Live Kali USB with Encrypted Persistence
If you've already gone through Kali's documentation here, you must have realised that it is a little vague and does not explain why a particular command is being run. This lack of explanation inspired me to write this post.
So basically, what we need to do is install Kali on a USB stick using the dd command. Check out this post, or alternatively you can run the following (assuming /dev/sdb is your USB stick). dd overwrites whatever device you name without asking, so confirm the device name with fdisk -l first:
dd if=path/to/kali-linux-xxxx.x-live-amd64.iso of=/dev/sdb bs=4M
Once you are done making your USB bootable, you can run fdisk -l to check the partitions. Most likely, you will have 2 partitions under /dev/sdb:
/dev/sdb1 # this might be around 3GB
Now, the idea is to create a new partition called /dev/sdb3, such that when summed up with /dev/sdb1 and /dev/sdb2, adds up to 7GB.
Therefore, use fdisk to make the partition. Alternatively, you can use gparted, which you need to install on the Linux machine you're currently running. I like fdisk as it's available by default, simple (once you understand it) and works on the CLI.
Running this would start fdisk with a prompt where you can make the necessary changes to your USB drive.
Create a new partition using n, select primary partition, then select partition number as 3 (which is given by default) and select the default start block (just hit enter). Now for the end block, give +4G and hit enter. Verify by typing p (lists the partitions). If everything looks good (you'll see sdb1, sdb2, sdb3 with different sizes, but they should sum to 7GiB), just write the partition table using w (you'll exit the fdisk prompt after this).
This partition will be used by Live Kali OS to persist changes that will be made in Kali, once you boot using the USB stick.
Enable encryption on this partition so that, if you lose your USB stick, your files stay unreadable. Remember that, if you forget the passphrase to decrypt (which will be asked every time you boot through USB stick), then you won't be able to access it either.
NOTE: Use a password manager to save the partition encryption passphrase.
Running the following will encrypt the partition and prompt you to provide the passphrase. The second command then opens the encrypted partition as /dev/mapper/my_usb:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 my_usb
Create the filesystem inside the opened mapping and label it persistence using the following commands. Run them against /dev/mapper/my_usb, not /dev/sdb3: formatting /dev/sdb3 directly would overwrite the LUKS header and leave you with an unencrypted partition.
mkfs.ext3 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
We are not done yet, as we still have to tell Kali to enable persistence. To do that, you'll have to create a directory, mount the opened mapping on the directory and create a config file as follows:
mkdir -p /mnt/p_usb
mount /dev/mapper/my_usb /mnt/p_usb
echo "/ union" > /mnt/p_usb/persistence.conf
Now, unmount the partition by running the umount /dev/mapper/my_usb command.
Close the encrypted mapping using:
cryptsetup luksClose /dev/mapper/my_usb
We are done. You can boot through the USB stick (select Live USB Encrypted Persistence in the boot menu) and provide the passphrase for sdb3 when prompted (during the booting process).
The partition /dev/sdb3 will be mounted to /usr/lib/live/mount/persistence/sdb3 and used by Live Kali OS if the password is provided at boot time. If not, the persistence will not be enabled and you'll get the default Kali.
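A check of the finished layout, as an added example (not from the original post or Kali's documentation): it reads blkid output taken while the mapping is open and confirms that /dev/sdb3 is a LUKS container and that the filesystem labelled persistence lives inside /dev/mapper/my_usb rather than on the raw partition. The function names, return codes and sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm from `blkid` output that the persistence data sits
# inside LUKS. Device names follow the post; the sample text is constructed.

# Print the value of KEY for one device from blkid-style text on stdin.
blkid_field() {  # usage: blkid_field <device> <KEY>
    sed -n "\|^$1: |s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the layout is correct, 1 if the partition is not a LUKS
# container, 2 if the filesystem in the mapping is missing or mislabelled.
check_persistence() {  # usage: check_persistence <partition> <mapping> < blkid-output
    _text=$(cat)
    _ptype=$(printf '%s\n' "$_text" | blkid_field "$1" TYPE)
    _ftype=$(printf '%s\n' "$_text" | blkid_field "$2" TYPE)
    _label=$(printf '%s\n' "$_text" | blkid_field "$2" LABEL)
    if [ "$_ptype" != "crypto_LUKS" ]; then
        echo "FAIL: $1 has type '${_ptype:-none}', not crypto_LUKS; persisted files would be readable"
        return 1
    fi
    case "$_ftype" in
        ext2|ext3|ext4) ;;
        *) echo "FAIL: no ext filesystem inside $2 (type '${_ftype:-none}')"; return 2 ;;
    esac
    if [ "$_label" != "persistence" ]; then
        echo "FAIL: filesystem in $2 is labelled '${_label:-none}', expected persistence"
        return 2
    fi
    echo "OK: $1 is LUKS and $2 holds $_ftype labelled persistence"
}

# Constructed sample: the expected layout while the mapping is open.
SAMPLE_OK='/dev/sdb3: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-03"
/dev/mapper/my_usb: LABEL="persistence" UUID="66666666-7777-8888-9999-000000000000" TYPE="ext3"'

# Constructed sample: mkfs was run on the raw partition, replacing the LUKS header.
SAMPLE_PLAINTEXT='/dev/sdb3: LABEL="persistence" UUID="66666666-7777-8888-9999-000000000000" TYPE="ext3" PARTUUID="aaaaaaaa-03"'

printf '%s\n' "$SAMPLE_OK" | check_persistence /dev/sdb3 /dev/mapper/my_usb
printf '%s\n' "$SAMPLE_PLAINTEXT" | check_persistence /dev/sdb3 /dev/mapper/my_usb || true

# On a real stick (as root, before luksClose or after re-running luksOpen):
#   blkid /dev/sdb3 /dev/mapper/my_usb | check_persistence /dev/sdb3 /dev/mapper/my_usb
```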
Now, you can update & upgrade your repositories using:
sudo apt update
sudo apt upgrade
NOTE: The upgrades will be persisted only if you've unlocked and mounted the persistence partition (/dev/sdb3) at boot time. Your changes to .bashrc, .profile etc. should also be persisted across multiple boots, even when using this USB across different machines.