Apply the nuke patch to LUKS cryptsetup in Linux Mint 16 and Ubuntu 13.10

This short tutorial shows how to apply the Kali Linux nuke patch to LUKS cryptsetup in Linux Mint 16 and Ubuntu 13.10.

From a physical security and privacy-enhancing perspective, the nuke patch to LUKS cryptsetup is the best news from any distribution so far this year. What the nuke patch gives you is a cryptsetup command that allows you to render an encrypted disk inaccessible.

It was published by the developers of Kali Linux, a distribution based on Debian and designed for offensive security tasks. You may read about it at A Kali Linux cryptsetup patch that can “nuke” an encrypted disk.

Though this tutorial is targeted at Linux Mint 16 and Ubuntu 13.10 installations, it can be used for any other distribution. Just make sure that all the dependencies are installed. Also, the target system must have full disk encryption configured. Otherwise, what’s the point?

All the steps in this tutorial are accomplished from the command-line, so you need to have a shell terminal open to begin.

1. Install dependencies by typing:
sudo apt-get install libgcrypt11-dev libdevmapper-dev libpopt-dev uuid-dev libtool automake autopoint debhelper xsltproc docbook-xsl dpkg-dev
Note: Without the dependencies installed, the next steps will fail.

2. Get cryptsetup source code: Since the source code for cryptsetup is what we’ll be patching (we can’t patch a binary), get a copy of it by typing sudo apt-get source cryptsetup. After the operation has completed, there should be a directory named cryptsetup-1.4.3. Take note of that.


3. Grab the patch: After getting a copy of cryptsetup, we now need to grab the patch. That’s accomplished by typing git clone https://github.com/offensive-security/cryptsetup-nuke-keys. There should now be a directory named cryptsetup-nuke-keys in the present directory.

4. Apply the patch: To do that, cd into the cryptsetup directory – cd cryptsetup-1.4.3, then type patch -p1 < ../cryptsetup-nuke-keys/cryptsetup_1.4.3+nuke_keys.diff.

5. Build the packages by typing dpkg-buildpackage -b -uc. After the build has completed (successfully), there should be two cryptsetup*.deb and two libcryptsetup*.deb packages that will have to be installed.

6. Install the packages by typing dpkg -i ../libcryptsetup*.deb and dpkg -i ../cryptsetup*.deb. This is what actually gets the nuke option implemented. Now if you type cryptsetup and hit enter, you should see a “luksAddNuke” command.

7. Add a nuke key to the system by typing cryptsetup luksAddNuke /dev/sdaX. Replace “X” with the number of the encrypted partition on your setup. On a default installation of Ubuntu and Linux Mint, that number should be “5,” so the command will be cryptsetup luksAddNuke /dev/sda5. After typing that command, you’ll be prompted to “Enter any existing passphrase.” On a default installation, the passphrase you enter is the one configured during installation. That’s the encryption passphrase. After that, you will be prompted to enter and confirm the nuke passphrase. That should do it.
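Steps 2 to 5 with a version check before patching, as an added example that is not part of the original tutorial or the Kali project's code. It assumes patch files in the cloned repository follow the cryptsetup_<version>+nuke_keys.diff naming seen in step 4; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: fetch, patch and build cryptsetup, refusing to patch when the
# diff does not match the source version that apt-get delivered.
# Assumption: patch files are named cryptsetup_<version>+nuke_keys.diff.

# Print the upstream version of an unpacked source dir (cryptsetup-1.4.3 -> 1.4.3).
src_version() {
    base=$(basename "$1")
    case "$base" in
        cryptsetup-[0-9]*) printf '%s\n' "${base#cryptsetup-}" ;;
        *) return 1 ;;
    esac
}

# Print the path of the diff matching the source version; fail if there is none.
pick_patch() {   # pick_patch <source-dir> <patch-repo-dir>
    ver=$(src_version "$1") || { echo "not a cryptsetup source dir: $1" >&2; return 1; }
    diff_file="$2/cryptsetup_${ver}+nuke_keys.diff"
    [ -f "$diff_file" ] || { echo "no nuke patch for cryptsetup $ver" >&2; return 2; }
    printf '%s\n' "$diff_file"
}

# Apply only if every hunk applies cleanly; a half-applied patch leaves a broken tree.
apply_patch() {  # apply_patch <source-dir> <absolute-path-to-diff>
    ( cd "$1" || exit 1
      patch -p1 --dry-run < "$2" >/dev/null || exit 3
      patch -p1 < "$2" )
}

build_patched() {
    set -e
    apt-get source cryptsetup
    [ -d cryptsetup-nuke-keys ] ||
        git clone https://github.com/offensive-security/cryptsetup-nuke-keys
    src=$(find . -maxdepth 1 -type d -name 'cryptsetup-[0-9]*' | head -n 1)
    diff_file=$(pick_patch "$src" "$PWD/cryptsetup-nuke-keys")
    apply_patch "$src" "$diff_file"
    ( cd "$src" && dpkg-buildpackage -b -uc )
}

# Nothing runs unless asked to: sh build-nuke.sh --build
if [ "${1:-}" = "--build" ]; then build_patched; fi
```

If the distribution has moved to a cryptsetup version for which no matching diff exists, the script stops before touching the source tree instead of building a partially patched package.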


Now that the nuke patch has been applied to cryptsetup, let’s see what happens when a system that has full disk encryption is booted (I used a test installation of Ubuntu 13.10 in a virtual environment for this).

The encryption passphrase must be entered correctly for the system to boot.
[Image: Encrypt disk Ubuntu]

If that’s done, the system will boot.
[Image: Decrypt encrypt disk Ubuntu 13.10]

But if the nuke passphrase is entered instead, the keyslots, where the encryption and nuke passphrases are stored, are wiped clean. So the system returns: cryptsetup: cryptsetup failed, bad password or options. It is the same message the system returns if the wrong passphrase is specified. However, there’s a catch to this. If you backed up the keyslots, it is possible to restore them and boot the system using the encryption passphrase. See the tail end of How to nuke your Kali Linux installation for how to do this.
[Image: Nuke LUKS cryptsetup encrypt disk Ubuntu]


19 Responses

  1. I get stuck at step 5. I get the following error:
    tail: cannot open ‘debian/changelog’ for reading: No such file or directory
    dpkg-buildpackage: error: tail of debian/changelog gave error exit status 1

    I don’t know whether this is because I’m missing something or because I honestly believe I don’t have a debian directory. Googling how to fix this brings up nothing of value.

      1. Hi finid, thanks, but a little more detail about how to actually do it (noob, sorry)? What do you do with that script? Save it as ..? Run when? After doing the steps above, somewhere in the middle … Maybe the article could/should be updated to reflect that since the patch worked yesterday morning, Ubuntu made updates to cryptsetup and at 8PM all the work was for nothing 🙁

        Anyway EXCELLENT article and excellent patch!

  2. Doesn’t seem to work on Debian 7 (Wheezy). Is there an update?

    /cryptsetup-1.4.3# dpkg-buildpackage -b -uc
    dpkg-buildpackage: source package cryptsetup
    dpkg-buildpackage: source version 2:1.4.3-4
    dpkg-buildpackage: source changed by Jonas Meurer
    dpkg-buildpackage: host architecture amd64
    dpkg-source --before-build cryptsetup-1.4.3
    dpkg-checkbuilddeps: Unmet build dependencies: pkg-config
    dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
    dpkg-buildpackage: warning: (Use -d flag to override.)

  3. Thanks!! I need some help though! I am running Kali and want this feature, but my disk is currently not encrypted. I found the below syntax, but this formats the drive.

    cryptsetup -c aes-xts-plain -s 512 -h sha256 -y luksFormat /dev/sda1

    What syntax can I use to encrypt the drive with the nuke password without formatting my current install?

    Thanks for any help!

    1. If the hard drive was not encrypted during installation, I don’t think you can use cryptsetup to encrypt afterwards. That, of course, means that you can’t set a nuke password.

  4. Hello, can you write a tutorial on how to apply this on Linux Mint 17? It will be great to have this feature on Mint 17 🙂

  5. Hello, I have some trouble applying this to Linux Mint 16 x64 Cinnamon

    After step 1 I apply step 2 and I get this

    sudo apt-get source cryptsetup
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done

    You must put some ‘source’ URIs in your sources.list

    What should I do next, or what is wrong?

    1. By default, Mint does not have source repository entries in its sources.list file. That’s likely the error. To get around it, add source URIs to the /etc/apt/sources.list.d/official-package-repositories.list file.

      Open the file for editing by typing sudoedit /etc/apt/sources.list.d/official-package-repositories.list. Then for every deb entry in that file, add its deb-src complement.

      Here’s an example taken from that file. The first two lines of that file begin with.

      deb http://packages.linuxmint.com petra main upstream import
      deb http://extra.linuxmint.com petra main
      

      After you edit it, it should read:

      deb http://packages.linuxmint.com petra main upstream import
      deb-src http://packages.linuxmint.com petra main upstream import
      deb http://extra.linuxmint.com petra main
      deb-src http://extra.linuxmint.com petra main
      

      Just do the same with each line.

      1. Thank you finid, that worked, but now on the build package step dpkg-buildpackage -b -uc

        It appears

        dpkg-buildpackage: source package cryptsetup
        dpkg-buildpackage: source version 2:1.4.3-4ubuntu4
        dpkg-buildpackage: source changed by Dmitrijs Ledkovs
        dpkg-buildpackage: host architecture amd64
        dpkg-source --before-build cryptsetup-1.4.3
        dpkg-checkbuilddeps: Unmet build dependencies: build-essential:native
        dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
        dpkg-buildpackage: warning: (Use -d flag to override.)

        And I can’t go to the next step

        dpkg -i ../libcryptsetup*.deb

        As i get this

        dpkg: error processing ../libcryptsetup*.deb (--install):
        cannot access archive: No such file or directory
        Errors were encountered while processing:
        ../libcryptsetup*.deb

        Can you please help me out with this too?

        1. cannot access archive: No such file or directory

          That likely indicates that you are not in the proper directory when you issued the command, or you did not include the proper number of “..“.

          Check the command again and be sure that you are executing it from the right directory.

  6. found a small error (or typo?). Patching command should of course patch the correct version. If you source cryptsetup-1.4.3 you will have to patch patch -p1 < ../cryptsetup-nuke-keys/cryptsetup_1.4.3+nuke_keys.diff

    -crzydg

  7. This could instead be set up with apt-build to ensure the nuke patch is applied to all future upgrades to cryptsetup with little effort. Script the upgrade to something like:
    #! /bin/bash
    set -e
    set -u
    pushd /usr/local/src/
    git clone https://github.com/offensive-security/cryptsetup-nuke-keys
    apt-build --patch /usr/local/src/cryptsetup-nuke-keys/cryptsetup_*+nuke_keys.diff -p1 install cryptsetup
    popd
    exit 0
