co4ie
Posted December 5, 2011

I have set up many laptops and netbooks with linux and have always used either full-disk encryption or ~/ encrypted. It’s really easy to do and ANY laptop/netbook/tablet/pad/whatever_next mobile device should be encrypted. I won’t get into the mechanics of why, just do it. The last article I wrote about this is no longer online (Maysville Linux Users Group, circa 2007) and it was much harder to accomplish back then, often requiring custom kernels to be compiled, etc. Backtrack has “nearly” everything it takes right on the live cd.

Prerequisites

* A laptop
* Bootable media (backtrack on usb stick, cdrom, some other distro, etc)
* Internet connection (backtrack’s only requirement is to download two files)

So, on this new laptop, I don’t care about windows installed because I am going to simply blow it away. I don’t use windows, no need for it taking up space (really this is my employer’s laptop and I simply swapped out the oem laptop’s hard drive with a spare 500GB hard drive I had. The difference is, the oem drive is 160GB 7200 rpm and mine is 500GB 5400 rpm – slower yes but holds a lot more data and I need that space).

If you are dual booting with windows, you will need to modify this tutorial. It assumes you are wiping out all data and installing on a blank drive.

Boot the backtrack cdrom/usb stick. After you boot, you should be sitting at a root shell. First, make sure networking is up.
If you are on a wired network, just issue the command:

    ifconfig

Mine shows:

    ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:26:55:40:7a:2e
              inet addr:10.10.10.13  Bcast:10.10.10.255  Mask:255.255.255.0
              inet6 addr: fe80::226:55ff:fe40:7a2e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:346869 errors:0 dropped:0 overruns:0 frame:0
              TX packets:294530 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:387443792 (387.4 MB)  TX bytes:115635797 (115.6 MB)
              Interrupt:45 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:14162 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14162 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:938339 (938.3 KB)  TX bytes:938339 (938.3 KB)

    wlan0     Link encap:Ethernet  HWaddr 00:26:82:23:23:81
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

If you are on a wireless network that uses WPA, here are some tips and what I usually do:

    iwlist wlan0 scan | grep ESSID    # this shows the essid of access points close by if you don't know the name of yours
    wpa_passphrase ESSID YOUR_WIRELESS_PASS > /etc/wpa_supplicant/temp.txt    # this creates the correct wpa_supplicant file
    wpa_supplicant -B -iwlan0 -c/etc/wpa_supplicant/temp.txt    # this starts wpa_supplicant using that file (-B runs it in the background)
    ifconfig wlan0    # this makes sure we have an ip address now
    dhclient wlan0    # if there is no ip address, use this to get one...skip if there was an ip
    ping google.com   # this makes sure we can communicate with the internet

or if you are connecting to a WEP network…..

    ifconfig wlan0 up
    iwconfig wlan0 essid "insertSSIDhere" key s:insert_password_here

And if none of the above work, try wicd-ncurses, or wicd-cli (not included by default, must be downloaded previously).

So, assuming we now have a network connection, let’s download two packages required for backtrack linux:

    apt-get update
    apt-get install hashalot lvm2

Once that is done, let’s repartition the hard drive. On this laptop, the first drive is /dev/sda. You can find yours by looking for sd or hd in dmesg:

    dmesg | egrep sd.\|hd.

Mine shows:

    dmesg | egrep sd.\|hd.
    [ 4.242404] sd 2:0:0:0: Attached scsi generic sg0 type 0
    [ 4.243156] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/465 GiB)
    [ 4.243661] sd 2:0:0:0: [sda] Write Protect is off
    [ 4.243664] sd 2:0:0:0: [sda] Mode Sense: 2d 08 00 00
    [ 4.243666] sd 2:0:0:0: [sda] Assuming drive cache: write through
    [ 4.244911] sd 2:0:0:0: [sda] Assuming drive cache: write through
    [ 4.245544] sda: sda1

So, it is showing the drive as sda and it currently has one partition, sda1 (with an old install of linux).

Next, we want to delete any partitions on the drive – THIS WILL DELETE ALL THE DATA ON THE DRIVE! And create a small partition that will hold boot and the remainder that will be our encrypted drive containing everything else.

    # use the appropriate drive letter for your system
    fdisk /dev/sda

    # delete existing partitions.
    # There may be more than one.
    # Make sure you delete all of them
    Command (m for help): d
    Partition number (1-4): 1

    # create the first partition
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First cylinder (1-60801, default 1): <enter>
    Using default value 1
    Last cylinder, +cylinders or +size{K,M,G} (1-60801, default 60801): +500M

    # create the extended partition
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    e
    Partition number (1-4): 2
    First cylinder (66-60801, default 66): <enter>
    Using default value 66
    Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
    Using default value 60801

    # Create the logical partition.
    Command (m for help): n
    Command action
       l   logical (5 or over)
       p   primary partition (1-4)
    l
    First cylinder (66-60801, default 66): <enter>
    Using default value 66
    Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
    Using default value 60801

    # Setting the partition type for the first partition to ext3
    Command (m for help): t
    Partition number (1-4): 1
    Hex code (type L to list codes): 83

    # Setting the first partition active
    Command (m for help): a
    Partition number (1-4): 1

    Command (m for help): w

After I have the drive partitioned, I always write random data to the partition that will be encrypted:

    dd if=/dev/urandom of=/dev/sda5

The above step for a 450GB (give or take) drive takes many, many, many hours.

When the above finally completes, you can begin setting up the encrypted partition.

    cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

    WARNING!
    ========
    This will overwrite data on /dev/sda5 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: (enter passphrase) [type passphrase]
    Verify passphrase: (repeat passphrase) [type passphrase]
    Command successful.

    cryptsetup luksOpen /dev/sda5 pvcrypt
    Enter LUKS passphrase: [type passphrase]
    key slot 0 unlocked.
    Command successful.

Once the above is done, we now create our logical volume with a / partition inside the logical volume on the encrypted partition.

    pvcreate /dev/mapper/pvcrypt
    Physical volume "/dev/mapper/pvcrypt" successfully created
    vgcreate vg /dev/mapper/pvcrypt
    Volume group "vg" successfully created
    lvcreate -n root -l 100%FREE vg
    Logical volume "root" created.

A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition. That way, it is also encrypted and not mounted until after the encrypted partition is mounted.
Too many traces of stuff can be left in a swap partition, even after a computer is shut off.

Now we format our root partition:

    mkfs.ext4 /dev/mapper/vg-root

Once the above is done, we are now ready to startx and run the installer. So:

    startx

When the graphical desktop is loaded, double click on the Install Backtrack icon.

I am not going to explain every step, just the ones that matter (in bold). The backtrack installer is only a seven step process anyways. For most of that you will simply accept the defaults, unless, for example, you don’t want English language as your installation language.

So the first step, simply select your language. Then click forward.

Step 2, select your timezone. Click forward.

Step 3, select your keyboard layout and click forward.

Step 4, this one is important and it is critical that you select “Specify partitions manually (advanced)”. Click forward.

Step 4b, select the row that says vg-root and click on the Change button.

Step 4c: from the “use as:” drop-down list on the screen that appears, select Ext4 journaling filesystem. On the same screen, place a check mark next to Format the partition. Below that, enter / for the Mount point. Then select OK. You will be returned back to the previous screen.

Step 4d: There will be a row that has the first partition we created, the 500M one. It will show up as 534MB if you are following this tutorial exactly. It will also be /dev/sda1. Highlight that partition and select the Change button. For “use as:”, select Ext4 journaling filesystem again, select Format the partition, and enter /boot for the Mount point. Select ok.

You will be returned back to the previous screen again. Click the forward button. You will receive a warning about not having a swap partition….see my note above and repeated next just in case you forget:

A lot of people may disagree with me, but I don’t create a swap “partition”. Instead, what I do is create a swap file after the installation is completed inside the encrypted partition.
That way, it is also encrypted and not mounted until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off.

The next screen that appears says Ready to Install. Click the Advanced tab. Make sure the hard drive you are installing to is selected for the boot loader. Again, if following these instructions exactly, it will be /dev/sda. Select ok.

Click the Install button.

The install will take a while, about 30 minutes on my laptop.

When it completes, you will be presented with the option to Continue testing or restart now, select Continue Testing.

At this point, we have created the partitions, created an encrypted partition that is holding a logical volume, formatted the logical volume, and installed the operating system into the encrypted partition. But, we still are not done configuring it. First we will identify the block id of the hard drive we installed to, then we will have to chroot to the encrypted hard drive to finish up.

Obtain the block id:

    blkid /dev/sda5
    /dev/sda5: UUID="b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526" TYPE="crypto_LUKS"

We will need the UUID later, so make sure you write it down, and write it down correctly. Triple check…one more time won’t hurt….this step is critical!

Chrooting the system:

    mkdir /mnt/bt
    mount /dev/mapper/vg-root /mnt/bt
    mount /dev/sda1 /mnt/bt/boot
    chroot /mnt/bt
    mount -t proc proc /proc
    mount -t sysfs sys /sys

We now reinstall the same software we installed when running the live cd. We have to do this because that software was not part of the installation. When we install it this time, it installs it to the encrypted partition and is required for it to be accessed.

    apt-get update
    apt-get install hashalot lvm2

Now we have to edit the /etc/crypttab file, which tells initramfs how to mount the encrypted partition. Use whatever editor you are comfortable with, I used vim.
The format of the file is:

    # <target device> <source device> <key file> <options>
    pvcrypt /dev/disk/by-uuid/b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526 none luks

If you notice in the above, the uuid of my drive is listed in /dev/disk/by-uuid/MY_UUID. Make sure you place your uuid there in place of mine!

Next we have to edit the /etc/fstab file too. Open it in your favorite editor. If there is a line that has the UUID of your encrypted partition, it needs to be commented out and replaced by one that has /dev/mapper/vg-root like the example below.

    # /etc/fstab: static file system information.
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    proc /proc proc defaults 0 0
    # we want this next line
    /dev/mapper/vg-root / ext4 errors=remount-ro 0 1
    # we do not want this next line so add a # to the beginning of it
    # UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
    # /dev/sdb1
    UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2

When you have the file above finished, simply enter the following command to regenerate the initramfs image:

    update-initramfs -u

At this point, you should be able to reboot.
When backtrack appears to stall at the splash page, press F8 to get to the console where you enter your password required to access the encrypted partition and press enter.

If you have issues: start back up with the bootable cd; restart the network (wired or wireless as previous); run the commands below:

    apt-get update
    apt-get install hashalot lvm2
    blkid /dev/sda5    # replace /dev/sda5 with your encrypted partition and copy blkid UUID to a text file
    cryptsetup luksOpen /dev/sda5 pvcrypt    # replace sda5 with your encrypted partition
    mkdir /mnt/bt
    mount /dev/mapper/vg-root /mnt/bt
    mount /dev/[boot partition] /mnt/bt/boot
    chroot /mnt/bt
    mount -t proc proc /proc
    mount -t sysfs sys /sys

This will get you right back to where you left off and you can diagnose the issues from there.

Things to check:

* blkid matches your encrypted partition’s UUID in /etc/crypttab
* /etc/fstab has a line uncommented that contains /dev/mapper/vg-root
* /etc/fstab has a line containing UUID=YOUR_ENCRYPTED_DRIVES_UUID commented out
* run update-initramfs -u
* reboot and try again
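The "Things to check" list above, written as a script. This is an added example and not part of the original post: the function names are hypothetical, and the sample files are constructed, modelled on the crypttab and fstab shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the sample files are constructed, modelled on the ones shown in the post.

# Succeeds if an active (non-comment) crypttab line names the LUKS UUID.
crypttab_has_uuid() {    # usage: crypttab_has_uuid FILE UUID
    awk -v u="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $2 == ("/dev/disk/by-uuid/" u) || $2 == ("UUID=" u) { found = 1 }
        END { exit !found }' "$1"
}

# Prints the device field of every active fstab entry mounted at "/".
fstab_root_source() {    # usage: fstab_root_source FILE
    awk 'NF == 0 || $1 ~ /^#/ { next } $2 == "/" { print $1 }' "$1"
}

# Returns 0 only if crypttab names the UUID and "/" comes from vg-root alone.
check_luks_boot_config() {    # usage: check_luks_boot_config CRYPTTAB FSTAB UUID
    rc=0
    crypttab_has_uuid "$1" "$3" || { echo "FAIL: $1 does not name UUID $3"; rc=1; }
    roots=$(fstab_root_source "$2")
    [ "$roots" = "/dev/mapper/vg-root" ] ||
        { echo "FAIL: active / entry in $2 is '${roots:-none}'"; rc=1; }
    return "$rc"
}

# Constructed sample files (UUIDs copied from the post's own examples).
demo=$(mktemp -d)
uuid="b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526"
printf '%s\n' "pvcrypt /dev/disk/by-uuid/$uuid none luks" > "$demo/crypttab"
cat > "$demo/fstab.good" <<'EOF'
proc /proc proc defaults 0 0
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
# UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2
EOF
# Same file with the installer's UUID line for / left active: must be rejected.
sed 's/^# UUID=/UUID=/' "$demo/fstab.good" > "$demo/fstab.bad"

check_luks_boot_config "$demo/crypttab" "$demo/fstab.good" "$uuid" && echo "good: OK"
check_luks_boot_config "$demo/crypttab" "$demo/fstab.bad" "$uuid" || echo "bad: rejected"
```

On the installed system, run it inside the chroot before `update-initramfs -u` as `check_luks_boot_config /etc/crypttab /etc/fstab "$(blkid -s UUID -o value /dev/sda5)"`, replacing /dev/sda5 with your encrypted partition.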