Desktop Duress Mechanism (Kicksecure + CryptKill + Detached LUKS Header + Duress password)
TLDR: if you are forced to open your computer, you can set up a special passphrase that will render all data on your disk irrecoverable using a simple bash script.

Introduction
Destructive Deniability
The ideal method for deniability is having a hidden VeraCrypt volume. But what if, for example, a court already knows that VeraCrypt has a hidden volume feature and forces you to unlock your "nonexistent" volume? This is where Destructive Deniability comes in.

Destructive means that ALL the data has to be destroyed with zero means to recover it, so you can safely declare that you have no means to restore data on your disk.
This can be done using LUKS (Linux Unified Key Setup) disk encryption instead of VeraCrypt. It is present by default in Kicksecure and in most Linux distributions.
LUKS Header
Since LUKS lacks a VeraCrypt-like hidden container feature, it cannot be used for deniability purposes on a default setup. However, LUKS works in a way that makes the destruction of data inside the container easier.
The LUKS header is a small 16 MiB zone of a LUKS container that stores all keys and metadata about the container. It is required to decrypt and mount the device. Without the LUKS header, the LUKS container holds random, meaningless data and is recognized as a disk without a partition table or filesystem.

Imagine the encrypted disk as a bank vault, the passphrase a key, and the header as a metal door. If there is no door, there is nowhere you can insert the key.
Luckily you can have the LUKS header stored separately from the device (on a USB drive), and you can destroy it in case of an emergency.
CryptKill Duress Passphrase setup
You can also set up the USB drive in a way that enables a GrapheneOS-like Duress Password feature. At boot stage during the decryption of the system drive, entering a specified Duress Passphrase will trigger the destruction of the LUKS header, therefore erasing ALL data on the system drive.
This is made possible by a small bash script (CryptKill). It downloads the systemd source code, applies a patch to systemd-cryptsetup and injects it into the initramfs. If the SHA256 hash of the entered passphrase matches the duress passphrase hash, it executes a user-specified command. We will set it up to overwrite the LUKS header of the system drive with /dev/urandom, which will destroy it permanently.
Kicksecure Installation
WARNING: this tutorial is for advanced users. (What is an advanced user?)
Prerequisites
For this tutorial, you need 2 USB drives. One will be used for the installation, and the other will be used to keep the header and our /boot partition.
Additionally, you can get a 3rd USB drive or a MicroSD card to back up your header and boot partition. This is highly recommended because the duress password will wipe the header partition permanently.
However, for deniability purposes, make sure that you can hide it in a place far enough from areas you're associated with, such as your house, and that you won't be recorded by cameras in the process of hiding the backup drive.
1. Preparation
Use our tutorial or the Kicksecure wiki to create a bootable Kicksecure installation media.
Boot it in UNRESTRICTED mode.

Open a terminal and enter superuser mode since all of the commands below have to be executed with root rights.
sudo su
List your block devices with lsblk:

Overwrite all data on your flash drive and system drive with /dev/urandom.
WARNING: this will destroy all data on the disks and will take a long time (hours) to finish depending on the size of your system drive. For the flash drive, it takes about 15-30 minutes.
dd if=/dev/urandom of=/dev/sda bs=1M status=progress
dd if=/dev/urandom of=/dev/nvme0n1 bs=1M status=progress
Format your system drive and open it:
cryptsetup luksFormat /dev/nvme0n1 --header /header.img
YES
cryptsetup open /dev/nvme0n1 luks --header /header.img
We will create a logical volume as our root partition, since Kicksecure install fails with rsync error 10/11 when trying to install Kicksecure directly in LUKS container.
pvcreate /dev/mapper/luks
vgcreate vg /dev/mapper/luks
lvcreate -n root -l +100%FREE vg
mkfs.ext4 /dev/vg/root # FS doesn't matter, we will format it later in the installation process.
calamares
2. Installation
Proceed with the installation until the Partitions step, here we stop and choose our vg volume group as the system drive, click on Manual Partitioning, and then click Next.

Click Edit, and format our root LVM:
- Size: default
- Content: Format (Not formatting results in rsync error 10/11)
- FS: Any preferred filesystem (We will use ext4 for its reliability)
- Mount Point: /
Click OK.

Choose your flash drive (/dev/sda) in the dropdown, create a new GPT partition table:

Click on Free Space and create a new EFI partition:
- Size: 1024 MiB (the minimum is 550)
- FS: fat32
- Mount Point: /boot/efi
- Flags: boot
Click OK.

Click on Free Space again and create a boot partition:
- Size: 2048 MiB
- FS: ext2
- Mount Point: /boot
- Flags: No flags
Click OK, then click Next.

Your summary should look like this:

If it matches the image, click Install.
The installation will take some time, make yourself some coffee.
3. Post-installation
Uncheck Restart now and click Done.

Open your terminal again, and create a LUKS header partition on your flash drive:
gdisk /dev/sda
n # new partition
3 # number 3
<enter> # starting at first available sector
+16M # 16MiB size
<enter> # linux filesystem
w # write changes to disk
Y # yes
dd if=/header.img of=/dev/sda3
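A check worth running at this point, as an added example that is not part of the original tutorial or of CryptKill: it confirms that the header partition is a byte-identical copy of the image and that the system drive itself carries no LUKS signature, which is what the detached-header setup relies on. The function names are hypothetical and the demo runs on constructed files; on the live system the arguments would be /header.img, /dev/sda3 and /dev/nvme0n1.

```sh
#!/bin/sh
# Added example: sanity checks for a detached LUKS header layout.

# Print luks1/luks2 if the first 8 bytes are the LUKS magic
# ("LUKS" 0xBA 0xBE) plus a big-endian version, otherwise "none".
luks_version() {
    sig=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *) echo none ;;
    esac
}

# True if the start of the partition ($2) is byte-identical to the image ($1).
header_copy_matches() {
    size=$(($(wc -c < "$1")))
    head -c "$size" "$2" | cmp -s "$1" -
}

# check_detached_layout IMAGE HEADER_PARTITION DATA_DEVICE
check_detached_layout() {
    [ "$(luks_version "$1")" != none ] || { echo "image has no LUKS magic"; return 1; }
    header_copy_matches "$1" "$2" || { echo "partition differs from image"; return 1; }
    [ "$(luks_version "$3")" = none ] || { echo "data device carries a LUKS signature"; return 1; }
    echo "ok: $(luks_version "$2") header on $2, no LUKS signature on $3"
}

# Demo on constructed files standing in for /header.img, /dev/sda3, /dev/nvme0n1.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
{ printf 'LUKS\272\276\000\002'; head -c 4088 /dev/zero; } > "$demo/header.img"
{ cat "$demo/header.img"; head -c 4096 /dev/zero; } > "$demo/sda3"
head -c 8192 /dev/urandom > "$demo/nvme0n1"
check_detached_layout "$demo/header.img" "$demo/sda3" "$demo/nvme0n1"
```

The same `luks_version` probe returns `none` for a header partition that has been overwritten with random data.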
List block devices with lsblk again. Find where your vg-root is mounted to and declare it.

Mount boot, EFI, etc. to your sysroot, and chroot into it:
mount /dev/sda2 $r/boot/
mount /dev/sda1 $r/boot/efi
mount --bind /dev $r/dev
mount --bind /dev/pts $r/dev/pts
mount --bind /sys $r/sys
mount --bind /proc $r/proc
mount --bind /tmp $r/tmp
chroot $r/
Modify crypttab, then modify dracut to use UUID of /dev/sda3 for our system drive. This is done because the header inherits the LUKS container's UUID, and it needs to be manually assigned before decryption.
uuid=$(blkid -o value -s UUID /dev/sda3) && echo $uuid
echo "luks-$uuid /dev/nvme0n1 none luks,discard,header=/dev/sda3" >> /etc/crypttab
vim /usr/lib/dracut/modules.d/90crypt/module-setup.sh
Here, comment out line 122, and at line 123, insert:
echo "/dev/nvme0n1 copieduuid" > "${initdir}/etc/block_uuid.map"
It should look like this:

At line 160, above the two lines starting with inst_simple, insert:
echo "luks-copieduuid /dev/nvme0n1 none luks,discard,header=/dev/sda3" > "$initdir"/etc/crypttab
It should look like this:

Save and close the file, then regenerate dracut and exit the chroot:
dracut -v -f --regenerate-all
exit
Unmount everything and reboot:
umount $r/boot/efi
umount $r/boot/
umount $r -l
vgchange -a n vg
cryptsetup luksClose luks
shutdown now
Setting up Kicksecure
Enabling sudo
Discard the installation media, boot again in REMOVE user-sysmaint-split mode:

Type "yes" and click OK

Close the terminal window. It will automatically reboot.

Boot in PERSISTENT Mode

Setting up CryptKill & killusb.sh
Copy the UUID of your header partition
blkid -s UUID -o value /dev/sda3
Integration with USB Dead Man's Switch
- Set up killusb.sh using our tutorial
- Edit your reboot.sh
vim reboot.sh
cat reboot.sh
#!/bin/bash
/usr/bin/sudo /usr/bin/dd if=/dev/urandom of=/dev/disk/by-uuid/<paste UUID here> bs=1M
/usr/bin/sudo /usr/sbin/reboot now
Setting up CryptKill
Open a terminal again, update your system and clone cryptkill source:
sudo apt update
sudo apt install git
torsocks git clone http://gdatura24gtdy23lxd7ht3xzx6mi7mdlkabpvuefhrjn4t5jduviw5ad.onion/UserSurname/cryptkill.git
cd cryptkill
ALWAYS inspect any script before executing it
vim cryptkill.sh
vim cryptkill.patch
Set up CryptKill. You have to execute the script as root:
sudo ./cryptkill.sh setup
Exec line: dd if=/dev/urandom of=/dev/disk/by-uuid/<paste UUID here> bs=1M
[1/3] Enter new password: <duress password>
[1/3] Re-enter new password: <duress password>
...
Setup finished. Reboot your system.
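Both reboot.sh and the CryptKill exec line depend on the pasted UUID resolving to the header partition. The check below is an added example, not part of CryptKill or killusb.sh: it rejects a leftover placeholder, a UUID with no udev symlink (dd would then create a regular file at that path and leave the header intact), and a UUID that belongs to a different partition. `check_wipe_target` and `BY_UUID_DIR` are hypothetical names, and the demo uses a constructed directory with constructed UUIDs.

```sh
#!/bin/sh
# Added example: verify what the wipe command's of= path really points at.
# BY_UUID_DIR is overridable only so the check can run on constructed paths.
BY_UUID_DIR=${BY_UUID_DIR:-/dev/disk/by-uuid}

# check_wipe_target UUID EXPECTED_DEVICE
check_wipe_target() {
    uuid=$1 expected=$2 link="$BY_UUID_DIR/$1"
    case "$uuid" in
        ''|*'<'*|*' '*) echo "placeholder or empty UUID"; return 1 ;;
    esac
    # dd creates a missing output path as a regular file instead of failing,
    # so a mistyped UUID would leave the header untouched.
    [ -L "$link" ] || { echo "$link is missing or not a udev symlink"; return 1; }
    target=$(readlink -f "$link")
    [ "$target" = "$(readlink -f "$expected")" ] || {
        echo "$link resolves to $target, not $expected"; return 1; }
    echo "ok: $link -> $target"
}

# Demo on a constructed by-uuid directory (UUIDs and devices are made up).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir "$demo/by-uuid"; : > "$demo/sda2"; : > "$demo/sda3"
ln -s ../sda3 "$demo/by-uuid/1111-constructed-header"
ln -s ../sda2 "$demo/by-uuid/2222-constructed-boot"
BY_UUID_DIR="$demo/by-uuid"
check_wipe_target 1111-constructed-header "$demo/sda3"
```

On the installed system, call it with the UUID printed by blkid and /dev/sda3, leaving `BY_UUID_DIR` at its default.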
Reboot
reboot
(Optional) Change passphrase/Remove duress password
If you want to change your duress passphrase, just execute:
sudo ./cryptkill.sh change-pass
[1/3] Enter new password: <duress password>
[1/3] Re-enter new password: <duress password>
If you want to change the exec line, execute setup script again:
sudo ./cryptkill.sh setup
Or if you want to remove the duress password feature, execute:
sudo ./cryptkill.sh remove
This will revert all changes made by the setup script.
Showcase
In GRUB, choose any mode to boot into the system:

You will be met with the initramfs passphrase entry prompt:

Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *********
After entering the duress passphrase, you will be asked for a passphrase again, just as when a wrong passphrase is entered:
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *********
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): (press TAB for no echo)
Even entering the real passphrase won't unlock your disk:
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *********
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *******
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): (press TAB for no echo)
After 3 failed attempts, systemd-cryptsetup will fail and systemd will be stuck.
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *********
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *******
Please enter passphrase for disk /dev/nvme0n1 (luks-55dc3a91-1df2-458a-9c75-799624cf04e8): *******
[FAILED] Failed to start systemd-cryptsetup@luks\x2d55dc3a91\x2d1df2\x2d458a\x2d9c75\x2d799624cf04e8.service.
[DEPEND] Dependency failed for cryptsetup.target.
This is the exact same output as when you enter the wrong passphrase 3 times in a row.
On the next reboot, after the GRUB screen, you will be met with the same error again, since the header at /dev/sda3 is not recognized and cryptsetup systemd service fails:
[FAILED] Failed to start systemd-cryptsetup@luks\x2d55dc3a91\x2d1df2\x2d458a\x2d9c75\x2d799624cf04e8.service.
[DEPEND] Dependency failed for cryptsetup.target.
Conclusion
In this tutorial, we set up Kicksecure in a way that it won't boot without a USB flash drive inserted.
If a specified passphrase is entered in the boot stage, or if an emergency reboot is triggered, all data on the computer will be destroyed permanently.
UserSurname 2025-12-03