You will never get anything out of me: introducing Nuke My LUKS

Recently I wrote and published Nuke My LUKS, a fairly simple network-based panic button designed to overwrite the LUKS header with random data and shut down the computer in an emergency. The code was inspired by the idea behind panicbcast by Niklas Femerstrand.

This tool can be useful for activists, human rights workers and others who face an adversary, such as law enforcement, that can coerce the subject into disclosing the encryption passwords for the computer’s hard drives.

IMPORTANT: This will make it impossible to recover any data stored on the disk, even if the password is known. It is recommended to store your backups, as well as your original LUKS header, encrypted and in a safe location. Use this code with caution.

How it works

Nuke My LUKS is divided into four small pieces of code:

  • client.py
  • server.py
  • generateconfig.py
  • nukemyluks.sh

In a nutshell, it works by sending a UDP broadcast message to port 1337 with a tag appended to a user-defined password. If the password matches, the script for destroying the LUKS header is executed.

NOTE: Configure your firewall rules to allow UDP broadcast messages from your trusted computer running the client of Nuke My LUKS.

PS: Notice that it is possible to repurpose this code to use any shell script and perform other actions, but the original design is to destroy the LUKS header of the computer.
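
The server-side check described above, as an added example that is not Nuke My LUKS's own server.py. It assumes the tag is a prefix with the placeholder value `nukemyluks_` and a hypothetical `MAX_LEN` size limit, uses PBKDF2 from the standard library as a stand-in for the bcrypt hash stored in config.ini, and takes the action to run as a caller-supplied function.

```python
import hashlib
import hmac
import os

TAG = b"nukemyluks_"      # assumed tag value; the page does not give the real one
MAX_LEN = 256             # assumed upper bound on an acceptable datagram
ITERATIONS = 200_000      # PBKDF2 work factor (stand-in for the bcrypt cost)


def make_record(password):
    """Create the (salt, hash) pair a config generator would store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def classify(datagram, salt, stored):
    """Return 'ignore', 'reject' or 'trigger' for one received datagram."""
    # Cheap checks first: any host on the segment can send to the port, so do
    # not spend a slow hash on traffic that is not shaped like a panic message.
    if len(datagram) > MAX_LEN or not datagram.startswith(TAG):
        return "ignore"
    candidate = datagram[len(TAG):]
    if not candidate:
        return "ignore"
    digest = hashlib.pbkdf2_hmac("sha256", candidate, salt, ITERATIONS)
    # Compare the derived hashes in constant time.
    return "trigger" if hmac.compare_digest(digest, stored) else "reject"


def handle(datagram, salt, stored, action):
    """Run `action` only for a verified message; the caller supplies it."""
    verdict = classify(datagram, salt, stored)
    if verdict == "trigger":
        action()
    return verdict


if __name__ == "__main__":
    # Constructed sample input: one valid message and three that must not fire.
    salt, stored = make_record(b"mysupersecretpassword")
    samples = [b"nukemyluks_mysupersecretpassword", b"nukemyluks_wrong",
               b"unrelated broadcast", b"nukemyluks_" + b"A" * 4096]
    for msg in samples:
        result = handle(msg, salt, stored, lambda: print("  (action would run)"))
        print(msg[:40], "->", result)
```

Rejecting on tag and length before hashing keeps stray broadcast traffic from costing a slow hash per packet.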

Limitations

PLEASE READ: The script that destroys the LUKS header reads from /dev/urandom and writes the random data to the beginning of a LUKS-capable device, such as /dev/sda1. There is no guarantee this will work as intended on SSDs, given the way these drives behave during write operations.

For more information about this topic see Data remanence on Wikipedia.

dm-crypt/LUKS version > 1.6.4 implements the option luksErase. However, to ensure a similar effect on older installations, we’re using the old-fashioned dd instead.

Usage

Generate a config file using generateconfig.py:

julio@trouble:~/programming/Python/security/nukemyluks$ ./generateconfig.py mysupersecretpassword
[+] Configuration file created successfully.

Copy the generated config.ini file, server.py and the LUKS header destruction script to the computers on which you want this code to run:

julio@trouble:~/programming/Python/security/nukemyluks$ cat config.ini
[config]
password_hash = $2a$13$fFEVaVHalvesYhVMUJTrUOjGPdUUvxzLIJUIqU8.jc3PJFbbQ.vSe

Make sure the script nukemyluks.sh can run with root privileges. This is necessary to call dd on a device.

Now execute server.py and leave it running in the background.

In case of panic, pass your password to client.py:

julio@trouble:~/programming/Python/security/nukemyluks$ ./client.py mysupersecretpassword