Encrypt Kali HD after installation?

Hi everyone, I am trying to Encrypt KALI LINUX hard drive after the installation (I forgot to set that option during set up). what I have searched so far, indicates I need to re-install the OS.
it is possible to Encrypt without having to reinstall Kali Linux?


Yes, it is possible, I’ve personally never tried to do it but this post seems to detail it clearly:

1 Like

Thanks, this post seems useful.:grinning:

while trying to install dependencies got this error.

has anyone experienced this with Kali?

This solution for ubuntu may work, since both are debian based:

1 Like

I never use Kali, only Debian or NixOS, but I always prefer to have everything encrypted: /boot, /, swap, LVMS volumes, etc.

The only passphrase, randomly generated according to @roaring-lamport guidelines, is asked by GRUB at the very beginning of the boot process. This step decrypts the entire disk even before the GRUB menu. Then the kernel decrypts again, but this time without any interaction using a key file stored on /boot. Finally, for X, I use autologin.

With this strategy, security and usability are maximized. A laptop, after all, is a single-user setup.

To go in this direction, I think you will need to reinstall. For full, fast, and cheap backups that easily enables reinstallation, I moved to restic and Backblaze (B2). Currently is operating better than the hacks needed for Dropbox, Google Drive, rclone, file sync utilities without deduplication or local encryption capabilities.

The exact conf needed to reach that in NixOS is:

$ cat ~/conf/os/conf.nix          
  boot.loader.grub = {
    enable = true;
    version = 2;
    enableCryptodisk = true; # ask passphrase
    extraInitrd = "/boot/initrd.keys.gz"; # key file needed for kernel decryption
    device = "/dev/nvme0n1";

  boot.initrd.luks = {
    devices = [ {
      name = "root";
      preLVM = true;
      keyFile = "/keyfile.bin"; # using key file, avoiding 2nd interaction
      fallbackToPassword = true;
      device = "/dev/nvme0n1p1";
    } ];

To configure X auto-login:

$ cat ~/conf/os/conf.nix          
  services.xserver = {
    enable = true;

    displayManager.auto = {
      enable = true; # avoiding third interacion
      user = ${secrets.username};

    windowManager = {
      default = "i3"; # required for autologin
      i3.enable = true; # dont delete / not redundat

    desktopManager.default = "none";

The commands for appropriate formatting and encryption are:

$ cryptsetup luksDump /dev/nvme0n1p1
(only one slot used)
$ dd if=/dev/urandom of=./keyfile.bin bs=1024 count=4
$ cryptsetup luksAddKey /dev/nvme0n1p1 ./keyfile.bin
(two slots used, 0 for passphrase, 1 for keyfile)
$ cryptsetup luksDump /dev/nvme0n1p1
$ sudo su - 
root$ echo ./keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible | gzip -9 > /boot/initrd.keys.gz

To configure backups:

$ cat ~/conf/os/backup.nix 
{ pkgs, ... }:
  services.restic.backups = {
    home = {
      passwordFile = "/home/${secrets.username}/.secrets/restic";
      s3CredentialsFile = "/home/${secrets.username}/.secrets/b2";
      user = "${secrets.username}";
      paths = ["/home/${secrets.username}"];
      repository = "b2:XXXX:YYYY";
      extraOptions = ["b2.connections=25"];
      extraBackupArgs = [ "--exclude=/home/${secrets.username}/.cache"
                          "--verbose" ];
      timerConfig = {
        OnBootSec = "5m"; # backup 5 minutes after each boot 
        OnUnitActiveSec="60m"; # then, every 60min after the last one
  # journalctl --unit restic-backups-home.service -f

Soon, I will hope even the formatting will be functional and as code: