View Issue Details
|Fixed in Version
|0005373: Replace cryptsetup nuke passphrase with a dedicated system service
The feature described in https://www.kali.org/tutorials/nuke-kali-linux-luks/ relies on a custom C patch of cryptsetup that we are carrying and updating over time. Maintaining this patch can be very hard at times. Right now, I have spent more than a day to try to implement the feature for the luks2 format which is the new default format used by cryptsetup 2.1.0 and I'm not done yet.
To avoid this regular work, I wanted to work with upstream on this feature and get it merged. Thus I opened https://gitlab.com/cryptsetup/cryptsetup/issues/447 and I got a clear answer that this was not going to be merged in any form. But upstream also suggested that we should create some system service calling "cryptsetup luksErase" to provide the same feature. This ticket is about this idea.
I believe that this is a good idea and that we should pursue it. If the "nuke password" use case is mainly a quick & easy way to wipe everything on early boot, then we can imagine extending the initramfs with a hook that would scan the kernel command line for "cryptsetup-nuke=yes" and that would erase the luks header in that case... we could even add a new grub menu entry in the advanced menu to make it more accessible (with a "cryptsetup-nuke=ask" parameter that would require an explicit confirmation before erasing anything to avoid accidental selection of the menu entry). However we would loose the authentication brought by the nuke password since anyone with access to the machine could wipe the luks header (but I guess as soon as anyone is in a position to access the machine and reboot it, he can destroy it in many other ways).
Such a feature can be implemented in an entirely separate kali-specific package and it would be easier to maintain over time. Opinions ?
It seems that creating an advanced grub menu entry is the only practical way to do this going forward. The nuke feature, while cool, has a pretty limited use-case so I don't think it's worth the effort of you fighting with it.
I'd like not to lose this function.
So I created "cryptsetup-nuke-password" as a separate package hijacking the cryptsetup password prompt in the initramfs. That will let us switch to an unmodified cryptsetup.
See https://gitlab.com/kalilinux/packages/cryptsetup-nuke-password for details.
The new cryptsetup and the new cryptsetup-nuke-password package are both in kali-experimental. Feel free to test them.
I wonder what else needs to happen before I can move them to kali-dev... I guess we want to update https://www.kali.org/tutorials/nuke-kali-linux-luks and the sidebar in the book (cf end of https://kali.training/topic/adding-persistence-to-the-live-iso/).
Do we want to modify cryptsetup so that luksAddNuke prints an informative error message directing users to the new package ?
I updated cryptsetup 2.1.0-5kali1 in kali-experimental to print a warning:
And the package has a recommends on cryptsetup-nuke-password. cryptsetup-nuke-password is now in kali-rolling as well.
Kali Revealed book updated with commit a5fe5bd88d9e04a070ba38d40f16260799703777 and asked digip to update its online copy.
Now on the website, there are at least two articles that need to be updated to document the new cryptsetup-nuke-password feature:
The websites have been updated, the packages have been pushed to kali-rolling. Nothing left to do here.
|new => assigned
|Note Added: 0010458
|Note Added: 0010527
|Note Added: 0010695
|Note Added: 0010738
|Note Added: 0010741
|assigned => resolved
|open => fixed
|Fixed in Version
|Note Added: 0010769
|high => normal