Avantguard Computer & Security Systems

Boot Nuke / LUKS

LUKS Full-Disk Encryption with Nuke Key

Install cryptsetup-nuke

On Kali Linux or Debian:

apt install cryptsetup-nuke

This patches cryptsetup to support a special “nuke” passphrase that destroys the LUKS header (and thus all data) when entered.

Add a Nuke Key

# Add nuke password (separate from your real passphrase)
cryptsetup-nuke /dev/sda5
# Enter the existing passphrase when prompted
# Then set the nuke passphrase

When the nuke passphrase is entered at boot, the LUKS key slots are wiped — the data becomes permanently unrecoverable.

Backup the LUKS Header

Always back up the LUKS header before adding a nuke key.

# Back up header to external media
cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file /media/usb/luks-header-backup.img

# Restore header (if needed)
cryptsetup luksHeaderRestore /dev/sda5 --header-backup-file /media/usb/luks-header-backup.img

Key Slot Management

# View key slots
cryptsetup luksDump /dev/sda5

# Add a new passphrase
cryptsetup luksAddKey /dev/sda5

# Remove a passphrase (by slot)
cryptsetup luksKillSlot /dev/sda5 1

# Change a passphrase
cryptsetup luksChangeKey /dev/sda5

Encrypt a New Drive

# Format with LUKS
cryptsetup luksFormat /dev/sdb

# Open the encrypted volume
cryptsetup luksOpen /dev/sdb encrypted_data

# Create filesystem
mkfs.ext4 /dev/mapper/encrypted_data

# Mount
mount /dev/mapper/encrypted_data /mnt/data

# Close
umount /mnt/data
cryptsetup luksClose encrypted_data