
How to Nuke your Encrypted Kali Installation

  • 11-05-2015 01:10PM
    #1
    Closed Accounts Posts: 720 ✭✭✭


    Full article:

    https://www.kali.org/tutorials/nuke-kali-linux-luks/

    By now I am sure you're all aware that the encrypted installation of Kali Linux comes with the option of a "nuke" password which when entered destroys the LUKS header, effectively making it impossible to restore your data without a backup.

    The common argument against having a "nuke" password for an encrypted device is that the bad guys are inevitably going to make a copy of the drive as is before they ask you to enter the password and can keep bashing you with a $5 wrench until you give it up.

    The advantage though is that if you use the nuke password deliberately before the device can be seized e.g before you come to a border checkpoint, the data will be irretrievable.

    Once you're safely in your hotel room you can then use a Live CD to restore your backup of the LUKS volume header and log in as normal.

    You'll note in the article that it's recommended you protect the header itself with a password. It seems to make more sense to me also to keep it online rather than on a USB stick on your person when you're crossing borders.

    All thoughts are welcome!


Comments

  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    thisland wrote: »
    I think you have the best argument.

    Thanks!

    I don't know what kind of defence this would be against compulsory key disclosure laws like RIPA but in practice even if you gave up the password it would be no good without the header.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    Yes, if what is on your computers is important they are not going to make an appointment to seize your devices. The ECA has provisions requiring divulging of passwords. I'm not sure if it has been tested here but it could result in you being seen as interfering with a case.



    If you know your laptop is going to be seized at an airport and you bring it with you you are doing it wrong.

    Every device has the potential to be seized. There is a chance this can happen when crossing borders. You also may need the use of the device and information. Given your only viable alternative is to put ALL your sensitive data in the cloud then download it all over again once you've arrived at your destination, I think this is a good compromise.


    So not only are you bringing a laptop with sensitive information that will probably be seized, you are carrying the headers to make the destruction reversible?

    Nope, that's why I said:

    "You'll note in the article that it's recommended you protect the header itself with a password. It seems to make more sense to me also to keep it online rather than on a USB stick on your person when you're crossing borders."

    I don't mind answering questions but please read the post fully before commenting! :-)

    The data is also encrypted, which is the point of this post.

    I'd hazard a guess that if you garner such interest that this is needed, its use would be seen as spoliation of evidence.

    It may be if the device is seized and it can be proved you nuked it. Of course you could just have a laptop with a dodgy header. There's no real way to be sure without other corroborating evidence.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    There are other alternatives. You can just not travel with electronic devices or have specific "travel" devices which are sanitized.

    My comment was more about the wider use of it not just when crossing borders but in general daily life. If your use case is just crossing borders and that you feel you need to use it at every crossing save yourself the hassle and don't travel with sensitive data.

    Again, I've already touched on that point. You may need the use of the devices and doing without them altogether may not be an option. Having a wiped device is all well and fine but as I said you'd then need to store ALL your sensitive information in the cloud then download it again on the other side.

    I welcome all thoughts but please read fully before commenting or else we're just talking at cross purposes! It's a real shame as the discussion can't go any further.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    If the use case is going to be so very specific, not expanded on and you do not want to explore a slightly bigger picture or option that would fit more people than just you, the "discussion" comes down to two answers, yes it's fine, no it's not (but you don't want to explore alternatives for that answer). It's probably not a great idea to say "all thoughts welcome" because as you said of me, it kills the discussion.

    So to recap, if this is a situation only you are going to use, go for it, it's your time to kill but there are many options some better some worse but you are not really interested in those...

    I give up.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    anvilfour wrote: »
    Full article:
    The common argument against having a "nuke" password for an encrypted device is that the bad guys are inevitably going to make a copy of the drive as is before they ask you to enter the password
    There's no argument. That's what will happen.
    anvilfour wrote: »
    The advantage though is that if you use the nuke password deliberately before the device can be seized e.g before you come to a border checkpoint, the data will be irretrievable.
    How is that an advantage when you increase risk?

    Our main purpose for introducing this feature in Kali Linux is to simplify the process of securely traveling with confidential client information
    So who needs this tool? I don't get it. Could you give examples of the type of work you're involved in which would employ this as a strategy to keep your clients information confidential?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    moneymad wrote: »
    There's no argument. That's what will happen.

    ...and here we have one solution! :)
    How is that an advantage when you increase risk?

    You're not increasing the risk, you're destroying the Master key, so the data cannot be retrieved without both the header and the password. Please read the post fully.
    So who needs this tool? I don't get it. Could you give examples of the type of work you're involved in which would employ this as a strategy to keep your clients information confidential?

    Certainly David Miranda who had confidential information on his device relating to Edward Snowden could have benefited from a bricked device while travelling through Heathrow, rather than having his password extorted out of him and arguing about it in court after.

    I'm troubled you ask this though as this point is addressed in the original article I posted, to quote it:
    "Our main purpose for introducing this feature in Kali Linux is to simplify the process of securely traveling with confidential client information. While “LUKS Nuking” your drive will result in an inaccessible disk, it is possible to backup your keyslots beforehand and restore them after the fact. What this allows us to do is to “brick” our sensitive laptops before any travel, separate ourselves from the restoration keys (which we encrypt), and then “restore” them to the machines once back in a safe location. This way, if our hardware is lost or otherwise accessed midway through our travels, no one is able to restore the data on it, including ourselves.



    There are other ways to delete your keyslots, however the advantage of the Nuke option is it is quick, easy, and does not require you to fully login to your Kali installation. If you maintain a backup of your header, you can Nuke the keyslots whenever you feel uncomfortable. Then conduct a restoration when you feel secure."
    Again - please read the post (and linked article) fully before commenting, it causes me great despair not to be able to discuss the issue further with anyone due to asking questions about points which have already been raised.
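
The point made in the post above (once the key slots are erased, the passphrase alone no longer unlocks anything) is visible in the header itself. The following is an added example, not code from the thread or the Kali article; it assumes the LUKS1 on-disk layout, and the helper names and the sample headers are constructed for illustration.

```python
import struct

# LUKS1 on-disk constants (LUKS1 on-disk format specification).
LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED = 0x00AC71F3
KEY_DISABLED = 0x0000DEAD
NUM_SLOTS = 8
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid (208 bytes)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# active, iterations, salt, key-material-offset, stripes (48 bytes per slot)
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + NUM_SLOTS * SLOT.size  # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Parse the first 592 bytes of a LUKS1 device or header backup."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need at least %d bytes" % HEADER_LEN)
    fields = PHDR.unpack_from(blob, 0)
    if fields[0] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS header")
    if fields[1] != 1:
        raise ValueError("LUKS version %d is not handled here" % fields[1])
    slots = []
    for i in range(NUM_SLOTS):
        active, iters, _salt, km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        state = {KEY_ENABLED: "enabled",
                 KEY_DISABLED: "disabled"}.get(active, "corrupt")
        slots.append({"index": i, "state": state, "iterations": iters,
                      "key_material_sector": km_off, "stripes": stripes})
    return {"cipher": _text(fields[2]) + "-" + _text(fields[3]),
            "hash": _text(fields[4]), "uuid": _text(fields[10]),
            "slots": slots}


def unlock_status(header):
    """Say whether any passphrase can still unlock the volume."""
    enabled = [s["index"] for s in header["slots"] if s["state"] == "enabled"]
    if enabled:
        return "passphrase unlock possible via slot(s) %s" % enabled
    return "no enabled key slot: only a header backup can restore access"


def build_sample_header(enabled_slots):
    """Constructed test data, not a dump of any real device."""
    out = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                    4096, 64, bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(NUM_SLOTS):
        on = i in enabled_slots
        out += SLOT.pack(KEY_ENABLED if on else KEY_DISABLED,
                         2000 if on else 0, bytes(32), 8 + i * 512, 4000)
    return out


if __name__ == "__main__":
    for label, blob in (("before erase", build_sample_header({0, 1})),
                        ("after erase", build_sample_header(set()))):
        print(label + ":", unlock_status(parse_luks1_header(blob)))
```

The same parser can be pointed at a header backup file to confirm it still carries an enabled slot before the copy on the disk is erased.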


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Ok so now you've narrowed it down to the type of people who should employ this strategy.
    People who have files pertaining to national security issues.
    Your argument is use this and also keep the files online.
    I wouldn't be using your above suggestions at all. I'd keep it offline till I was sharing it with somebody else.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I like the idea of travelling with something that is temporarily useless, which I can restore to usefulness later. I cross borders quite a bit and I like to take sensitive company information with me for convenience purposes. I also trust nobody. However I don't get something.....If I'm able to restore it later somehow, can they not just make me do it at the border crossing?

    Another way to achieve this might be to have someone else encrypt the device then securely send you the password once you were safe.

    Alternatively, you could just download the data securely after travelling. The header is fast and convenient as it says.

    edit: My preference is a sanitised travel device as Bedlam suggested. This isn't always cost effective mind you.

    further edit: I do clean data before travelling though. I'm in the middle east at the moment and you can be sure that I removed all the hot pictures of your mom from my phone before travelling.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    moneymad wrote: »
    Ok so now you've narrowed it down to the type of people who should employ this strategy.
    People who have files pertaining to national security issues.
    Your argument is use this and also keep the files online.
    I wouldn't be using your above suggestions at all. I'd keep it offline till I was sharing it with somebody else.

    Actually I didn't narrow this down just now, I explained this in the first post but I did clarify what was in the article, which you could have read and saved us the trouble of me having to explain it to you again just to make sure we are on the same page.

    I want to make it clear I am not suggesting storing any sensitive files online, just an encrypted version of the header. Once again if you read the article, THEN comment this would be clear.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    One of the problems with nuking the header is you now have an inoperable computer which given some people are being asked to fully log into the computer at border crossings, being unable to do that could quite possibly see you losing the device altogether.

    This article and my suggestion was not being suggested as a defence against the device being seized. As we discussed, any device can potentially be seized and the chance of this happening increases when you cross a border. It would not be possible however to log in to the device or recover the encrypted data without both the header and a password.
    Sure, you could claim that you don't have access to the headers at which point as above they could just take you off to some room for further questioning and confiscate your laptop. Also you need to take into account that if you have an SSD the headers could potentially be recoverable thanks to over provisioning, if you are a person of real interest and they wanted into the laptop it's effort they may be willing to go to. If recovered they'd still have the issue of the password protecting the FDE, so you'd in some cases be no better off using the kali nuke method than just ensuring your laptop was shut down on border crossings and claiming you don't know the password.

    It's true if you claim that you know where the headers are and that you have removed them, you could have your device seized (again a nuke switch isn't supposed to prevent this), or you could be ordered by a court to retrieve the headers and decrypt the device.

    Your best bet in those situations would simply be to provide a password (doesn't have to be the real one) and say you don't know why it isn't logging in. An analysis of the boot partition will show there's no key slot for the encrypted partition which can easily be explained by a software error with your machine or a dodgy install. Certainly there'd be no way to prove in court beyond all reasonable doubt that you have deliberately tampered with the machine.

    It is absolutely true to say that you may not be believed and your device can be seized anyway. The good news is that as you say even if law enforcement does a very detailed forensic examination of an SSD and retrieves the entire header, you're not really any worse off than you were before unless they can prove you deliberately removed it.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
    I like the idea of travelling with something that is temporarily useless, which I can restore to usefulness later. I cross borders quite a bit and I like to take sensitive company information with me for convenience purposes. I also trust nobody. However I don't get something.....If I'm able to restore it later somehow, can they not just make me do it at the border crossing?

    Another way to achieve this might be to have someone else encrypt the device then securely send you the password once you were safe.

    Alternatively, you could just download the data securely after travelling. The header is fast and convenient as it says.

    edit: My preference is a sanitised travel device as Bedlam suggested. This isn't always cost effective mind you.

    further edit: I do clean data before travelling though. I'm in the middle east at the moment and you can be sure that I removed all the hot pictures of your mom from my phone before travelling.

    Hi Khannie,

    Thanks for your thoughts on this.

    As you say, another idea would be to have a completely sterile device (perhaps erased with DBAN?) and then download everything the other side... how long do you find this takes? Do you use tor/VPN or similar to make sure that no one can snoop on your connection as you download your stuff back onto it?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    My August colleague has suggested as an alternative to the Kali kill switch simply encrypting your device but removing the boot partition altogether so it simply looks like your laptop is filled with random data. This can plausibly be explained as you all know, as many programs designed to erase a drive will fill it with random data e.g the dd command and you can just claim it's a wiped device.

    Once again, this won't prevent your device being seized but might give you something of an edge when crossing borders.

    I would say all thoughts are welcome but should clarify that all thoughts are welcome if they are relevant to the original post and do not raise points already addressed! :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    And when I suggest this (travel laptop), I'm "not reading the post properly" :rolleyes: ZOMG!!!!111eleven please stay on topic of your original post about kali nuke :pac:

    It was clear that Khannie had read my post and was responding accordingly. You didn't.
    As for DBan, it is a waste of resources (time), if you are going to wipe a drive use the ata secure erase option, it's many times faster and will wipe sectors dban can't

    OK, I'm not the one selling a wiped device as a great idea as I'd be too concerned about the time taken as well as people snooping on my connection but it's helpful to know all the tools out there.
    For a travel laptop you could do FDE with two accounts (one "dummy", one real (themselves encrypted)). If you are forced to turn on the laptop you only ever log into the dummy account which leaves the data in your main account still encrypted. This should satisfy agents at border crossings that your computer works. If you are in a position where they are checking accounts on the computer and demanding to see those, well you have bigger problems and as I said earlier you are probably a person who should either not be travelling with sensitive information on the drive or taking a laptop at all.

    Do you mean having a hidden volume? Or did you want to have a separate account on other encrypted partitions?
    It would be good if you could expand on your threat model because frankly a lot of this just sounds like posturing. If you are 1) someone who is trying to protect themselves from a TLA they are not just going to stop at the border 2) you are not of interest to anyone in which case most of this is overkill.

    Would you like to clarify what you feel needs to be expanded on that's not covered in the original article which describes sensitive information being taken across a border?

    Again, I feel that we're talking at cross purposes simply because you haven't taken on board fully what the article is about. It says quite specifically where the Kali kill switch can and can't help you.

    Do you mean you would like some examples of what kind of information would be sensitive enough to warrant encryption?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    anvilfour wrote: »
    My August colleague has suggested as an alternative to the Kali kill switch simply encrypting your device but removing the boot partition altogether so it simply looks like your laptop is filled with random data. This can plausibly be explained as you all know, as many programs designed to erase a drive will fill it with random data e.g the dd command and you can just claim it's a wiped device.

    I had /boot, grub and the decryption key on a USB key before. You could reasonably download that on the far side easily however it does leave the problem of confiscation.

    I know you say the chances of confiscation increase on crossing a border, but realistically having a non-functioning computer increases those chances dramatically. It's suspicious as hell tbh. Suspicious enough that I'd wager many border guards would tell you to fcuk off home and I wouldn't imagine any of their superiors would blame them for it.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    bedlam wrote: »

    Interesting article. I'm amazed he logged in then thought he had any vestige of control left! What's to stop them yoinking it off you there and then?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    bedlam wrote: »
    if you are going to wipe a drive use the ata secure erase option, it's many times faster and will wipe sectors dban can't

    You have to trust it though. Do you?

    edit: I did read before that a simple dd if=/dev/zero of=<your device> works very well and that this multiple writes business is really rubbish. I would welcome any thoughts on that.


  • Registered Users, Registered Users 2 Posts: 352 ✭✭kkontour


    I would have thought a bootable SD card with a Linux OS would show the device (laptop) was functioning.
    The HD would remain nuked and border control would be none the wiser. Simple, no?


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    Hey there, why does your laptop have to be able to boot at borders?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    kkontour wrote: »
    I would have thought a bootable SD card with a Linux OS would show the device (laptop) was functioning.
    The HD would remain nuked and border control would be none the wiser. Simple, no?

    Hi kkontour,

    I think you have hit upon an excellent idea.

    If you could indeed boot to a clean install of Linux on an SD card without border control noticing (for example by changing the boot order) on the laptop, then it would indeed appear to load as normal.

    Of course this wouldn't be a defence against a more detailed search but it might deflect attention away from the LUKS header on your laptop itself. Certainly it would be enough for a superficial search!


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Hey there, why does your laptop have to be able to boot at borders?

    Hi Tombstone,

    A very good question! Why not solve the problem by removing the battery after all?

    The answer is that if your electrical devices won't start up, they are more likely to be seized when traveling through US and UK:

    http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/10952671/Airport-security-you-wont-fly-to-the-US-if-your-mobile-phone-battery-is-dead.html

    http://www.dailymail.co.uk/news/article-2684723/Now-terror-checks-phones-laptops-spread-flights-Middle-East-Africa-BA-u-turns-says-WILL-able-fly-phones-not-charged.html


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
    You have to trust it though. Do you?

    edit: I did read before that a simple dd if=/dev/zero of=<your device> works very well and that this multiple writes business is really rubbish. I would welcome any thoughts on that.

    Hi Khannie,

    I agree with you that one pass of zeroes is sufficient. Indeed this seems to be the opinion of those behind The Great Zero Challenge as a number of data recovery firms declined the offer to try to recover files after they learned an HDD had been zeroed out. Of course SSDs are a different matter altogether! :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
    I had /boot, grub and the decryption key on a USB key before. You could reasonably download that on the far side easily however it does leave the problem of confiscation.

    I know you say the chances of confiscation increase on crossing a border, but realistically having a non-functioning computer increases those chances dramatically. It's suspicious as hell tbh. Suspicious enough that I'd wager many border guards would tell you to fcuk off home and I wouldn't imagine any of their superiors would blame them for it.

    Hi Khannie,

    I suppose you have to weigh up this option versus the alternatives... wouldn't an entirely blank computer raise more suspicion? Unless it was brand new I suppose... Damned expensive way to do things if you need to move sensitive info around mind you! :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Hey there, why does your laptop have to be able to boot at borders?

    Otherwise they think it's a bomb disguised as a laptop / phone.

