Encrypt Kali HD after installation?

Hi everyone, I am trying to encrypt the Kali Linux hard drive after the installation (I forgot to set that option during setup). What I have found so far indicates I need to reinstall the OS.
Is it possible to encrypt without having to reinstall Kali Linux?


Yes, it is possible. I’ve personally never tried to do it, but this post seems to detail it clearly:

1 Like

Thanks, this post seems useful. :grinning:

While trying to install dependencies I got this error.

Has anyone experienced this with Kali?

This solution for Ubuntu may work, since both are Debian-based:

1 Like

I never use Kali, only Debian or NixOS, but I always prefer to have everything encrypted: /boot, /, swap, LVM volumes, etc.

The only passphrase, randomly generated according to @roaring-lamport guidelines, is asked by GRUB at the very beginning of the boot process. This step decrypts the entire disk even before the GRUB menu. Then the kernel decrypts again, but this time without any interaction using a key file stored on /boot. Finally, for X, I use autologin.

With this strategy, security and usability are maximized. A laptop, after all, is a single-user setup.

To go in this direction, I think you will need to reinstall. For full, fast, and cheap backups that easily enable reinstallation, I moved to restic and Backblaze (B2). Currently it is operating better than the hacks needed for Dropbox, Google Drive, rclone, file sync utilities without deduplication or local encryption capabilities.

The exact conf needed to reach that in NixOS is:

$ cat ~/conf/os/conf.nix          
...
  boot.loader.grub = {
    enable = true;
    version = 2;
    enableCryptodisk = true; # ask passphrase
    extraInitrd = "/boot/initrd.keys.gz"; # key file needed for kernel decryption
    device = "/dev/nvme0n1";
  };

  boot.initrd.luks = {
    devices = [ {
      name = "root";
      preLVM = true;
      keyFile = "/keyfile.bin"; # using key file, avoiding 2nd interaction
      fallbackToPassword = true;
      device = "/dev/nvme0n1p1";
    } ];
  };
...

To configure X auto-login:

$ cat ~/conf/os/conf.nix          
...
  services.xserver = {
    enable = true;

    displayManager.auto = {
      enable = true; # avoiding third interaction
      user = "${secrets.username}"; # antiquotation is only valid inside a string
    };

    windowManager = {
      default = "i3"; # required for autologin
      i3.enable = true; # don't delete / not redundant
    };

    desktopManager.default = "none";
  };
...

The commands for appropriate formatting and encryption are:

$ cryptsetup luksDump /dev/nvme0n1p1
(only one slot used)
$ dd if=/dev/urandom of=./keyfile.bin bs=1024 count=4
$ cryptsetup luksAddKey /dev/nvme0n1p1 ./keyfile.bin
(two slots used, 0 for passphrase, 1 for keyfile)
$ cryptsetup luksDump /dev/nvme0n1p1
...
$ sudo su - 
root$ echo ./keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible | gzip -9 > /boot/initrd.keys.gz

To configure backups:

$ cat ~/conf/os/backup.nix 
{ pkgs, ... }:
{
  services.restic.backups = {
    home = {
      passwordFile = "/home/${secrets.username}/.secrets/restic";
      s3CredentialsFile = "/home/${secrets.username}/.secrets/b2";
      user = "${secrets.username}";
      paths = ["/home/${secrets.username}"];
      repository = "b2:XXXX:YYYY";
      extraOptions = ["b2.connections=25"];
      extraBackupArgs = [ "--exclude=/home/${secrets.username}/.cache"
                          "--verbose" ];
      timerConfig = {
        OnBootSec = "5m"; # backup 5 minutes after each boot
        OnUnitActiveSec = "60m"; # then, every 60min after the last one
      };
    };
  };
  # journalctl --unit restic-backups-home.service -f
}

Soon, I hope, even the formatting will be functional and as code:

https://github.com/nix-community/disko

2 Likes
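
In the setup described in the post above, `keyfile.bin` and `/boot/initrd.keys.gz` both hold a LUKS key in clear once the disk is unlocked, and `dd` and the shell redirect create them with whatever umask is in effect (commonly 022, which leaves them world-readable). The script below is an added example, not part of the original post: it creates the key file under a restrictive umask and audits ownership and mode of the key material. The script name and the `KEY_OWNER_UID` variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that LUKS key material
# (the key file and the initrd archive that embeds it) is not left readable.
# KEY_OWNER_UID is an assumed knob: the uid expected to own the files (root).
: "${KEY_OWNER_UID:=0}"

# is_private FILE: succeeds only if no group/other permission bits are set.
is_private() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU/busybox stat, octal mode
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# make_keyfile PATH: same dd call as the post, but under umask 077 in a
# subshell, so the file is created 0600 and is never briefly world-readable.
make_keyfile() (
    umask 077
    dd if=/dev/urandom of="$1" bs=1024 count=4 2>/dev/null
)

# audit_key_material FILE...: one line per file; non-zero if any is missing,
# owned by an unexpected uid, or accessible to group/other.
audit_key_material() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; bad=1
        elif [ "$(stat -c '%u' "$f")" != "$KEY_OWNER_UID" ]; then
            echo "OWNER   $f (uid $(stat -c '%u' "$f"), expected $KEY_OWNER_UID)"; bad=1
        elif ! is_private "$f"; then
            echo "EXPOSED $f (mode $mode)"; bad=1
        else
            echo "ok      $f (mode $mode)"
        fi
    done
    return $bad
}

# Usage (as root): sh audit-keys.sh ./keyfile.bin /boot/initrd.keys.gz
if [ $# -gt 0 ]; then
    audit_key_material "$@"
fi
```

A file reported as `EXPOSED` can be tightened with `chmod 600` (or `chmod 000` for the key file itself); the archive in `/boot` only needs to be readable by root and by GRUB, which does not consult file modes.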