Friday, May 16, 2014

Full Disk Encrypted Kali™ AWS Instance


This post will detail instructions on how to create a full disk encrypted Kali instance running on AWS EC2.
The gist of what we'll do is spin up a Kali instance from the Offensive Security official AWS AMI (unencrypted) as a build server, optionally install the tools we want, copy the "/" partition, then run some scripts from the build server. This will launch a separate EC2 instance with the "/" partition fully encrypted. The "/boot" partition will not be encrypted, and will launch a web server via an initramfs hook and script combo. The web server will run from /boot and listen on the external IP address for that instance, and accept the disk decryption password. Once you browse to the web server and enter your password, the "/" partition is unlocked and the boot process continues.
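To make the unlock mechanism described above concrete, here is a small, added illustration of the "web server in the unencrypted /boot" idea. It is not the encroot initramfs hook or script, and it is written to run on a workstation rather than inside an initramfs: it serves a passphrase form over HTTPS, feeds a submitted passphrase to `cryptsetup luksOpen` on stdin, and stops listening after the first successful unlock. The device name `/dev/xvda2`, the mapper name `root`, and the certificate path `/boot/unlock.pem` are assumptions, not values from the post; the cryptsetup call is injectable so the flow can be exercised without a LUKS volume.

```python
"""Minimal HTTPS passphrase collector for an initramfs-style LUKS unlock.

Constructed illustration, not the encroot script: serves a form, and on
POST hands the passphrase to `cryptsetup luksOpen` via stdin. The runner
that actually calls cryptsetup is injectable for offline testing.
"""
import ssl
import subprocess
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumed device and mapper names; adjust for the real instance.
ROOT_DEVICE = "/dev/xvda2"
MAPPER_NAME = "root"

FORM = (b"<html><body><form method=\"POST\">"
        b"<input type=\"password\" name=\"passphrase\" autofocus>"
        b"<input type=\"submit\" value=\"Unlock\"></form></body></html>")


def unlock_argv(device, name):
    """Command line that reads the passphrase from stdin (nothing in argv, nothing on disk)."""
    return ["cryptsetup", "luksOpen", "--key-file=-", device, name]


def parse_passphrase(body):
    """Extract the passphrase from an application/x-www-form-urlencoded body, or None."""
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    values = fields.get("passphrase", [])
    return values[0] if values else None


def run_cryptsetup(argv, passphrase):
    """Real runner: exit status 0 means the volume opened.

    No trailing newline is sent: with --key-file=- cryptsetup treats the whole
    of stdin as the passphrase, so a newline would become part of it.
    """
    proc = subprocess.run(argv, input=passphrase.encode(), capture_output=True)
    return proc.returncode == 0


def try_unlock(passphrase, device=ROOT_DEVICE, name=MAPPER_NAME, runner=run_cryptsetup):
    """Attempt the unlock; True on success. An empty passphrase is rejected up front."""
    if not passphrase:
        return False
    return runner(unlock_argv(device, name), passphrase)


def make_handler(runner):
    class UnlockHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(FORM)))
            self.end_headers()
            self.wfile.write(FORM)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(min(length, 4096))  # cap: a passphrase is short
            ok = try_unlock(parse_passphrase(body), runner=runner)
            msg = b"Unlocked, continuing boot." if ok else b"Wrong passphrase."
            self.send_response(200 if ok else 403)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(msg)))
            self.end_headers()
            self.wfile.write(msg)
            if ok:
                # Stop listening once the volume is open; shutdown() must be
                # called from another thread or it would wait on itself.
                threading.Thread(target=self.server.shutdown, daemon=True).start()

        def log_message(self, fmt, *args):
            pass  # keep request logging off the early-boot console

    return UnlockHandler


def serve(bind="0.0.0.0", port=443, certfile="/boot/unlock.pem", runner=run_cryptsetup):
    """Serve over TLS until one successful unlock. certfile is an assumed path in /boot."""
    httpd = HTTPServer((bind, port), make_handler(runner))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Two points the example makes explicit: the passphrase only ever travels inside the TLS session and into cryptsetup's stdin (never onto the command line, where `ps` could see it, and never into a file on the unencrypted /boot), and the listener goes away as soon as the root volume is open, so nothing stays exposed on port 443 once boot continues. Which source addresses may reach that port is still decided by the security group, as the post notes later.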

For the sake of this tutorial it will be assumed that the reader has a solid understanding of using AWS and starting instances, etc. This is not a tutorial on how to launch instances, or an introduction to using AWS EC2.

The Tools and Prep

  1. You need to create an AWS EC2 build instance based on the official Kali AMI by Offensive Security. You can use the free tier (t1.micro).
  2. Log in to your build instance (don't forget the default username is "kali") and install cryptsetup and some necessary tools:
    apt-get update && apt-get install cryptsetup perl curl kali-linux
    It's simpler to use the handy Kali metapackages (e.g. kali-linux) to install common tools. I accept all the default values and just hit enter on the prompts for locale info when installing cryptsetup. NOTE: You can ignore the warnings from cryptsetup about not reading fstab (more info here).

  3. You'll need a fantastic tool called encroot that a co-worker of mine (thanks Matt!) brought to my attention. The author of encroot has written his own API wrapper in Perl for AWS API calls. NOTE: I've been in touch with the author of encroot and he may be releasing an update that allows users more flexibility. In the meantime we'll work with this rough write-up of mine. From /root I run
    wget && tar -xvzf encroot_2013-06-20.tgz
  4. You'll need to follow the instructions provided in the encroot set of tools in the README.txt file (and the SSL.txt file if you need it). These files are very well written and clear, so for brevity's sake we'll not repeat the steps in this post. If you're not familiar with using the AWS API, one step that may stump you is step 4 in README.txt. That is creating the "/root/.awsapirc" file which will contain the credentials to access your AWS account. You can learn how to create the access ID and secret key here if you haven't already done it. NOTE: You only get one chance to copy down the secret key and access ID (once you create the user), so be sure to do so. You cannot retrieve them after the fact. Also, give the user permissions to your AWS account.

  5. I have modified two files within the encroot suite to suit our needs to get a Kali instance rather than Ubuntu. There are enough modifications that it makes more sense for you to just use the two files and I found that it's safest to use git to pull the files down, to ensure spacing is maintained.
    git clone
  6. Copy the two .sh files beneath the sunera-ap-team/encroot_kali dir to the same directory you extracted the other encroot tools into. If you're curious about the changes, feel free to diff them against the originals.

  7. Allocate an elastic IP address. If you're using a VPC (virtual private cloud; I recommend it), be sure to add the elastic IP to that VPC. I like to use VPCs for AWS networking, because they allow more flexibility and control in my opinion.

Do It

Since this is Kali, and we know what we're doing, run this all as root on your EC2 instance, or use sudo.
  1. On your build server create a directory called "/kali" then rsync the entire "/" to it:
    mkdir /kali
    rsync -avh --exclude={kcore,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found,/root/encroot*,/kali} / /kali
  2. Now run the script with the appropriate arguments. This is all detailed in the README.txt file and man page for encroot. You can find the ID numbers for the switches below from your AWS dashboard. The IP address in the below example is the un-associated elastic IP address that you provisioned earlier. The "group" is the group ID of a security group (think firewall rules). Make sure you have one that allows inbound TCP on ports 22 and 443. The "subnet" option is the subnet ID you want to use, and the "vpc" option is the VPC ID. Again, you can get all these from your AWS dashboard. You can also look to the encroot man page if you need to customize the command line string to match your setup.
    ./ --group "abcd123" --subnet "abcd123" --vpc "abcd123"
  3. Now just follow the prompts. You should be prompted for passwords for keyslots 0 and 1 for the LUKS volume.

  4. When it's done you'll have a new instance waiting for you. Simply browse to the IP address using https and enter your disk decryption password.

  5. If anything goes wrong, the Cleanup() function will be called, which will remove the newly created volumes. The most common issue I've seen is if your build server does not have a tool or program needed by one of the encroot scripts. I had some issues with initramfs hooks not running properly if I hadn't installed the myriad tools the kali-linux metapackage offers. When I had installed the bare minimum tools I thought were needed (e.g. curl, wget, perl, cryptsetup, git) the encroot scripts would fail. It was only after installing more tools (and their various dependencies) that the scripts would run. I found it easier to simply install the kali-linux metapackage than to figure out what was missing.
