How to install Kali Linux with full disk encryption or encrypted user’s home folder

Table of contents

1. Full disk encryption, partition encryption, encryption of individual directories and files

2. How disks and partitions are encrypted in Linux

3. Disk encryption password and user account password

4. How to install Kali Linux with full disk encryption

5. How to install Kali Linux with encrypted user's home folder

5.1 How to install Kali Linux with encrypted user's home folder (auto-partitioning)

5.2 How to install Kali Linux with encrypted user's home folder (manual partitioning)

6. Commands to manage LVM encrypted disks


Full disk encryption, partition encryption, encryption of individual directories and files

Probably everyone has come across encrypted files that require a password to view. These could be archives or office files. With VeraCrypt you can encrypt folders and files very securely.

Of course, all of this is available on Linux as well. You can create encrypted archives, install VeraCrypt or another program to encrypt files and folders.

Related: How to install VeraCrypt on Linux

In addition to this approach to encryption, Linux installers offer full disk encryption. The idea is that all data on the disk is encrypted. When the computer starts up, the bootloader prompts you to enter a password to decrypt the disk. If the password is correct, the disk is decrypted and the computer continues booting and working. With this approach, you do not need to think about encrypting individual files: everything is encrypted, so there is no danger that something can be copied from a powered-off computer.

The downside of this approach is that encryption slows down the system a little, since data processing (encryption/decryption) is required when reading and writing data to disk.

Another danger is that if a disk (file system) fails, there is a possibility of losing data, or you will need to boot from a Live OS to perform disk recovery operations.

Partition encryption is an intermediate option. For example, why encrypt the root filesystem and binaries that are the same for all users? However, many users would like to encrypt their folder in the /home directory. The result is a good compromise: on the one hand, the really important data is encrypted, but the system does not slow down, since its files are mostly not encrypted.

How disks and partitions are encrypted in Linux

Of course, disk and partition encryption in Linux can be used without understanding the technical details. For example, the installer offers the option “Guided - use entire disk and set up encrypted LVM”.

If you select it, most of the encryption setup for the disk (or partition) on which the OS is installed is done automatically. The only difference from a standard installation is that you need to come up with and remember a password to encrypt the disk.

But if problems arise, such as a file system error due to a disk failure, you cannot simply run fsck and fix the disk errors. Likewise, if you want something other than the default partition layout, it will be difficult to set up without understanding LVM.

Therefore, a few words about programs for full-disk encryption.

Cryptsetup and LUKS are used for encryption.

The Kali Linux installer (like those of other Debian-based distributions) uses LVM to create and manage volumes, so if you choose to encrypt disks or partitions, they will be created using LVM. LVM (Logical Volume Manager) primarily provides powerful and flexible tools for organizing disk space: for example, you can create one partition from several disks or resize partitions without rebooting the system. The Kali Linux installer uses LVM for disk partitioning and the familiar Cryptsetup and LUKS for encryption. You need to know this at least because, when a disk failure occurs, depending on the stage at which it occurred, you may need to decrypt the disk using “cryptsetup open --type luks” and/or activate the disk using lvchange/vgchange before using fsck.

Disk encryption password and user account password

At first glance, it might seem that the user's login password (the same password is used for executing commands with sudo and for unlocking the screen, as well as logging in via SSH) and the password for decrypting the disk are very similar. They are both designed to keep your computer safe and secure from unauthorized access.

But in fact, from a practical point of view, these are quite different things. An account password can be easily changed or reset. Any user's password can be changed by any other user who can execute commands with sudo. Even if you do not have administrator rights but have physical access to the computer, you can reset the password for any user, including root; see the article “How to reset a forgotten login password in Linux” for details.

As for the disk decryption password, everything is different with it: if you forget this password, you will not be able to reset it. In theory, the password can be recovered using brute force, but this takes time and computational resources.

Full disk encryption protects user data more securely than a login password.

That is, the user password can be forgotten, but the disk decryption password must not be forgotten!

How to install Kali Linux with full disk encryption

This is the easiest option to set up and use – the entire drive will be encrypted. For encryption during the Kali Linux installation, as well as for use, you do not need to delve into how it works.

Go to https://www.kali.org/get-kali/ and download the installation image from the Bare Metal section.

Using the cross-platform program Etcher, write the image to a USB flash drive.

How to install Kali Linux with encrypted user's home folder

An encrypted user folder with unencrypted system files is a good option if you want to keep your files safe but don't want to be faced with a loss in system performance.

This example will completely encrypt the /home folder. The OS partition and the encrypted partition will fit on the same disk, although you can place them on different disks.

How to install Kali Linux with encrypted user's home folder (auto-partitioning)

The installer has a template for encrypting the user's home folder, and it is perfect for novice users: the default settings are quite acceptable and the setup is very simple.

The partitioning template has the following parameters:

  • EFI partition – 500 MB
  • /boot partition – 500 MB
  • / (root) partition – 30 GB
  • swap (swap partition) – 1 GB
  • /home partition – all remaining space

Let's focus on the disk layout, since the rest of the installation steps are identical.

How to install Kali Linux with encrypted user's home folder (manual partitioning)

If the automatic disk layout template with home folder encryption described above does not suit you, you can configure the disk layout manually. How to do this is shown below.

With manual partitioning, remember that for a normal installation you need at least two partitions:

  • EFI – 200 Megabytes is enough
  • / (root of the filesystem) – this is where the OS is installed. If there are no other partitions, then user files will be stored here.

In this example, in addition to the two required partitions, we will create another partition and encrypt it. This partition will be mounted at the /home path.

Let's focus on the disk layout, since the rest of the installation steps are identical.

If everything is done correctly, you will be prompted for a password when you turn on the computer.

You can make sure that the list of block devices is exactly as we intended it.

Commands to manage LVM encrypted disks

List block devices:

lsblk

Search for all volume groups:

sudo vgscan

Auto-activation of volume groups:

sudo vgchange -ay

Listing all logical volumes in all volume groups:

sudo lvscan

Auto-activate the specified logical volume:

sudo lvchange -ay /dev/xubuntu-vg/root

The following command decrypts and opens (that is, maps) the /dev/nvme0n1p3 partition under the name nvme0n1p3_crypt:

sudo cryptsetup open --type luks /dev/nvme0n1p3 nvme0n1p3_crypt

In fact, the previous command creates a new block device at /dev/mapper/NAME with the decrypted contents (in this case it will be /dev/mapper/nvme0n1p3_crypt). This device can be mounted using the mount command.

Mounting an encrypted partition (after it has been opened with cryptsetup):

sudo mount /dev/mapper/HackWare--Kali--vg-home /home

Configuration file for encrypted block devices:

cat /etc/crypttab

Mount point information is contained in the /etc/fstab file:

cat /etc/fstab
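
The recovery order described earlier (open the LUKS container, activate LVM, then run fsck) can be derived from a system's own /etc/crypttab and /etc/fstab. The script below is an added example, not part of the original article: it only prints the commands, the sample file contents (UUID, swap entry) are constructed, and the function names are hypothetical. It goes one step beyond the text by decoding device-mapper names such as /dev/mapper/HackWare--Kali--vg-home back to the /dev/VG/LV form that lvchange expects.

```shell
#!/bin/sh
# Added example: print (never run) the unlock -> activate -> check sequence,
# derived from copies of a system's /etc/crypttab and /etc/fstab.

# /dev/mapper/VG-LV -> /dev/VG/LV. device-mapper doubles each hyphen inside a
# VG or LV name, so the single remaining hyphen is the VG/LV separator.
dm_to_lv_path() (
    esc=$(printf '%s' "${1#/dev/mapper/}" | sed 's|--|/|g')  # "/" never occurs in LVM names
    case $esc in *-*) ;; *) exit 1 ;; esac                   # no separator: not an LV
    vg=$(printf '%s' "${esc%%-*}" | tr / -)
    lv=$(printf '%s' "${esc#*-}" | tr / -)
    printf '/dev/%s/%s\n' "$vg" "$lv"
)

# crypttab source field -> a path that "cryptsetup open" accepts.
crypt_source() {
    case $1 in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# recovery_plan CRYPTTAB FSTAB: one command per line, in the order to run them.
recovery_plan() (
    # 1. Open every LUKS container (crypttab fields: name source keyfile options).
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r name src rest; do
        printf 'sudo cryptsetup open --type luks %s %s\n' "$(crypt_source "$src")" "$name"
    done
    # 2. Let LVM find and activate volume groups inside the opened containers.
    printf 'sudo vgscan\nsudo vgchange -ay\n'
    # 3. Check each mapped filesystem listed in fstab; swap has nothing to check.
    grep -Ev '^[[:space:]]*(#|$)' "$2" | while read -r dev mnt fstype rest; do
        case $dev in /dev/mapper/*) ;; *) continue ;; esac
        [ "$fstype" = swap ] && continue
        if lv=$(dm_to_lv_path "$dev"); then printf 'sudo lvchange -ay %s\n' "$lv"; fi
        printf 'sudo fsck -n %s\n' "$dev"   # -n: report only, no repairs (e2fsck)
    done
)

# Constructed sample files; the UUID and the swap entry are made up.
demo() (
    d=$(mktemp -d)
    echo 'nvme0n1p3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks' > "$d/crypttab"
    printf '%s\n' '/dev/mapper/HackWare--Kali--vg-home /home ext4 defaults 0 2' \
        '/dev/mapper/HackWare--Kali--vg-swap_1 none swap sw 0 0' > "$d/fstab"
    recovery_plan "$d/crypttab" "$d/fstab"
    rm -r "$d"
)
demo
```

A mapped device whose name has no VG/LV separator, such as /dev/mapper/nvme0n1p3_crypt, is treated as a plain LUKS volume and gets only the fsck line.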

See also: Kali Linux post-installation tips and settings
