Has anyone figured out how to encrypt the root fs for Kali Linux 2020.2b using the Zymkey 4i?
Hi there, Joining the question, does the script support latest kali running on rpi3b+.
thanks a lot.
We don’t officially support Kali linux but you should be able to use the Zymkey by pointing at our Ubuntu 20.04 repository and doing a little editing. Here are the steps. Most of the commands require root privilege. Do a “sudo su” first to get root privilege.
-
Follow the standard steps to bring up Kali on your PI.
-
Run apt-get update and upgrade:
sudo apt-get update
sudo apt-get upgrade -y
-
Enable the I2C bus.
3a. Edit /boot/config.txt and uncomment the line:dtparam=i2c_arm=on
3b. Edit /etc/modules and add a line containing:i2c-dev -
Reboot
-
Verify the i2c bus is enabled. “ls” should find the device now:
ls -l /dev/i2c-1
- Pull down the Zymkey install script. You are going to edit the script to point at focal, then run locally.
curl -G http://s3.amazonaws.com/zk-sw-repo/install_zk_sw.sh --output install_zk_sw.sh
Edit install_zk_sw.sh and change the distro variable to be focal.
Find the following line around line 72 and change
distro=`lsb_release -c | cut -f2 -d$'\t'`
to
distro="focal"
- Give the script write permission and run locally as su:
sudo su (if you are not already su)
chmod +x ./install_zk_sw.sh
./install_zk_sw.sh
The script should install the Zymkey software. It will reboot during the process and when it comes back up, the Zymkey will complete binding and blink the blue LED once every three seconds.
- If you are continuing on to encrypt your rootfs, you can now follow the regular steps. Details are up on community.zymbit.com.
Notes on Encryption Process:
- The encryption process will automatically reboot twice. After the first reboot, the process boots the rootfs off of the USB drive. Kali uses an ext3 partition and the encryption script expects ext4. To fix:
Edit /boot/cmdline.txt on the sd-card and change the rootfstype from ext3 to ext4. This has to be done by mounting the sd-card on a different system and editing there. Replace in the PI and boot up to finish the rest of the encryption process.
You can see progress at that point via journalctl. I’m not sure if you will hit the same problem or not.
- After the second reboot, the Zymkey service, zkifc didn’t want to start. I fixed that by disable/enabling the zkifc service and rebooting.
sudo systemctl disable zkifc
sudo systemctl enable zkifc
sudo reboot
Once the whole process is done, you should see the Zymkey return to blink the blue LED once every 3 seconds.
Let me know if this works for you. We will consider officially adding Kali support in the future if demand is there.
Bob
I should get my key by monday, will update how every thing went! thanks a lot.
worked well!
i still have some questions though, what is the luks key length? (brute force attack?)
if someone gets unlimited physical access (without perimeter detection active) can they get the key and decrypt the data?
thanks a lot!