Create Parrot OS pendrive with encrypted persistence volumeJuly 16, 2019
Apart from working as a developer, I also do some server administration in my spare time. Mostly as a devops for projects which I write, but also I host my own server with mail, git etc. I keep a lot of private info there, so naturally I had to learn a lot about securing it and keeping it as safe as possible.
However I always did it from "defendant" perspective, and learned techniques connected mostly with that (closing ports, configuring firewalls etc.). Recently I came to conclusion, that this may be not enough - I have to start thinking as an attacker, to better understand the tools and tricks used in todays cyberworld.
To do that, I started reading security blogs, collecting tools and playing with self-prepared vulnerable virtual machines. Really quickly my laptop got filled with a lot of stuff which I used to play with, adding more and more mess. And as a programmer, with strong belief in "Single responsibility principle", I didn't like that - my base system should be used only for my daily needs and I need to separate my "hacker wanna be" activities. So, naturally I started looking for some specialised Linux distro just for that.
Everybody heard about Kali Linux (formerly known as BackTrack), so naturally I started there. And I didn't like what I found - it felt bloated, sluggish - more like "Debian + pentesting friends" instead of a distro built from scratch with hacking principle in mind. A lot of people use it, and are happy for it - but for me it didn't feel right.
And then I discovered Parrot OS, and immediately felt in love with it. It's beautiful (when you work a lot with designers, at some point you start noticing things like that), fast, has all the tools and as a bonus - it's built from scratch with privacy in mind.
Setting up a pendrive with Live distro is a breeze - just download ISO, and flash it. However it gets a little wild, when you want to set a permanent, encrypted storage for it. Hence this guide.
Step 1: Flash Parrot OS to pendrive
This step is pretty simple and self explanatory - just download the ISO and flash it. There are plenty, fancy tools for that, but good, old
dd is still best suited for the job.
dd if=Parrot-security-4.6_amd64.iso of=/dev/rdisk2 bs=1m
On OSX, it is important to use
/dev/rdiskX instead of
/dev/diskX as it provides raw (thus way faster) access to the device. On Linux, just pass
/dev/sdX as you normally do.
Step 2: Partition the pendrive
Okay, we have our distro set up, let's give it a spin! You may notice many
GRUB options, but for now - let's go with basic, Live USB.
Dealing with gparted and ISO partition
This was an issue at the time of writing this article, with
0.28. If it doesn't apply to you, you can skip this section.
You can also create a partition using good, old
fdiskwhich handles this case properly.
The next step is to partition the disk - you will notice something odd, immediately after starting
gparted and switching to your pendrive.
Whole disk is occupied by mysterious "iso" volume, despite the fact the image was only 4GB! Clearly, something is wrong with partition table. Let's check offsets with wipefs:
wipefs /dev/sdb DEVICE OFFSET TYPE UUID LABEL sdb 0x8001 iso9660 2019-04-25-11-04-24-00 Parrot OS sdb 0x1fe dos sdb 0x3ba2ffe00 gpt
You may notice, that
/dev/sdb contains signatures of two (or three) different data structures - an ISO image written to the whole disk, a DOS partition table, and optinally - a GPT partition scheme signature. When you check your drive with
blkid /dev/sdb /dev/sdb: UUID="2019-04-25-11-04-24-00" LABEL="Parrot OS" TYPE="iso9660" PTUUID="f3dc8ed4" PTTYPE="dos"
... you will notice, that ISO partition is the preferred one. That's why gparted gets crazy and reports it as a whole drive. Thankfully, the fix is pretty easy - just wipe out information about ISO:
wipefs -o 0x8001 -f /dev/sdb /dev/sdb: 5 bytes were erased at offset 0x00008001 (iso9660): 43 44 30 30 31
Since you will be altering already mounted partition, don't forget
-f flag to force the overwrite. After that,
gparted should start reporting partition and free space correctly.
Partition the free space
This is pretty straightforward - create a new partition over free space, set it's type to
ext4 and label to
persistence. Then apply the changes.
Step 3: Encrypt the partition
This step is optional - however, it's a good habit to encrypt everything. I see no reason for exceptions here.
First, set encrypted luks volume over a newly created partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3 WARNING: Device /dev/sdb3 already contains a 'ext4' superblock signature. WARNING! ======== This will overwrite data on /dev/sdb3 irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase for /dev/sdb3: Verify passphrase: Existing 'ext4' superblock signature on device /dev/sdb3 will be wiped. Key slot 0 created. Command successful.
Next, attach it:
cryptsetup luksOpen /dev/sdb3 my_part Enter passphrase for /dev/sdb3:
Now we can format it or create multiple LVMs - it's up to you. Since it's a pendrive, I decided to not go crazy, and just created one
ext4 partition, filling up all the space (don't forget to label it):
mkfs.ext4 -L persistence /dev/mapper/my_part mke2fs 1.44.5 (15-Dec-2018) Creating filesystem with 2931456 4k blocks and 732960 inodes Filesystem UUID: 592d5d84-f630-4e80-9ea9-0c9973be68f4 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208 Allocating group tables: done Writing inode tables: done Creating journal (16384 blocks): done Writing superblocks and filesystem accounting information: done e2label /dev/mapper/my_part persistence mount /dev/mapper/my_part /mnt
Now, we need to configure Parrot to treat this new partition as a volume which would store it's data. This is done by one line in persistence configuration file.
echo "/ union" > /mnt/persistence.conf
That's it! Umount the partition, and close the luks volume.
umount /mnt cryptsetup luksClose /dev/mapper/my_part
Optional: Set a nuke password
Newer versions of luks provide interesting functionality - a "nuke" password. The idea is simple - if you are forced to reveal the password, you can provide the "nuke" one instead of the real thing, and your partition will be unrecoverably destroyed (thus "nuke").
Personally I don't see any sense in it - if the forensic is smart, he would make a one to one copy as a first thing which would render nuking pointless - but hey, you can always meet somebody less sharp, and it may actually help.
To add a nuke, simply invoke:
cryptsetup luksAddNuke /dev/sdb3 Enter any existing passphrase: Enter new passphrase for key slot: Verify passphrase:
Note: Recent versions of Parrot have
luksAddNuke patch removed in favor of separate
cryptsetup-nuke-password package. To add nuke password using this, use:
Do not mix those passwords yourself, as nuked partition is unrecoverable.
Step 4: Reboot
We're done. Reboot Parrot, and select
Encrypted persistence option. In this mode, everything you do, will be saved to the pendrive.
Now, you can wear your obligatory hoodie, play some hacker music and start nuking Gibsons!