A recent article titled Emergency Self Destruction of LUKS in Kali revealed an ongoing attempt to add a “nuke” option to cryptsetup, the utility used to manage disk encryption.
The idea is very simple. But before I get to the gist of the article, here’s how setting up full disk encryption protects your data from unauthorized access. When a disk is encrypted, a passphrase is specified at setup time. That passphrase will have to be specified at boot time before the OS installed on the disk can boot (properly). If the correct passphrase is not specified, your data remains where it is – encrypted and secure, safe from unauthorized access.
It’s a physical security feature that works to your advantage until you forget or misplace the encryption passphrase. Unless you have a friend or relative at a secretive government agency, you might as well throw the HDD away. This feature ranks number 1 on the list of physical security features you can use to protect sensitive data.
The “nuke” option that the developers of Kali Linux are cooking up is designed to let you specify a passphrase that will destroy saved keys thereby rendering data on the target disk inaccessible. As described in the original post (See Emergency Self Destruction of LUKS in Kali):
On any subsequent reboots, you will be asked for the LUKS decryption password each time as usual. If for whatever reason, you were to enter the nuke password, the saved keys would be purged rendering the data inaccessible.
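A toy model of the mechanism described above, added here as an illustration (it is not code from the Kali patch or from cryptsetup). It shows why purging the key slots locks out even the correct passphrase, and that a header copy made before the purge still opens the volume. The names, the all-zero nuke marker and the XOR key wrap are assumptions of this model; real LUKS wraps the master key with a cipher and anti-forensic splitting.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000      # low so the demo is fast; not a cryptsetup default
NUKE_MARKER = bytes(32)  # this model's flag for a nuke slot (assumption)


def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHeader:
    """Volume header: key slots that each wrap the same master key."""

    def __init__(self) -> None:
        self.digest_salt = secrets.token_bytes(16)
        self.digest = b""   # fingerprint used to recognise the master key
        self.slots = []     # (salt, wrapped payload) pairs

    def format(self, passphrase: str) -> bytes:
        master = secrets.token_bytes(32)
        self.digest = kdf(master, self.digest_salt)
        self.add_slot(passphrase, master)
        return master

    def add_slot(self, passphrase: str, payload: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.slots.append((salt, xor(payload, kdf(passphrase.encode(), salt))))

    def unlock(self, passphrase: str):
        for salt, wrapped in list(self.slots):
            candidate = xor(wrapped, kdf(passphrase.encode(), salt))
            if hmac.compare_digest(candidate, NUKE_MARKER):
                self.slots.clear()  # purge every wrapped copy of the master key
                return None
            if hmac.compare_digest(kdf(candidate, self.digest_salt), self.digest):
                return candidate
        return None


def demo():
    header = ToyHeader()
    master = header.format("correct horse")      # constructed passphrases
    header.add_slot("nuke phrase", NUKE_MARKER)  # the nuke slot
    backup = list(header.slots)                  # header copy made beforehand
    opened = header.unlock("correct horse") == master
    header.unlock("nuke phrase")
    locked_out = header.unlock("correct horse") is None and not header.slots
    header.slots = backup                        # restoring the copy undoes the nuke
    return opened, locked_out, header.unlock("correct horse") == master
```

demo() returns three flags: the volume opened before the nuke, it was locked out afterwards, and it opened again once the saved header copy was restored.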
But why would you want to nuke your encrypted hard disk and in the process lose your data – forever? The authors of the article and the patch did not speculate on the reason(s) one might want to “nuke” an encrypted disk, but here’s one occasion where that nuke passphrase might come in handy: Say your computer is confiscated by law enforcement authorities and you refuse to hand over the encryption passphrase. You can maintain that stance until a judge says give in or go to jail. Since I’m sure you don’t like the idea of spending time in jail and you also want to keep your data from those guys, you could, if you have one configured, give them the nuke passphrase.
I think I like the “nuke” idea and would love to see the patch in the official cryptsetup utility. If you do, let the developers know by voting in a poll set up here.
UPDATE: Kali Linux 1.0.6 has just been released. And it comes with the “nuclear option” integrated in cryptsetup. See Kali Linux 1.0.6 released. Cryptsetup has “nuclear option” integrated.