OnWorks Linux and Windows Online WorkStations

Logo

Free Hosting Online for WorkStations

< Previous | Contents | Next >

9.4.4. Using Multiple Persistence Stores‌


If you have multiple use-cases for your Kali live system, you can use multiple filesystems with dif- ferent labels and indicate on the boot command line which (set of) filesystems should be used for the persistence feature: this is done with the help of the persistence-label=label boot parameter.

Let’s assume that you are a professional pen-tester. When you work for a customer, you use an encrypted persistence partition to protect the confidentiality of your data in case the USB key is stolen or compromised. At the same time, you want to be able to showcase Kali and some pro- motional material stored in an unencrypted partition of the same USB key. Since you don’t want to manually edit the boot parameters on each boot, you want to build a custom live image with dedicated boot menu entries.

The first step is to build the custom live ISO (following section 9.3, “Building Custom Kali Live ISO Images” [page 237] and in particular section 9.3.4, “Using Hooks to Tweak the Contents of the Image” [page 239]). The main customization is to modify kali-config/common/hooks/live/ persistence-menu.binary to make it look like this (note the persistence-label parameters):


#!/bin/sh


if [ ! -d isolinux ]; then cd binary

#!/bin/sh


if [ ! -d isolinux ]; then cd binary


fi

cat >>isolinux/live.cfg <<END label live-demo

menu label ^Live USB with Demo Data linux /live/vmlinuz

initrd /live/initrd.img

append boot=live username=root hostname=kali persistence-label=demo persistence


label live-work

menu label ^Live USB with Work Data linux /live/vmlinuz

initrd /live/initrd.img

append boot=live username=root hostname=kali persistence-label=work persistence-

encryption=luks persistence


END

fi

cat >>isolinux/live.cfg <<END label live-demo

menu label ^Live USB with Demo Data linux /live/vmlinuz

initrd /live/initrd.img

append boot=live username=root hostname=kali persistence-label=demo persistence


label live-work

menu label ^Live USB with Work Data linux /live/vmlinuz

initrd /live/initrd.img

append boot=live username=root hostname=kali persistence-label=work persistence-

encryption=luks persistence


END


Next, we will build our custom ISO and copy it to the USB key. Then we will create and initialize the two partitions and files ystems that will be used for persistence. The first partition is unencrypted (labeled “demo”), and the second is encrypted (labeled “work”). Assuming /dev/sdb is our USB key and the size of our custom ISO image is 3000 MB, it would look like this:


# parted /dev/sdb mkpart primary 3000 MB 55%

# parted /dev/sdb mkpart primary 55% 100%

# mkfs.ext4 -L demo /dev/sdb3

[...]

# mount /dev/sdb3 /mnt

# echo ”/ union” >/mnt/persistence.conf

# umount /mnt

# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb4

[...]

# cryptsetup luksOpen /dev/sdb4 kali_persistence

[...]

# mkfs.ext4 -L work /dev/mapper/kali_persistence

[...]

# mount /dev/mapper/kali_persistence /mnt

# echo ”/ union” >/mnt/persistence.conf

# umount /mnt

# cryptsetup luksClose /dev/mapper/kali_persistence

# parted /dev/sdb mkpart primary 3000 MB 55%

# parted /dev/sdb mkpart primary 55% 100%

# mkfs.ext4 -L demo /dev/sdb3

[...]

# mount /dev/sdb3 /mnt

# echo ”/ union” >/mnt/persistence.conf

# umount /mnt

# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb4

[...]

# cryptsetup luksOpen /dev/sdb4 kali_persistence

[...]

# mkfs.ext4 -L work /dev/mapper/kali_persistence

[...]

# mount /dev/mapper/kali_persistence /mnt

# echo ”/ union” >/mnt/persistence.conf

# umount /mnt

# cryptsetup luksClose /dev/mapper/kali_persistence


And that’s all. You can now boot the USB key and select from the new boot menu entries as needed!


Adding a Nuke Password Kali provides a cryptsetup-nuke-password package that modifies cryptsetup’s early‌

for Extra Safety boot scripts to implement a new feature: you can set a nuke password which—when used—will destroy all keys used to manage the encrypted partition.

This can be useful when you travel a lot and need a quick way to ensure your data cannot be recovered. When booting, just type the nuke password instead of the real one and it will then be impossible for anyone (including you) to access your data.

Before using that feature, it is thus wise to make a backup copy of your encryption keys and keep them at some secure place.

You can configure a nuke password with this command (assuming that you have the package installed):

# dpkg-reconfigure cryptsetup-nuke-password


More information about this feature can be found in the following tutorial:

https://www.kali.org/tutorials/nuke-kali-linux-luks/



Top OS Cloud Computing at OnWorks: