BACKTRACK Encrypted HDD installation

[yo20063]

In primul rand am cautat pe forum si nu am gasit nimic despre asta, si mie mi se pare o chestie normala sa vrei sa-ti protejezi informatiile de pe HDD, mai ales cand faci greyhat, blackhat. Iar aruncatul HDD-ului in rau nu este cea mai buna optiune!

Stiu ca este cam lung, dar pentru cine are nevoie poate fi diferenta dintre libertate si inchisoare! Mai ales cu o parola de 60+ caractere.

Encrypted HDD installation with pre-boot authentication using LUKS and LVM

v1.01

************************************************** **************************************************

* 0. Introduction

************************************************** **************************************************

This tutorial will show you how to install Backtrack 3 final to your hard drive on an encrypted partition. We will be using cryptsetup with LUKS support to encrypt the main disk partition and LVM to further divide the encrypted space into two sub-partitions (root and swap). Backtrack will then be installed to the root partition and configured accordingly. Finally, a custom initrd image will be created on the unencrypted /boot partition to enable system decryption with a pre-boot authentication. The installation was originally performed using the Backtrack 3 Final live CD, but the USB image has been found to work just as well.

NOTICE: Certain things may have changed since the time of this writing. Be sure to keep an eye out for any changes (e.g. there may be newer versions of some mentioned packages available or perhaps certain packages are no longer available on specified websites).

This tutorial assumes the following things:

You have a spare laptop (or another computer) capable of running Backtrack.

Backtrack is going to be the only operating system on your machine.

Your computer has a single hard drive that is still running and has enough space for this installation.

You kow how to manually partition a hard disk and flag a partition as bootable.

You have a working internet connection on your target computer after booting a live BT3 image.

You have heard of a shell and know how to get one going.

You have at least 2 neurons in your brain and that there is not to much tar built up between them from smoking weed.

NOTICE: Sorry, guys. I'm not going to cover a dual-boot setup here. If your goal isn't quite the same as mine (single-boot setup) then you'll have to adapt the changes on your own. Dual-booting isn't covered by this article.

************************************************** **************************************************

* 1. Prepearing the hard disk for installation

************************************************** **************************************************

Alright, so let's begin. Assuming, you have a live BT3 image running on the target computer, fire up a new shell.

NOTICE: You need to know the device name of your hard disk. The name of the disk on my machine was labeled /dev/hda. So, if your disk is named /dev/sda, be sure to adapt the commands accordingly.

WARNING: The following actions will irrecoverably erase all data on your hard disk. If you have any valuable data left on your hard drive then be sure to back it up *before* proceeding!

Step 1.1 - Fill the disk with random data (optional)

----------------------------------------------------------------------------------------------------

The first thing we should probably do before encrypting a hard drive is fill it with random data. This step is optional, but it will help us slow down potential attacks on the encryption. It also erases any data left behind by a previous installation. You can skip this step down to the next one, if you don't want to wait.

NOTICE: Please note that the following operations may take up to several hours to complete, depending on how fast your computer is. Run the command and let the computer do the job. Watch television meanwhile, go for a walk outside, have a meal with your friends, go to work, or even better - let the computer work overnight.

It's probably a good idea to check your hard disk for defects before proceeding. The "badblocks" method will scan your hdd for any bad blocks while also filling it with random data in the process.

bt ~ # badblocks -s -w -t random -v /dev/hda
Checking for bad blocks in read-write mode
From block 0 to 39070080
Testing with random pattern: done
Reading and comparing: done
Pass completed, 0 bad blocks found.
bt ~ #

Certain sources say that badblocks uses a lower quality random data generator. For this reason the more paranoid users should use the "dd" method to overwrite the contents of the HDD with a higher quality random data from /dev/urandom. The drawback is that dd doesn't show any progress bar. It's done "when it's done" and it usually takes a long time.

bt ~ # dd if=/dev/urandom of=/dev/hda
(wait a very long time)
dd: writing to `/dev/hda': No space left on device
78140161+0 records in
78140160+0 records out
40007761920 bytes (40 GB) copied, 25485.8 s, 1.6 MB/s
bt ~ #

Step 1.2 - Partition the hard disk

----------------------------------------------------------------------------------------------------

Next, we will have to partition the hard disk. Use the ©fdisk utility or any other partitioning tool of your choice to create two partitions on the HDD. The first one should be about 256MB while the other can use the rest of the disk space. Personally, I used the GParted on the Ubuntu Live CD to do the partitioning and I had to reboot back into BT3 to continue the setup.

CAUTION: While you're still partitioning the HDD, make sure that you flag the first partition as bootable or else the system will fail to boot properly.

Here's how the final partition table looked like on my 40GB HDD:

/dev/hda1, 256MB, bootable

/dev/hda2, 39.7GB

You don't have to assign any file systems at this point. Should you choose to do so, then the first partition (/dev/hda1) should use ext2. The file system on the other partition doesn't really matter since we are going to ovewrite it later. Now make sure that none of our new partitions are currently mounted. If they are, then unmount them first.

bt ~ # mount
aufs on / type aufs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/hda1 on /mnt/hda1 type ext2 (rw,noatime)
/dev/hda2 on /mnt/hda2 type ext3 (rw,noatime)
bt ~ # umount /mnt/hda1
bt ~ # umount /mnt/hda2
bt ~ #

************************************************** **************************************************

* 2. Setting up LUKS encryption

************************************************** **************************************************

Step 2.1 - Install Cryptsetup

----------------------------------------------------------------------------------------------------

Here we have to install our binary that we are going to use to encrypt the main partition. You guessed it, it's cryptsetup with LUKS support. While still in your shell, create a new folder named "sources" in the /root directory and cd to it.

bt ~ # mkdir /root/sources
bt ~ # cd /root/sources
bt sources #

Backtrack doesn't have cryptsetup installed. We will have to download it, compile it from source and install it manually. At the time of this writing, the LUKS website (http://luks.endorphin.org/) seems to be unavailable and we'll download the latest version of cryptsetup from googlecode instead.

bt sources # wget http://cryptsetup.googlecode.com/files/cryptsetup-1.0.6.tar.bz2
--09:10:20--  http://cryptsetup.googlecode.com/files/cryptsetup-1.0.6.tar.bz2
           => `cryptsetup-1.0.6.tar.bz2'
Resolving cryptsetup.googlecode.com... 74.125.47.82
Connecting to cryptsetup.googlecode.com|74.125.47.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 405,713 (396K) [application/x-bzip2]

100%[===========================================================>] 405,713      139.50K/s

09:10:23 (139.16 KB/s) - `cryptsetup-1.0.6.tar.bz2' saved [405713/405713]

bt sources #

Next, we have to extract the package, cd to the extraction folder and compile the binary by using the standard "configure && make && make install" routine.

bt sources # tar -xf cryptsetup-1.0.6.tar.bz2
bt sources # cd cryptsetup-1.0.6
bt cryptsetup-1.0.6 # configure
(lots of configuration output)
bt cryptsetup-1.0.6 # make
(lots of compiler lines)
bt cryptsetup-1.0.6 # make install
(some more output)
bt cryptsetup-1.0.6 #

Step 2.2 - Create an encrypted partition

----------------------------------------------------------------------------------------------------

Cryptsetup should be working now. You can check by typing "cryptsetup" in your shell and you should get a quick "Usage" message displayed. Our next step is to create an encrypted space on the second HDD partition (dev/hda2) by passing a number of parameters to the cryptsetup binary. We must also choose our password that has to be entered each time we'd like to boot the system (pre-boot authentication). Personally, I used "asd" for the sake of simplicity, but you may want to choose a stronger passphrase. I typically use the initials of words in a sentence that is well known to me. Add a few numbers at the end (like your birth year in reverse) and some punctuation and you've got a nice strong password, easy to remember. For example, the sentence "The quieter you become, the more you are able to hear." would result in "tQyBtMyAtH*7331" (that's not my birth date btw).

CAUTION: When entering a passphrase, keep an eye out for which keyboard layout you're using. If you're not using the US layout, some keys are likely to change the next time we boot the system - the keyboard layout changes back to default and your pass phrase might not work the way you wanted. There is an option later to add a correct keyboard layout to initrd, but you could also avoid this problem by not using any keys that might change as a result of different keyboard layouts. Also, be sure to choose a password that you can remember. Losing your password means losing all data on the encrypted partition.

bt cryptsetup-1.0.6 # cryptsetup -v -y -c aes-cbc-essiv:sha256 -h sha256 -s 256 luksFormat /dev/hda2

WARNING!
========
This will overwrite data on /dev/hda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter your secret password here)
Verify passphrase: (repeat the password you have just typed)
Command successful.
bt cryptsetup-1.0.6 #

Our encrypted partition is now created and ready to be used. All that's left to do is open it and make it available to the system for r/w. After issuing the following command, you should see a new device appear: /dev/mapper/btcrypt

bt cryptsetup-1.0.6 # cryptsetup luksOpen /dev/hda2 btcrypt
Enter LUKS passphrase: (enter your secret password here)
key slot 0 unlocked.
Command successful.
bt cryptsetup-1.0.6 #

************************************************** **************************************************

* 3. Creating volumes with LVM

************************************************** **************************************************

Step 3.1 - Make sub-partitions with LVM

----------------------------------------------------------------------------------------------------

Why use LVM, you ask? Well... Instead of creating two or more encrypted partitions on the HDD and having to decrypt them all, we are going to use only one encrypted partition. And LVM will be used to divide the encrypted space into a number sub-partitions, each with its own file system. This makes the setup a bit more secure as we aren't leaking the inner partition data to an outsider. For more information on LVM, please see the sources section (#7). Setting up LVM is easy. First we will create a physical volume (pv) for our encrypted partition. This tells the kernel that all the space in our encrypted partition may be used for logical volumes. Let's make a physical volume now.

bt cryptsetup-1.0.6 # cd /root
bt ~ # pvcreate /dev/mapper/btcrypt
  Physical volume "/dev/mapper/btcrypt" successfully created
bt ~ #

