Adding USB Persistence with LUKS Encryption

Alternatively, you can create a LUKS-encrypted persistent storage area. This adds an extra layer of security to your sensitive files when traveling with Kali Live on USB devices.

In the following example, we’ll create a new partition to store our persistent data, starting right above the second Kali Live partition and ending at 7GB, set up LUKS encryption on the new partition, put an ext3 file system onto it, and create a persistence.conf file on it.

Image the latest Kali Linux ISO (currently 2016.2) to your USB drive as described in this article.

Create the new partition in the empty space above our Kali Live partitions.

# end of the new partition (7GB, as stated above)
end=7gb

# start = size of the ISO in MB, i.e. just above the Kali Live partitions
read start _ < <(du -bcm kali-linux-2016.2-amd64.iso | tail -1); echo $start

parted /dev/sdb mkpart primary $start $end

The parted command may advise you that it can’t use the exact start value you specified; if so, accept the suggested value instead.

If advised that the partition isn’t placed at an optimal location, “ignore” it. When parted completes, the new partition should have been created at /dev/sdb3; again, this can be verified with the command “fdisk -l”.

Initialize the LUKS encryption on the newly-created partition. You’ll be warned that this will overwrite any data on the partition. When prompted whether you want to proceed, type “YES” (all upper case).

Enter your selected passphrase twice when asked to do so, and be sure to pick a passphrase you’re going to remember: if you forget it, your data will still be persistent, just irretrievable (and unusable).

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3

cryptsetup luksOpen /dev/sdb3 my_usb

Create the ext3 filesystem, and label it “persistence”.

mkfs.ext3 -L persistence /dev/mapper/my_usb

e2label /dev/mapper/my_usb persistence

Create a mount point, mount our new encrypted partition there, set up the persistence.conf file, and unmount the partition.

mkdir -p /mnt/my_usb

mount /dev/mapper/my_usb /mnt/my_usb

echo "/ union" > /mnt/my_usb/persistence.conf

umount /dev/mapper/my_usb

Close the encrypted channel to our persistence partition.

cryptsetup luksClose /dev/mapper/my_usb

That’s really all there is to it! To use the persistent data features, simply plug your USB drive into the computer you want to boot up Kali Live on — make sure your BIOS is set to boot from your USB device — and fire it up.

When the Kali Linux boot screen is displayed, choose the persistent option you set up on your USB drive, either normal or encrypted.
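
An added check, not part of the original article, to run after the steps above: it confirms that the partition carries a LUKS header, that the file system is labelled persistence, and that persistence.conf holds the "/ union" entry, which catches a file written with typographic quotes picked up when the echo command is pasted from a web page. The function names are assumptions of this example; /dev/sdb3 and my_usb are the names used above.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: post-setup checks for the
# encrypted persistence partition. Function names are this example's own.

# conf_ok FILE: succeeds only if FILE contains the "/ union" entry.
conf_ok() {
    grep -Eq '^/[[:space:]]+union[[:space:]]*$' "$1"
}

# header_is_luks PATH: a LUKS header starts with "LUKS" followed by 0xBA 0xBE.
header_is_luks() {
    [ "$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# verify_persistence [DEV] [NAME]: run as root; prompts for the passphrase.
verify_persistence() {
    local dev=${1:-/dev/sdb3} name=${2:-my_usb} mnt rc=0
    header_is_luks "$dev" || { echo "$dev: no LUKS header" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name" || return 1
    mnt=$(mktemp -d)
    # Mount read-only so the check cannot alter the persistent data.
    if mount -o ro "/dev/mapper/$name" "$mnt"; then
        [ "$(e2label "/dev/mapper/$name")" = persistence ] ||
            { echo "file system label is not 'persistence'" >&2; rc=1; }
        conf_ok "$mnt/persistence.conf" ||
            { echo "persistence.conf lacks a '/ union' entry" >&2; rc=1; }
        umount "$mnt"
    else
        echo "cannot mount /dev/mapper/$name" >&2; rc=1
    fi
    rmdir "$mnt"
    cryptsetup luksClose "$name"
    return $rc
}

# Usage, as root: verify_persistence /dev/sdb3 my_usb
```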
