Guide: Kali Linux 2019 & 2018 Live USB with Encrypted Persistence (Windows)

In this guide we will install Kali Linux 2019 Live USB (also works with Kali Linux 2018) and configure an encrypted persistent partition so we can securely retain files and settings between reboots.

If you want persistence without encryption, please see Guide: Kali Linux 2019 & 2018 Live USB with Persistence (Windows).

1. Write Kali Linux 2019 ISO to USB

UPDATE FEB 2019: Tested and working in both Kali Linux 2019 and Kali Linux 2018. Do not use Kali Linux 2018.3 as this build was botched. Use 2018.3a or later.  Let us know in the comments if you have any issues.

Begin by downloading your preferred image of Kali Linux 2019 (guide also works with Kali Linux 2018). In this guide we are using the Kali Linux 2019 64 Bit image, though it should work fine with the 32 Bit and Light images as well.

Write the ISO to your USB drive using a tool like Universal USB Installer or UNetbootin. In this guide we are using Universal USB Installer.

Run Universal USB Installer.

Step 1: Select Kali Linux from the dropdown menu. (Kali is listed under Security and Penetration Testing).

Step 2: Browse for the Kali Linux ISO you downloaded.

Step 3: Select your USB drive from the dropdown menu.

Now select the checkbox Fat32 Format Drive (Erases Content).

Finally, click Create.

It may take a few minutes to write the ISO to USB. Once complete, continue to Step 2 to set up partitions.

2. Resize USB Partition

Now that your Kali Linux 2019 ISO has been written to your USB drive, we can begin setting up partitions to work with Kali Live encrypted persistence. You can configure partitions with the partition manager of your choice, but in this guide we are going to use MiniTool Partition Wizard.

Download and install MiniTool Partition Wizard Free Edition for Windows.

Once installed, run and select MiniTool Partition Wizard Free.

Right-click on the blue disk space bar of your USB drive and click Move/Resize. In the example below, the USB drive is Disk 3 and it has a blue USB icon over it.

Resize the partition to 4GB and click OK.

3. Create Persistence Partition

Right-click on the Unallocated partition and click Create.

In the File System menu, select Unformatted and click OK.

Finally, click Apply in the top left-hand corner and click Yes to apply changes.

The Partition Wizard will now set up your partitions. This may take some time depending on the size of your USB drive.

Once done, close Partition Wizard and safely eject your USB drive.

4. Boot Into Kali Live 2019 USB

Once partitioning is complete, restart your machine and boot from USB.

You may need to do some searching on Google on how to boot from USB on your particular machine. Sometimes pressing Shift and the restart button in Windows will invoke a menu at bootup. If that doesn’t work, repeatedly pressing one of the function keys (F12, F2, etc.) or the ESC or Delete keys on bootup will invoke the boot or BIOS menus on most machines.

In the Kali boot menu, select Live system and press Enter. Don’t select the encrypted persistence option here yet; we will do that later.

The menu may look different depending on your version of Kali. It’s usually the first option you want here.

If Kali prompts for login details, the default username is root and the password is toor.

5. Initialize LUKS encryption

Once Kali has booted, we will use fdisk to view the disk devices and partitions.

Open a new terminal window and run:

fdisk -l

You will see several entries for partitions and devices listed. Look for your USB drive. It will have two partitions: a 4GB partition and the empty partition you created earlier.

Device     Boot    Start       End   Sectors   Size Id Type
/dev/sdb1           2048   8390655   8388608     4G  c W95 FAT32 (LBA)
/dev/sdb2        8390656  30463999  22073344  10.5G 83 HPFS/NTFS/exFAT

In the above example, we can see the USB drive with a 4GB partition and a larger empty partition with the device name sdb2. This device name may be different on your setup. Make sure you have the right one before continuing.

Assuming our empty partition device name is sdb2, we will now initialize LUKS encryption on sdb2 with the following commands:

IMPORTANT: You must enter these commands exactly and ensure you choose the correct device (yours may not be sdb2), otherwise encrypted persistence will not work.

cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb2

You will see a warning. Type YES and press ENTER to overwrite data.

Enter a passphrase of your choice. Don’t forget it!

When you see “Command successful”, run the following command:

cryptsetup luksOpen /dev/sdb2 my_usb

Enter your passphrase one last time.

6. Configure Persistence Partition

Create an ext4 filesystem. This may take a minute.

mkfs.ext4 -L persistence /dev/mapper/my_usb

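Once the filesystem is created, label it persistence. The -L option in the previous command already sets this label, so this command simply makes sure it is in place.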

e2label /dev/mapper/my_usb persistence

Now mount the new encrypted partition.

mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb

Set up the persistence.conf file and unmount the partition.

echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb

Lastly, close the encrypted mapping to our persistence partition.

cryptsetup luksClose /dev/mapper/my_usb

We’re done!
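
A check you can run from the Live system before rebooting, added here as an example (it is not part of the original guide): it confirms that the partition has a LUKS header, that the filesystem inside is ext4 labelled persistence, and that persistence.conf holds the / union entry. The script name check_persistence.sh, the mapping name persist_check and the result strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: verifies the result of steps 5-6.
# Assumed names: mapping "persist_check" and the result strings printed below.

# Classify a persistence.conf file. Prints one of:
#   ok             contains a "/ union" entry
#   missing        file is absent or empty
#   crlf           file has Windows line endings (for example, edited on Windows)
#   no-root-union  no "/ union" entry (typo, or "/union" without the space)
check_conf() {
    cc_file=$1
    if [ ! -s "$cc_file" ]; then echo missing; return 1; fi
    if grep -q "$(printf '\r')" "$cc_file"; then echo crlf; return 1; fi
    # Skip blank lines and comments; accept exactly two fields: "/" and "union".
    if awk 'NF == 0 || $1 ~ /^#/ { next }
            NF == 2 && $1 == "/" && $2 == "union" { found = 1 }
            END { exit !found }' "$cc_file"
    then echo ok; return 0; fi
    echo no-root-union; return 1
}

# Unlock the partition (prompts for the passphrase), inspect the filesystem
# inside it read-only, then close everything again.
# Prints "ok" or the first problem found.
verify_partition() {
    vp_part=$1; vp_map=$2
    cryptsetup isLuks "$vp_part" || { echo no-luks-header; return 1; }
    cryptsetup luksOpen "$vp_part" "$vp_map" || { echo unlock-failed; return 1; }
    vp_dev=/dev/mapper/$vp_map
    vp_mnt=$(mktemp -d)
    if [ "$(blkid -s TYPE -o value "$vp_dev")" != ext4 ]; then
        vp_result=not-ext4          # mkfs.ext4 from step 6 did not take effect
    elif [ "$(blkid -s LABEL -o value "$vp_dev")" != persistence ]; then
        vp_result=wrong-label       # label is missing or misspelled
    elif ! mount -o ro "$vp_dev" "$vp_mnt"; then
        vp_result=mount-failed
    else
        vp_result=$(check_conf "$vp_mnt/persistence.conf")
        umount "$vp_mnt"
    fi
    rmdir "$vp_mnt"
    cryptsetup luksClose "$vp_map"
    echo "$vp_result"
    [ "$vp_result" = ok ]
}

# Only touch a device when explicitly asked:
#   sh check_persistence.sh verify /dev/sdb2
if [ "${1:-}" = verify ]; then
    verify_partition "${2:?usage: $0 verify /dev/sdX2}" persist_check
fi
```

Run it as root with the same device name you used in step 5; any result other than ok names the step to repeat.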

7. Reboot and Test

Restart and boot from USB, and from now on always select Live system (encrypted persistence, check kali.org/prst).

You should see a message like the one below.

Please unlock disk /dev/sdb2:

Enter your passphrase and press ENTER. Kali should now load.

To test if encrypted persistence is working correctly, try creating an empty test folder on the Desktop and restarting. Select Live system (encrypted persistence, check kali.org/prst) again and if the test folder is still there, encrypted persistence is working correctly.

If you are having issues, please mention the exact Kali image you downloaded in the comments.


138 replies

Thank you very much. Quick question.
When I get to the persistence phase, the command “mkfs.ext4 -L persistence /dev/mapper/my_usb” doesn’t work, it tells it doesn’t exist
any suggestion??

thank you very much

Whenever I boot my system into Kali Linux with encrypted persistence, I get to the point where I am supposed to enter my passphrase, which I enter, but then when I get to the desktop, the test folder is never there. I then check the file manager, which has a device labeled “26 GB Encrypted” in the left hand column (I am using a 32GB USB with 6GB for the operating system and 26GB for persistence). I click on the device and I get prompted to enter the passphrase. After I enter the passphrase, I get an error that says ‘Unable to access “persistence”‘. More specifically, it says:

Unable to access "persistence"

Error mounting /dev/dm-0 at /media/root/persistence: wrong fs type, bad option,
bad superblock on /dev/mapper/
luks-1971d87e-5c90-414e-88b3-43a30fca485d, missing codepage or helper
program, or other error

I have tried this on both Kali Linux 2019.1a and 2019.3. I can’t figure out what the problem is. After the first time it didn’t work I started just copying and pasting the commands into the terminal to make sure that I wasn’t mistyping anything, so I know that the problem isn’t the commands being mistyped.

After doing this when I set a root password it just reverts back to “toor” the next time I boot into it. The instructions you provided worked like a charm but I was hoping you could help me with this further step.
Thanks.

This works flawlessly on Kali Linux 2019.2 amd64. Best “how to” ever; clear, concise, well written. Thank you so much. Spent needless hours trying this, till we found your tutorial.
Just awesome! Thank you again.

I already tested all persistence; it is not working. If I reboot, all folders are gone. I use a RoG Strix, what am I supposed to do?? Sorry for bad English

Hey there, having a strange issue hoping I can get some advice here.

I’ve done this before in the past and I’ve followed this guide to the letter, but whenever I boot from the USB and select the “encrypted persistence” option it asked me to unlock /dev/sda3. I enter in the exact passphrase, and it just tells me there’s no key slot with that passphrase. From what I see in kali (running in VM) there’s only two partitions. Just doesn’t make sense to me. Please advise.

However I was under the assumption (from what I found googling the issue) I could use symbols from the 7-bit ASCII Table?

I was able to figure it out. The laptop I was booting the USB from also had a LUKS encrypted partition and was asking for that passphrase first. I had to enter a bad password then select “no”. After that I was prompted to enter the passphrase for the correct partition.

Thanks for the guide, it’s very well written. The partitioning and installation went flawlessly. However I do have an issue with the thing running extremely slow, like apt-get update && apt-get dist-upgrade takes more than a whole day to finish installing after downloading 1GB of files.

I use a 64GB Kingston 3.0 USB, plugged in to a 3.0 USB port.

The machine has an i7 8550U processor and 8GB RAM with a Windows 10 main operating system. I have disabled secure boot in order to boot from USB. Perhaps you will have a clue and point me in the right direction on how to solve this? Is it the BIOS settings that require some modifying?

I used the 2019.1 image for Kali.

Creating file system section of tutorial was almost flawless, I ran into errors due to usb label having a space in it but finally got it working by only using the first part of usb label, ie Kali Live to just Kali where the usb label was needed. Thanks for a great resource!

I’ve just done it with Kali 2018.4. Works perfect! Thanks for such a full guide!

(For those who have a discrete nvidia card and are stuck at first boot – press e when choosing the kali boot option and type nouveau.modeset=0 at the end of the “Linux” line)

A very good guide but … I have a little trouble: when I created a passphrase and verified it, the Terminal gave me this: “Command failed with code -1 (wrong or missing parameters).” So I just wonder how to solve this problem, thank you very much!

This guide worked almost flawlessly. In the end, following these instructions did give me a bootable USB with Kali + Persistence; however I was not able to resize the partition. I’m using a pretty standard Lexar USB and no matter where or how I tried, it wouldn’t give me the option to resize. I’ll likely try again with another USB stick, but I wanted to confirm that even though I couldn’t resize – simply creating the new partition and following the rest of the guide still results in a successful configuration.

Nice one!

Got this working as described in article on first attempt. Thanks very much for this guide as it’s much more thorough than what is provided in the official Kali Docs.

FYI I used 2018.4 amd64 image with SanDisk Cruzer 16GiB USB drive.

Works like a charm.

THANK YOU!!!!
After hours of frustration, came upon this page, followed the instructions and got my live usb with persistence encryption working straight away. And I’m a newbie…
Brilliant. Thank You so much!

I’m using 2018.2 and when I try to run the command to create the new partition, it fails at mount /dev/mapper/my_usb /mnt/my_usb saying mount does not exist. Can anyone help me?

I have to clarify that I followed the guide partially; I created the partition inside Kali with the native “Disks” tool. I don’t think it changes anything but I want to specify it.

I didn’t see the “Please unlock disk /dev/sdb2:” message and my test folder disappeared after reboot =(. I used 2018.3 amd64 image. And now I’m going to use the previous release (2018.2). Hope it will work.

I’m not sure yet, I haven’t had the time to test it. And there isn’t any discussion about this on the Kali forums from what I can see. If anyone else could test I would be grateful! 🙂

Works! Commenting from an encrypted persistence live boot.

“Running apt-get update && apt-get upgrade” now to see if moving to the latest breaks anything, will report back.

2018.2 amd64

looks like the problem is w/newer versions of dm-crypt I think. When I ran apt-get upgrade and it got to updating, it provided me with a warning about how the hooking method that was being used will be deprecated soon. It’s fine I guess if you already have an encrypted partition setup, but if you try to create a new one, nothing.

I will find the exact warning and post it here later.

When I rebooted, it asked “Please unlock disk /dev/sdb3” and it had worked.
But when I checked the “new folder” I had created, nothing was saved.
What should I do?

Hello!
I have created a new USB stick multiple times following these instructions, but Kali does not auto mount my partition with encrypted persistence??

I don’t know why! I have also tried other instructions that I have found on Google, but same error!
Without the encryption it works, but with encryption Kali does not ask me for a password when I boot from my USB!

I also have tried several notebooks…

Can you help me?

And sorry for my bad English, I am a German user with terrible English skills =)

Best Regards
Mark

Story time:

This command – “mkfs.ext4 -L persistence /dev/mapper/my_usb” – is the culprit

For whatever reason, after running this command, the type of drive shown from “fdisk -l” still shows “Microsoft Basic Data” for the drive.

I figured it out by using the mkfs command while going through your other guide instead of setting up the partition as EXT4 when I start with MiniTool Partition Wizard. Lo and behold, I saw with a quick fdisk -l afterwards that the type hadn’t changed.

So I ran Gparted and reformatted the partition as EXT4 and labeled it “persistence”, now when I run fdisk -l it shows “Linux filesystem”

Restart into the persistence option and BOOM! Mission accomplished.

I would recommend perhaps modifying the guide to run “Gparted &”, and format the partition as EXT4 after using the cryptsetup luksOpen command instead of mkfs. If you want to keep that step as command line, when running Gparted it shows you what command it does to successfully change the partition.

Ok, thanks for the feedback. I cannot recreate the problem here though I’ll need to do more tests.

The partition shouldn’t be showing as Microsoft Basic Data. When you run fdisk -l when first booting into Kali, the persistence partition type should show as HPFS/NTFS/exFAT. Are you sure you created it as unformatted as specified in Step 3. Create Persistence Partition?

I think I’m having the same issue. After running “mkfs.ext4 -L persistence /dev/mapper/my_usb”, fdisk -l continues to show the partition as “HPFS/NTFS/exFAT.” By using Gparted, I am able to format it as EXT4 and get it to display as “Linux”. Unfortunately, Kali still ignores the persistence.conf when I reboot. I formatted my persistence partition as “unformatted” in step 3.

When I rebooted, it asked “Please unlock disk /dev/sdb2” and I thought it had worked. The second time I rebooted it didn’t ask for a password, and nothing was saved. The persistent encrypted partition is there, it just doesn’t boot off it (I always chose “Live system (encrypted persistence, check kali.org/prst)”).

I’ve followed this guide word for word, no luck.

Every time I boot and choose “encrypted persistence”, it does not unlock the drive upon boot. I boot into Kali’s gui first, root toor, then I have to use “cryptsetup luksOpen /dev/sdb2 persistence” and then mount it.

Because it doesn’t unlock the drive on boot, it can’t read the persistence.conf file, so no persistence is maintained.

I’m using kali-linux-xfce-2018.3-amd64.iso as my image (I ran a hash check to confirm it’s good). I’ve imaged using rufus, UNetbootin, and DD. I’ve managed the partitions using Windows disk manager, gparted, parted, and the minitool partition wizard.

I’m imaging on to a 32 gb flash drive (I’ve tried two different ones to see if the hardware was causing the issue). I’ve flashed the image as a GPT filetable and MBR. I’ve booted using UEFI and legacy.

Could really use some help.

Do you get the message Please unlock disk /dev/sdb2 on boot?

A lot of these issues are caused by an incompatible USB drive. Is the second USB you tried the same brand? Also if possible try creating partitions on a different computer as there could be some other USB hardware issue. If you can pick up a new USB drive, I recommend the SanDisk Ultra USB 3.0 Flash Drives. I have loads of them and they’ve never failed me.

Nope, no message on boot to unlock /dev/sdb2. As for the brand, both of them are SanDisk, one is a Cruzer Glide 32gb, the other is an Ultra 32 gb.

I will try to create the partitions on a different machine and report back.

Nope, tried on a different machine. Nothing.

On a related note, I just noticed upon startup as it loads

“sdb sdb1 sdb2
WARNING: unable to load module dm-crypt
WARNING: cryptsetup is unavailable”

I think there might be something wrong with the xfce version of Kali…I will try the base image and report back

Nope. That didn’t do it either. No warning this time for dm-crypt or cryptsetup either…or at least one that I can see… 🙁

That’s a pain. And sdb2 is definitely the right partition? Try cryptsetup -v luksFormat /dev/sdb2 --debug in Step 5 to see if any errors come up in the debug.

Also see if you can get unencrypted persistence working using my other guide. If that works, then you know your USB and partitions are ok and it’s some other issue with encryption only. Also try and copy and paste the commands from the guide just to rule out typos, and make sure you have the correct device, sdb2, etc.

I can’t believe I’m about to say this because I am a total noob, but I think I might be able to offer some insight here.

I think it’s an issue with the new Kali version 2018.3

I followed the instructions above like you and installed the newest ISO which is 2018.3 but it doesn’t prompt you for the password during the boot sequence anymore. When you boot in, you can unlock your persistence through the Places> menu and selecting the encrypted drive but it seems unstable.

I am a total noob, so please take everything I say with a big pinch of salt, but if I had to make a largely uneducated guess, I would say it seems to be an issue with the persistence partition not mounting correctly on boot.

If you follow the instructions above to the letter, but instead go back to using the 2018.2 ISO, (which is still on the kali index website), it will work perfectly. The upgrade to the new kali version from within using apt upgrade command, that might work for you.

Like I said, I am a completely newbie so I might be way offside here, but thought I would share what I’ve seen.

Good luck, let us know if you figure it out.

Hi, thank you for your guide.
I followed the steps many times, I tried with a complicated passphrase with symbols lowercase and numbers, and then I tried again only with lowercase and numbers.
And every time I’ve got this error: IO error while encrypted keyslot.
Command failed with code -1 (wrong or missing parameters).
What should I do?

What happens when you run

cryptsetup -v luksFormat /dev/sdb2 --debug

where sdb2 is your persistence partition.

Thank you for your quick answer. It says it will overwrite data on dev/sdc2 I put YES. It asks me to enter my passphrase, then to verify. I post you the complete lines. ibb.co/gV96Q9

It seems to be having problems writing to that partition. All I can suggest is that you format your USB and try creating the partitions again from scratch. Or if you can, try on a different USB drive.

You found the issue, I tried from scratch, and it goes wrong again.
Then I tried from a different usb key, and everything is working perfectly now, thanks to you.
You are a savior. Thank you so much.
Take care

Where does the persistence live? I mean where is the encryption with this set up? Is it the whole disk or partition? Or is it just the users home directory for instance?

Cheers – great article

The entire persistence partition is encrypted, e.g. sdb2, and this is where your home folder resides. The 4GB system partition (sdb1) is not encrypted because otherwise you wouldn’t be able to load the LUKS encryption software on boot.

Thanks
I suppose this is my issue, insofar as I would want logs, browsing history, passwords, well everything really. Someone could just get the USB Drive and access all you have been doing in terms of software etc

Thanks

All that will be encrypted. The persistence partition is where files, settings, logs, etc, are saved to. The partition where Kali resides is not written to at all. It’s a Live USB and is therefore effectively read-only.

I’m having a hard time getting this to work. I followed the guide as exactly as I possibly could, and yet when I turn off the system to reboot the log says failed unmounting /lib/live/medium. Then upon booting in encrypted persistence, I get to the point where it says Please unlock disk, and I type my password in and nothing happens. I have to force shutdown. What could be the reason behind this… I have cleaned, repartitioned, and reformatted the usb many times now to no avail. Thanks for the help

When you type your password, there is no feedback in Linux like there is in Windows/Mac, eg. no stars or dots. This seems to throw off a lot of people. Just type your password carefully and press enter.

Thank you, I should have clarified that I understand there is no visual when entering a password. I entered it correctly, and hit enter, nothing happened. Then, I had to force shutdown the machine.

So, I decided to give it a whirl on my desktop instead of my laptop. Everything worked perfectly, including encrypted persistence….. So, I tried again on my laptop, and nothing… same problem, can’t get past please unlock disk password request. Then I thought, what if I plug in the keyboard from my desktop to my laptop and it worked! But now the touchpad doesn’t work when I plug in the external keyboard.

I’m using a surface book, and I have no idea why this is happening. Again, Thank you

2 things,
First, no matter what partition tool I use I can not resize the partition with the image on it.
Thinking this was not a huge issue I proceeded to finish per the instructions.

Second, after rebooting, logging in with persistence, creating a file and rebooting I find the file or any changes at all are not saved.

Could my first problem be causing the second? If not, what is causing it not to save? I followed every step and got no errors.

Yeah, you’ll need to get your partitions right first.

I would suggest removing all partitions from the USB drive and trying again.

  1. Press Windows + R simultaneously, type cmd, click “OK” to open an elevated command prompt.
  2. Type diskpart and hit enter
  3. Type list disk. Soon diskpart will list all the hard drives on your computer, including your USB flash drive that is connecting with the computer. Assuming that your USB flash drive is drive G:
  4. Type select disk G and hit enter.
  5. If there are one or more partitions on the flash drive and you wish to delete some of them, now type list partition and hit enter. This should list all the partitions, numbered as 0, 1, 2…
  6. Type select partition 0 and hit enter
  7. Type delete partition and hit enter
  8. Repeat step 6 and step 7 to delete partition 1 or 2…
  9. After deleting all the target partitions, type create partition primary and hit enter.
  10. Exit the command prompt. Right-click on the USB drive in explorer and format it.

To clarify, I did create a second partition but the disk imaging software I was using created a partition for the image the exact size of the image and would not allow me to increase its size.
I’ve since used Universal USB Installer as per this guide and was able to make the 4gb partition for kali and partition the remaining space for persistence.

I’ve followed the guide exactly now a few times without error and still nothing is saving.

Should this be the only line in persistence.conf?

/ union

Yes, it’s just / union. Did you try doing the partitions in MiniTool Partition Wizard?

In most cases, this is a partition issue or the wrong commands are entered in part 5 and 6. If you can, copy and paste them and make sure you have the correct device name.

Thanks for all the help. Yes, the last 6 attempts I used all tools mentioned in this guide. I’ve tried this and other guides over the last 4 days all with no success and I’m still unsure if I keep making a typo and that is causing it to fail. I’ll be trying again with many different USB and microsd in usb adapters and I’ll try doing it without typing 120wpm. I’ll even triple check my spelling of “persistence” as it’s just one of those words I’ll spell wrong 50% of the time. Thanks again for the help and writing this guide, it’s by far the easiest to follow and seems to work great when using the tools described. I’m sure the problem is with me and my spelling and impatient typing. OR could it be I’ve been using a microsd card in a USB adapter? Ultimately I NEED kali on a microsd with persistence but I’ll try a standard usb right now.

After I reboot, I can’t enter the passphrase even though I have made my passphrase easy

Are there any symbols in your password? Is it case sensitive? Because I suspect it might be a keyboard layout issue. Try a password all lowercase with no symbols next time.

Perfect!

I’ve been through countless guides for setting up encrypted persistence and this has been the only one that worked properly.

Thank you.

Followed instructions as posted and everything works with absolutely no problems at all. Nice guide. Thanks

Ok so when I get into kali live and try to set up persistence, I go through the terminal and do everything up to cryptsetup where I have to enter my own pass it won’t allow me to type anything. I’ve rebooted and reran terminal over again and nothing seems to work.

When you type a password in Linux, there are no dots or stars so it looks like nothing is being typed. Just type your password carefully and press enter.

I tried booting into encrypted persistence from a usb after doing the above but now it doesn’t ask me for the passphrase firstly and secondly, after kali linux loads, I cannot interact with the interface at all – cannot click anything.
Please advise

This works on my computer. However, when I boot up on a different computer, it doesn’t recognize my pass code. I get a message saying “No key available for this passphrase”

Do you have any special chars in your passphrase? Your other computer might have a different keyboard layout configured.

It is a nice guide but may I ask how can I “full install” Kali to my USB instead of making a persistence for it to use file..? I have search this in Google but all I found is Live or with persistence only…

I’ve never done it before but I’m sure it’s possible.

I think you’ll need two USB drives though, one to load the ISO install, and when you get to the bit about partitions disks (Step 10 here), see if your other USB drive shows up there.

It is not working..I can’t find my usb on the boot menu after the installation…I guess I will have to use the encrypted persistence 🙁

Hello!
Thanks for that!

Some info:
If, after parts 1-3, you start live on a Mac and do steps 4-7, you won’t have success. On Mac, fdisk -l also shows /dev/sdb2 but it doesn’t save changes.
Then I started live on a Win computer and did steps 4-7 and then it was all done! 🙂 And after that it starts normally on Mac.

I have a multi-boot external hard drive, with kali-2017.2 and a luks encrypted persistence drive. I just added kali-2018.1 to the bootloader and want to know how I reformat the drive to work with kali-2018?