The recently added LUKS nuke patch to Kali Linux’s cryptsetup package has been the subject of . This is an opportunity for us to explain the feature and to show some practical approaches that are worth learning.
LUKS Nuke In a Nutshell
Michael Lee explains that a master key is generated randomly when an encrypted LUKS container is created. The master key is encrypted using a passphrase; the passphrase itself is not linked directly to the data. This means that even when two identical sets of data are encrypted, their master keys cannot be exchanged. It also means that, no matter what passphrase was used, the data cannot be recovered if the master key is lost. Deliberately wiping out the keys can therefore be used as a nuke.
Example Use Case for LUKS Nuke
This feature was introduced in Kali Linux to make it easier for clients and employees to travel securely with their confidential information. Although “LUKS nuking” your drive makes the data inaccessible, it is possible to back up your keyslots beforehand and restore them afterwards. This allows us to “brick” sensitive laptops prior to travel, separate ourselves from the restoration keys (which we encrypt), and then “restore” the computers once they are back at their original location. If our data is stolen or accessed by someone else, nobody can restore it.
You can delete the keyslots in other ways, but the nuke option has the advantage that it is quick and easy. If you keep a backup, you can nuke your keyslots anytime you feel uneasy and restore the backup once you feel secure again.
Try It for Yourself
Let’s walk through the basics of backing up, encrypting, destroying, and then restoring the LUKS header using Kali Linux. Install Kali Linux 1.0.6 using Full Disk Encryption. After that, inspect the LUKS header as follows:
    :~# cryptsetup luksDump /dev/sda5
    LUKS header information for /dev/sda5

    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha1
    Payload offset: 4096
    MK bits:        512
    MK digest:      04 cd d0 51 bf 57 10 f5 87 08 07 d5 c8 2a 34 24 7a 89 3b db
    MK salt:        27 42 e5 a6 b2 53 7f de 00 26 d3 f8 66 fb 9e 48
                    16 a2 b0 a9 2c bb cc f6 ea 66 e6 b1 79 08 69 17
    MK iterations:  65750
    UUID:           126d0121-05e4-4f1d-94d8-bed88e8c246d

    Key Slot 0: ENABLED
        Iterations:             223775
        Salt:                   7b ee 18 9e 46 77 60 2a f6 e2 a6 13 9f 59 0a 88
                                7b b2 db 84 25 98 f3 ae 61 36 3a 7d 96 08 a4 49
        Key material offset:    8
        AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
You can see that slot 0 is enabled and slots 1 through 7 are unused. We will now add the nuke key.
    :~# apt install cryptsetup-nuke-password
    :~# dpkg-reconfigure cryptsetup-nuke-password
This did not modify the LUKS container; it simply installed the nuke password along with a hook in the initrd. The hook detects when you type your nuke password during boot and then calls “cryptsetup luksErase” on your LUKS containers at that point.
Wonderful. We now need to back up the encryption keys. You can do this easily with the “luksHeaderBackup” option.
    :~# cryptsetup luksHeaderBackup --header-backup-file luksheader.back /dev/sda5
    :~# file luksheader.back
    luksheader.back: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 126d0121-05e4-4f1d-94d8-bed88e8c246d
    :~#
In our example, we want to store the header backup in encrypted form. This could be achieved in many ways, but we’ll use openssl because it makes the process fast and simple using Kali’s default tools.
    :~# openssl enc -aes-256-cbc -salt -in luksheader.back -out luksheader.back.enc
    enter aes-256-cbc encryption password:
    Verifying - enter aes-256-cbc encryption password:
    :~# ls -lh luksheader.back*
    -r-------- 1 root root 2.0M Jan 9 13:42 luksheader.back
    -rw-r--r-- 1 root root 2.0M Jan 9 15:50 luksheader.back.enc
    :~# file luksheader.back*
    luksheader.back: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 126d0121-05e4-4f1d-94d8-bed88e8c246d
    luksheader.back.enc: data
We now have an encrypted header that is ready to be backed up. In our case, we would place this header somewhere it can be easily accessed. It could be as easy as putting the header on a USB thumb drive that is stored in a secure location. Let’s reboot and use the nuke key to see how Kali reacts.
We used the nuke key and were unable to boot into Kali. To see the actual contents of the disk, we start up a Kali CD and dump the LUKS header.
    :~# cryptsetup luksDump /dev/sda5
    LUKS header information for /dev/sda5

    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha1
    Payload offset: 4096
    MK bits:        512
    MK digest:      04 cd d0 51 bf 57 10 f5 87 08 07 d5 c8 2a 34 24 7a 89 3b db
    MK salt:        27 42 e5 a6 b2 53 7f de 00 26 d3 f8 66 fb 9e 48
                    16 a2 b0 a9 2c bb cc f6 ea 66 e6 b1 79 08 69 17
    MK iterations:  65750
    UUID:           126d0121-05e4-4f1d-94d8-bed88e8c246d

    Key Slot 0: DISABLED
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
We can clearly see that no keyslots are in use. As expected, the nuke performed as intended. To restore the header, simply retrieve the encrypted header file from your USB stick. We can then decrypt the header and perform our restore.
    :~# openssl enc -d -aes-256-cbc -in luksheader.back.enc -out luksheader.back
    enter aes-256-cbc decryption password:
    :~# cryptsetup luksHeaderRestore --header-backup-file luksheader.back /dev/sda5

    WARNING!
    ========
    Device already has LUKS header. Removing the header will cause destruction of existing keyslots.

    Are you sure? (Type uppercase yes): YES
    :~# cryptsetup luksDump /dev/sda5
    LUKS header information for /dev/sda5

    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha1
    Payload offset: 4096
    MK bits:        512
    MK digest:      04 cd d0 51 bf 57 10 f5 87 08 07 d5 c8 2a 34 24 7a 89 3b db
    MK salt:        27 42 e5 a6 b2 53 7f de 00 26 d3 f8 66 fb 9e 48
                    16 a2 b0 a9 2c bb cc f6 ea 66 e6 b1 79 08 69 17
    MK iterations:  65750
    UUID:           126d0121-05e4-4f1d-94d8-bed88e8c246d

    Key Slot 0: ENABLED
        Iterations:             223775
        Salt:                   7b ee 18 9e 46 77 60 2a f6 e2 a6 13 9f 59 0a 88
                                7b b2 db 84 25 98 f3 ae 61 36 3a 7d 96 08 a4 49
        Key material offset:    8
        AF stripes:             4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED
Your slots have been restored. We just need to reboot the computer and enter our normal LUKS password to restore it to its previous state.
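The ENABLED/DISABLED keyslot states that luksDump prints are plain fields in the LUKS1 on-disk header. The following added example, which is not part of the original post or of cryptsetup, parses that header to confirm that a backup still holds a usable keyslot for the same device before you rely on it. The function names and the zeroed sample header are constructed for illustration.

```python
import struct

# LUKS1 on-disk header: 592 bytes, every integer big-endian.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes of fixed fields
SLOT = struct.Struct(">II32sII")                    # 8 keyslots, 48 bytes each
MAGIC = b"LUKS\xba\xbe"
ENABLED, DISABLED = 0x00AC71F3, 0x0000DEAD          # keyslot state markers

def parse_luks1(blob):
    """Return the fields luksDump prints, plus the state of each keyslot."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii")
    slots = []
    for i in range(8):
        state, iters, _s, offset, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state not in (ENABLED, DISABLED):
            raise ValueError(f"keyslot {i}: unknown state {state:#x}")
        slots.append({"enabled": state == ENABLED, "iterations": iters,
                      "offset": offset, "stripes": stripes})
    return {"cipher": text(cipher), "mode": text(mode), "hash": text(hash_spec),
            "payload_offset": payload, "mk_bits": key_bytes * 8,
            "mk_iterations": mk_iter, "uuid": text(uuid), "slots": slots}

def enabled_slots(blob):
    return [i for i, s in enumerate(parse_luks1(blob)["slots"]) if s["enabled"]]

def backup_can_restore(backup_blob, device_blob):
    """True only if the backup is for this device and holds a usable keyslot."""
    backup, device = parse_luks1(backup_blob), parse_luks1(device_blob)
    return backup["uuid"] == device["uuid"] and bool(enabled_slots(backup_blob))

def build_header(slot0_state):
    """Constructed sample: field values copied from the luksDump output above,
    digest and salts zeroed (this is not a real header)."""
    head = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                     bytes(20), bytes(32), 65750,
                     b"126d0121-05e4-4f1d-94d8-bed88e8c246d")
    slot0 = SLOT.pack(slot0_state, 223775, bytes(32), 8, 4000)
    return head + slot0 + SLOT.pack(DISABLED, 0, bytes(32), 0, 4000) * 7

if __name__ == "__main__":
    before, after = build_header(ENABLED), build_header(DISABLED)
    print(enabled_slots(before), enabled_slots(after),
          backup_can_restore(before, after))
```

To run it against real data, pass the first 592 bytes of luksheader.back or of the LUKS partition (read as root) to parse_luks1.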