WARNING, I’m not done with this yet.

Secure Kali Pi 2019

Posted on May 12, 2019

This tutoial is meant to assist those looking to create a full disk encryption on a small portable computer using Kali and LUKS. I attempted to use the Kali website and follow their instructions (See: https://www.kali.org/tutorials/secure-kali-pi-2018/) and a Raspberry Pi 3 B+, but there were several issues that arose from their methods. It might be because the instructions are a year old at this point, that they are incomplete, or that Raspberry Pi’s are just really difficult for this. But if you were starting from just hardware and you need to get to the point where Kali is loaded, the disk is encrypted and you can ssh into it with a Yubikey, then this is the tutorial for you.

First things first, put your Raspberry Pi aside, and buy an Atomic Pi with a baby breakout board. It’s a little bigger than the Raspberry Pi, but it’s still just $35. The Atomic Pi uses Intel instead of ARM, which is easier for Kali and LUKS, but it also has a BIOS so that you don’t have to take the SD card out and use a second system to finish the encryption. The baby break out of only $3 extra, and gives you a barrel connector for power. Otherwise, you’ll be wiring up your own power.

This tutorial will:

  1. Create a normal Kali Linux installation disk on an SD card
  2. Install Kali with encrypted LVM
  3. Set up remote SSH login
  4. Use Dropbear and Busybox to remote unlocked the LUKS encrypted disk
  5. Setup Yubikey-LUKS to use your Yubikey to unlock the encrypted disk
  6. Hack away!

Hopefully this tutorial will keep you from having to reload Kali severl dozen times on the same SD card just to get the encryption right.

First things first, go get yourself some Kali on their website. It’s important to not only download Kali but verifying the signiture on the download. The last thing you need is to download a bad version of Kali to start with. I got my version of kali for pi from offensive security: https://www.offensive-security.com/kali-linux-arm-images/ The Pi version is in the list at the bottom.

Then use the instructions for verifying your image. https://docs.kali.org/introduction/download-official-kali-linux-images

Then use the instructions for your particular system to put Kali onto your SD card: https://docs.kali.org/downloading/kali-linux-live-usb-install Which, so long as you’re on Linux or Unix is basically just…
sudo dd if=kali-linux-2019.1-rpi3-nexmon-64.img of=/dev/disk2 bs=1m
With whatever the location of your kali is as the if= and whatever your disk is as of=, but see the link for more description.

When you first boot up, make sure that your dates are correct. This was an issue for me several times. So run the command :
If your date is off, I have a good way to help you out with it. Run this command :
ntpdate ntp1.eecs.wsu.edu
It will ping the WSU.edu university time servers to update your machine. :)

Run the two most basic first things you should:
apt-get update
apt-get full-upgrade
And go get a coffee, because this will take a while.
Then make sure to reboot.

Get all the packages you will need to make this work:
apt install cryptsetup lvm2 busybox dropbear