co4ie

Backtrack 5R1 Full Disk Encryption (install to hard drive)


I have set up many laptops and netbooks with Linux and have always used either full-disk encryption or an encrypted ~/. It's really easy to do and ANY laptop/netbook/tablet/pad/whatever_next mobile device should be encrypted. I won't get into the mechanics of why, just do it. The last article I wrote about this is no longer online (Maysville Linux Users Group, circa 2007) and it was much harder to accomplish back then, often requiring custom kernels to be compiled, etc. BackTrack has "nearly" everything it takes right on the live CD.

Prerequisites

* A laptop
* Bootable media (BackTrack on a USB stick, CD-ROM, some other distro, etc.)
* Internet connection (BackTrack's only requirement is to download two files)

So, on this new laptop, I don't care about the Windows install because I am going to simply blow it away. I don't use Windows, so there is no need for it to take up space (really, this is my employer's laptop and I simply swapped out the OEM laptop's hard drive for a spare 500GB hard drive I had. The difference is, the OEM drive is 160GB 7200 rpm and mine is 500GB 5400 rpm – slower, yes, but it holds a lot more data and I need that space).

If you are dual booting with windows, you will need to modify this tutorial. It assumes you are wiping out all data and installing on a blank drive.

Boot the BackTrack CD-ROM/USB stick. After you boot, you should be sitting at a root shell. First, make sure networking is up. If you are on a wired network, just issue the command:

Source code

ifconfig

Mine shows:

Source code

ifconfig
eth0 Link encap:Ethernet HWaddr 00:26:55:40:7a:2e
inet addr:10.10.10.13 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::226:55ff:fe40:7a2e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:346869 errors:0 dropped:0 overruns:0 frame:0
TX packets:294530 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:387443792 (387.4 MB) TX bytes:115635797 (115.6 MB)
Interrupt:45 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14162 errors:0 dropped:0 overruns:0 frame:0
TX packets:14162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:938339 (938.3 KB) TX bytes:938339 (938.3 KB)

wlan0 Link encap:Ethernet HWaddr 00:26:82:23:23:81
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

If you are on a wireless network that uses WPA, here are some tips and what I usually do:

Source code

iwlist wlan0 scan | grep ESSID    # shows the ESSIDs of nearby access points, if you don't know the name of yours
wpa_passphrase ESSID YOUR_WIRELESS_PASS > /etc/wpa_supplicant/temp.txt # creates the wpa_supplicant config file (it contains the passphrase in clear text; delete it when you are done)
wpa_supplicant -B -iwlan0 -c/etc/wpa_supplicant/temp.txt # starts wpa_supplicant in the background (-B) using that file
ifconfig wlan0 # check whether we have an IP address now
dhclient wlan0 # if there is no IP address, use this to get one; skip if there was one
ping google.com # confirm we can communicate with the internet

or if you are connecting to a WEP network…..

Source code


ifconfig wlan0 up
iwconfig wlan0 essid "insertSSIDhere" key s:insert_password_here

And if none of the above works, try wicd-curses or wicd-cli (not included by default; they must have been downloaded beforehand).

So, assuming we now have a network connection, let's download the two packages required for BackTrack Linux:

Source code

apt-get update
apt-get install hashalot lvm2

Once that is done, let's repartition the hard drive. On this laptop, the first drive is /dev/sda. You can find yours by looking for sd or hd in dmesg:

Source code

dmesg | egrep 'sd.|hd.'

Mine shows:

Source code

dmesg | egrep sd.\|hd.
[ 4.242404] sd 2:0:0:0: Attached scsi generic sg0 type 0
[ 4.243156] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/465 GiB)
[ 4.243661] sd 2:0:0:0: [sda] Write Protect is off
[ 4.243664] sd 2:0:0:0: [sda] Mode Sense: 2d 08 00 00
[ 4.243666] sd 2:0:0:0: [sda] Assuming drive cache: write through
[ 4.244911] sd 2:0:0:0: [sda] Assuming drive cache: write through
[ 4.245544] sda: sda1

So, it is showing the drive as sda and it currently has one partition, sda1 (with an old install of linux).

Next, we want to delete any partitions on the drive – THIS WILL DELETE ALL THE DATA ON THE DRIVE! Then we create a small partition that will hold /boot, and a second one covering the remainder of the drive that will become our encrypted partition containing everything else.

Source code

# use the appropriate drive letter for your system
fdisk /dev/sda

# delete existing partitions. There may be more than one; make sure you delete all of them
Command (m for help): d
Partition number (1-4): 1

# create the first partition (this becomes /dev/sda1, our unencrypted /boot)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-60801, default 60801): +500M

# create the extended partition covering the rest of the drive
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (66-60801, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
Using default value 60801

# create the logical partition inside it (this becomes /dev/sda5, the one we will encrypt)
Command (m for help): n
Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (66-60801, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
Using default value 60801

# set the type of the first partition to 83 (Linux)
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): 83

# mark the first partition active (bootable)
Command (m for help): a
Partition number (1-4): 1

# write the partition table and exit
Command (m for help): w

After I have the drive partitioned, I always write random data to the partition that will be encrypted:

Source code

dd if=/dev/urandom of=/dev/sda5 bs=4M    # bs=4M avoids dd's default 512-byte writes, which make this far slower

The above step takes many, many, many hours for a 450GB (give or take) drive.

When the above finally completes, you can begin setting up the encrypted partition.

Source code

cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: [type passphrase]
Verify passphrase: [repeat passphrase]
Command successful.

cryptsetup luksOpen /dev/sda5 pvcrypt
Enter LUKS passphrase: [type passphrase]
key slot 0 unlocked.
Command successful.

Once the above is done, we now create our logical volume with a / partition inside the logical volume on the encrypted partition.

Source code

pvcreate /dev/mapper/pvcrypt
Physical volume "/dev/mapper/pvcrypt" successfully created
vgcreate vg /dev/mapper/pvcrypt
Volume group "vg" successfully created
lvcreate -n root -l 100%FREE vg
Logical volume "root" created.

A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition. That way, it is also encrypted and not mounted until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off.

Now we format our root partition:

Source code

mkfs.ext4 /dev/mapper/vg-root

Once the above is done, we are now ready to startx and run the installer. So:

Source code

startx

When the graphical desktop is loaded, double click on the Install Backtrack icon.

I am not going to explain every step, just the ones that matter. The BackTrack installer is only a seven-step process anyway. For most of it you will simply accept the defaults, unless, for example, you don't want English as your installation language.

So the first step, simply select your language. Then click forward.

Step 2, select your timezone. Click forward.

Step 3, select your keyboard layout and click forward.

Step 4, this one is important: it is critical that you select "Specify partitions manually (advanced)". Click forward.

Step 4b, select the row that says vg-root and click on the Change button.

Step 4c: from the “use as:” drop-down list on the screen that appears, select Ext4 journaling filesystem. On the same screen, place a check mark next to Format the partition. Below that, enter / for the Mount point. Then select OK. You will be returned back to the previous screen.

Step 4d: There will be a row for the first partition we created, the 500M one. It will show up as 534MB if you are following this tutorial exactly, and it will be /dev/sda1. Highlight that partition and click the Change button. For "use as:", select Ext4 journaling filesystem again, select Format the partition, and enter /boot for the Mount point. Select OK.

You will be returned to the previous screen again. Click the forward button. You will receive a warning about not having a swap partition; see my note above, repeated next just in case you forgot:

A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition. That way, it is also encrypted and not mounted until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off.
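The post says the swap file is created on the encrypted root after installation but does not show how. The following is an added example, not from the original post: a small POSIX sh script that creates the swap file with standard util-linux tools (dd, mkswap, swapon) and adds it to /etc/fstab so it is only activated once / (the logical volume inside the LUKS container) is mounted. The path /swapfile and the 2048 MiB size are assumptions; run it as root on the installed system after it boots from the encrypted volume.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a swap file on the
# encrypted root so swapped-out pages are covered by LUKS and the file cannot
# be read without first unlocking the volume. Assumes root privileges.

SWAPFILE="${SWAPFILE:-/swapfile}"   # assumed path, on the encrypted root
SWAP_MB="${SWAP_MB:-2048}"          # assumed size in MiB

# Allocate the file with dd rather than fallocate (sparse files can be
# rejected by swapon), create it with a restrictive umask, and lock the mode
# to 0600 so only root can ever read the contents.
create_swapfile() {
    file="$1"; size_mb="$2"
    ( umask 077; dd if=/dev/zero of="$file" bs=1M count="$size_mb" 2>/dev/null ) || return 1
    chmod 600 "$file" || return 1
    mkswap "$file" >/dev/null || return 1
}

# The fstab entry: "sw" is the conventional Debian/Ubuntu swap option field.
swap_fstab_line() {
    printf '%s none swap sw 0 0\n' "$1"
}

# Append the entry only if it is not already present (idempotent).
add_swap_to_fstab() {
    fstab="$1"; file="$2"
    if grep -Eq "^[[:space:]]*$file[[:space:]]+none[[:space:]]+swap" "$fstab"; then
        return 0
    fi
    swap_fstab_line "$file" >> "$fstab"
}

# Activate the swap file now and persist it for future boots.
enable_swapfile() {
    file="$1"; fstab="${2:-/etc/fstab}"
    swapon "$file" || return 1
    add_swap_to_fstab "$fstab" "$file"
}

# Usage on the installed system (as root):
#   create_swapfile "$SWAPFILE" "$SWAP_MB" && enable_swapfile "$SWAPFILE"
```

Because the entry lives in /etc/fstab rather than /etc/crypttab, the swap file is never touched before the LUKS volume is open, which is exactly the property the note above is after.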

The next screen that appears says Ready to Install. Click the Advanced tab. Make sure the hard drive you are installing to is selected for the boot loader. Again, if following these instructions exactly, it will be /dev/sda. Select OK.

Click Install button.

The install will take a while, about 30 minutes on my laptop.

When it completes, you will be presented with the option to Continue testing or restart now, select Continue Testing.

At this point, we have created the partitions, created an encrypted partition that is holding a logical volume, formatted the logical volume, and installed the operating system into the encrypted partition. But, we still are not done configuring it. First we will identify the block id of the hard drive we installed to, then we will have to chroot to the encrypted hard drive to finish up.

Obtain the block id:

Source code

blkid /dev/sda5
/dev/sda5: UUID="b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526" TYPE="crypto_LUKS"

We will need the UUID later, so make sure you write it down, write it down correctly. Triple check…one more time won’t hurt….this step is critical!

Chrooting the system:

Source code

mkdir /mnt/bt
mount /dev/mapper/vg-root /mnt/bt
mount /dev/sda1 /mnt/bt/boot
chroot /mnt/bt
mount -t proc proc /proc
mount -t sysfs sys /sys

We now reinstall the same software we installed when running the live CD. We have to do this because that software was not part of the installation. When we install it this time, it is installed into the encrypted partition, where it is required for that partition to be opened at boot.

Source code


apt-get update
apt-get install hashalot lvm2

Now we have to edit the /etc/crypttab file, which tells the initramfs how to unlock the encrypted partition at boot. Use whatever editor you are comfortable with; I used vim. The format of the file is:

Source code

# <target device>   <source device>   <key file>   <options>
pvcrypt /dev/disk/by-uuid/b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526 none luks

Notice that in the above, the UUID of my drive appears as /dev/disk/by-uuid/MY_UUID. Make sure you put your UUID there in place of mine!

Next we have to edit the /etc/fstab file too. Open it in your favorite editor. If there is a line that mounts / by a UUID= entry (the installer writes one), it needs to be commented out and replaced by one that uses /dev/mapper/vg-root, like the example below.

Source code

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# we want this next line
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
# we do not want this next line so add a # to the beginning of it
# UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
# /dev/sdb1
UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2

When you have the file above finished, simply enter the following command to regenerate the initramfs image:

Source code

update-initramfs -u

At this point, you should be able to reboot. When BackTrack appears to stall at the splash screen, press F8 to get to the console, enter the passphrase required to access the encrypted partition and press Enter.

If you have issues: start back up with the bootable CD; bring the network up again (wired or wireless, as before); run the commands below:

Source code

apt-get update
apt-get install hashalot lvm2
blkid /dev/sda5 # replace /dev/sda5 with your encrypted partition and copy the blkid UUID to a text file
cryptsetup luksOpen /dev/sda5 pvcrypt # replace sda5 with your encrypted partition
mkdir /mnt/bt
mount /dev/mapper/vg-root /mnt/bt
mount /dev/[boot partition] /mnt/bt/boot
chroot /mnt/bt
mount -t proc proc /proc
mount -t sysfs sys /sys

This will get you right back to where you left off and you can diagnose the issues from there.

Things to check:

* blkid matches your encrypted partition's UUID in /etc/crypttab

* /etc/fstab has a line uncommented that contains /dev/mapper/vg-root

* /etc/fstab has a line containing UUID=YOUR_ENCRYPTED_DRIVES_UUID commented out

* run update-initramfs -u

* reboot and try again
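The crypttab/fstab edits earlier and the checklist above can be verified mechanically before you run update-initramfs again. The following is an added example, not from the original post: a POSIX sh script that extracts the UUID from a blkid line, builds the crypttab entry, and checks that /etc/crypttab and /etc/fstab contain what this tutorial expects. The mapper name pvcrypt and volume vg-root are the ones used in the tutorial; the file paths passed in the usage comment, and the sample file contents, are assumptions you supply.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity-checks the crypttab and
# fstab edits made inside the chroot, using the names from the tutorial
# (mapper target pvcrypt, LV /dev/mapper/vg-root).

# Pull the UUID out of a blkid line such as
#   /dev/sda5: UUID="b049f4d0-..." TYPE="crypto_LUKS"
uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([0-9a-fA-F-]*\)".*/\1/p'
}

# Build the crypttab line for the LUKS container from its UUID.
crypttab_line() {
    printf 'pvcrypt /dev/disk/by-uuid/%s none luks\n' "$1"
}

# 1. crypttab must have an active (uncommented) line mapping pvcrypt to the UUID.
check_crypttab() {
    grep -Eq "^[[:space:]]*pvcrypt[[:space:]]+/dev/disk/by-uuid/$2[[:space:]]+none[[:space:]]+luks" "$1"
}

# 2. fstab must mount / from the logical volume, not from a filesystem UUID.
check_fstab_root() {
    grep -Eq "^[[:space:]]*/dev/mapper/vg-root[[:space:]]+/[[:space:]]+ext4" "$1"
}

# 3. no uncommented UUID= line may still claim the / mount point.
check_fstab_no_uuid_root() {
    ! grep -Eq "^[[:space:]]*UUID=[^[:space:]]+[[:space:]]+/[[:space:]]" "$1"
}

# Run every check, print a verdict for each, and return nonzero if any failed.
run_checks() {
    crypttab="$1"; fstab="$2"; uuid="$3"; rc=0
    if check_crypttab "$crypttab" "$uuid"; then echo "ok   crypttab maps pvcrypt to $uuid"
    else echo "FAIL crypttab does not map pvcrypt to $uuid"; rc=1; fi
    if check_fstab_root "$fstab"; then echo "ok   fstab mounts / from /dev/mapper/vg-root"
    else echo "FAIL fstab has no active /dev/mapper/vg-root line for /"; rc=1; fi
    if check_fstab_no_uuid_root "$fstab"; then echo "ok   no active UUID= line claims /"
    else echo "FAIL an uncommented UUID= line still claims /; comment it out"; rc=1; fi
    return $rc
}

# Usage inside the chroot (device and paths are the tutorial's; adjust to yours):
#   run_checks /etc/crypttab /etc/fstab "$(uuid_from_blkid "$(blkid /dev/sda5)")" \
#       && update-initramfs -u
```

Running this before update-initramfs -u catches the two mistakes the checklist is about (a mistyped UUID in crypttab, and the installer's UUID= root line left active in fstab) while you still have a working live environment, instead of discovering them at the next boot.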

Source
