I recently wanted to create a live Kali USB drive. The main reason behind this was to have a clean slate each time a new hacking session is started, as far as the pentesting environment goes. Live environments images on the USB are usually not changed while booted, only their memory copies are. This would allow a pentester to have totally clean environment each time on boot.
The persistence and the LUKS encryption
I also wanted to be able to keep some changes and some data stored for the future use. I didn't want to set up and update the whole environment from scratch each time I reboot. The persistence was the key thing to research.
How to make it happen?
Kali has some really nice articles how to install a live USB environment with the persistence and LUKS encryption:
I also added some of my own changes. First of all, I started off with Kali Weekly build as to have the up-to-date system as possible. It is very important to check the iso checksum, not only because of the security reasons, but also to avoid having to debug ghost errors which are not there in the first place, but you have a corrupted download - this happened to me. I also had some SCSI booting problems, so turning on legacy booting helped some issues.
How does it work?
Once you have it set up, you are able to boot into the Kali live with Encrypted Persistence. If you do this, you will be asked for a passphrase to open the encrypted drive, but once booted, you won't see it available as a drive. It will behave as it is a part of the main image and all your changes will be persisted - from language settings to updated applications. This is great if you want your changes persisted, but any changes done through a malware or a hack might be persisted and loaded during the following boot.
If you don't select to boot with the encrypted persistence, the originally burned image to USB will load without any updates, but you will have the ability to open the encrypted drive and input the passphrase to access the data. This option is perfect if you are fine with keeping only the data and not the changes to the system, as it will always load fresh from the image.
I still haven't found a perfect solution for me. I will be investigating further. My investigation will proceed more towards the latter approach. Here is what I'd like to test:
- Have a script on the encrypted drive that will update my settings on boot automatically, like language, shortcuts...
- Keep my Kali image up to date with the weekly build
- Keep the data on the encrypted drive
This way I will have a clean image without persisting the image state, but the data will be encrypted and persisted.