nuke-keys/cryptsetup_1.4.3+nuke_keys.diff.
5. Build the packages by typing
dpkg-buildpackage -b -uc. After the build has completed (successfully), there should be two cryptsetup*.deb and two libcryptsetup*.deb packages that will have to be installed.
6. Install the packages by typing
dpkg -i ../libcryptsetup*.deb and
dpkg -i ../cryptsetup*.deb. This is what actually gets the nuke option implemented. Now if you type cryptsetup and hit enter, you should see a “luksAddNuke” command.
7. Add a nuke key to the system by typing
cryptsetup luksAddNuke /dev/sdaX. Replace “X” with the number of the encrypted partition on your setup. On a default installation of Ubuntu and Linux Mint, that number should be “5,” so the command will be
cryptsetup luksAddNuke /dev/sda5. After typing that command, you’ll be prompted to “Enter any existing passphrase.” On a default installation, the passphrase you enter is the one configured during installation. That’s the encryption passphrase. After that, you will be prompted to enter and confirm the nuke passphrase. That should do it.
Now that the nuke patch has been applied to cryptsetup, let’s see what happens when a system that has full disk encryption is booted (I used a test installation of Ubuntu 13.10 in a virtual environment for this).
The encryption passphrase must be entered correctly for the system to boot.
If that’s done, the system will boot.
But if the nuke passphrase is entered instead, the keyslots, where the encryption and nuke passphrases are stored, are wiped clean. So the system returns: cryptsetuo: cryptsetup failed, bad password or options. It is the same message the system returns if the wrong passphrase is specified. However, there’s a catch to this. If you backed up the keyslots, it is possible to restore them, and be able to boot the system using the encryption passphrase. See the tail end of How to nule your Kali Liux installation for how to do this.