You can now view your physical volume(s) by using the "pvdisplay" command. Let's move on to creating a volume group. A volume group (vg) is basically a given region of space where logical volumes reside. A vg may extend over several physical volumes, but for this tutorial, we're only going to use one. Let's make a volume group now and feed it with a physical volume we just created.

bt ~ # vgcreate btcrypt /dev/mapper/btcrypt
  Volume group "btcrypt" successfully created
bt ~ #

You can view your volume group(s) by using the "vgdisplay" command. The final step in setting up LVM is creating some logical volumes a.k.a. our secret partitions. For this installation we will need a swap and a root partition. I will let you decide how much space to use for each partition. Personally, I have a 40GB HDD on this laptop and I used about 1GB for the swap partition and the rest of the disk space for the root partition where BT3 is going to be installed. So let's make the two logical volumes now, yes?

NOTICE: I got some errors while creating the logical volumes (see below). I am not sure what these mean, but they didn't seem to interfere with LVM setup.

NOTICE: The LVM that comes with Backtrack doesn't seem to accept the 100%FREE parameter, which allocates the rest of free space to a given lv. For this reason, I had to manually specify the size when creating the root lv. The "vgdisplay" shows how much free space there is left (extents). All you have to do is pass that number to lvcreate.

bt ~ # lvcreate -L 1G -n swap btcrypt
  /dev/cdr: open failed: Read-only file system
  Logical volume "swap" created
bt ~ # vgdisplay
  --- Volume group ---
  VG Name               btcrypt
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  4
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                1
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               37.00 GB
  PE Size               4.00 MB
  Total PE              9473
  Alloc PE / Size       256 / 1.00 GB
  Free  PE / Size       9217 / 36.00 GB
  VG UUID               HLVoWV-UJGR-c2q6-ldW0-kNRK-yriF-pwglxA

bt ~ # lvcreate -l 9217 -n root btcrypt
  /dev/cdr: open failed: Read-only file system
  Logical volume "root" created
bt ~ #

Let's run a few more things to activate the volumes...

bt ~ # vgscan --mknodes
  Reading all physical volumes.  This may take a while...
  Found volume group "btcrypt" using metadata type lvm2
bt ~ # vgchange -ay
  2 logical volume(s) in volume group "btcrypt" now active
bt ~ #

Phew! We now have two logical volumes ready to go - /dev/btcrypt/swap and /dev/btcrypt/root.

Step 3.2 - Add some file systems

----------------------------------------------------------------------------------------------------

The volumes we just created aren't really useful by themselves, they need a file system ontop. If you haven't done so already, you can now create an ext2 file system on our boot partition (/dev/hda1).

bt ~ # mkfs.ext2 /dev/hda1
(some info and progress output)
bt ~ #

Remember that this partition is going to remain unencrypted. Some readable space is required to store the kernel and other data needed to boot the system. In this article it's going to be the first partition on the HDD, but it's also possible to store the /boot partition on a separate usb key. The latter approach is not discussed here. So let's finish this file system stuff already and create an appropriate file systems on our two logical volumes.

bt ~ # mkfs.ext3 /dev/btcrypt/root
(some info and progress output)
bt ~ # mkswap /dev/btcrypt/swap
Setting up swapspace version 1, size = 1073737 kB
no label, UUID=84342ed9-4716-4ab0-8e86-89698f1f11fc
bt ~ # swapon /dev/btcrypt/swap
bt ~ #

************************************************** **************************************************

* 4. Installing Backtrack 3

************************************************** **************************************************

Step 4.1 - Installation

----------------------------------------------------------------------------------------------------

It's time we finally install Backtrack 3. We will use the standard command-line installation. Instead of installing directly to a partition on the HDD we are going to install it to our encrypted root LVM volume.

bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/btcrypt/root /mnt/backtrack
bt ~ # mkdir /mnt/backtrack/boot
bt ~ # mount /dev/hda1 /mnt/backtrack/boot
bt ~ # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack
(wait some time and let the computer finish)
bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt ~ # mount --bind /dev/ /mnt/backtrack/dev
bt ~ # mount -t proc proc /mnt/backtrack/proc
bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot
bt ~ #

Chroot into your new installation folder and we can move on to configuring and customizing this installation of BT3.

bt ~ # chroot /mnt/backtrack /bin/bash
bt / #

CAUTION: It's important to keep this "chroot-ed" shell up and running until the installation is fully finished. All commands as of now should only be entered into this shell.

************************************************** **************************************************

* 5. Creating initrd.gz with mkinitrd

************************************************** **************************************************

Step 5.1 - Install the mkinitrd script

----------------------------------------------------------------------------------------------------

The standard BT3 kernel doesn't know how to boot a system with an encrypted root partition. We have to tell it by creating and adding an initrd image. To create our image we will use the mkinitrd script. Since Backtrack doesn't come with mkinitrd, we will have to download a slackware version. You should be able to download the script from a slackware mirror. Go to Slackware website and pick a mirror (any mirror should do). Navigate into /slackware-current/slackware/a/ and download a package named mkinitrd-1.3.3-i486-1.tgz. I used the command line to download from a mirror in Germany. After downloading, run the "installpkg" command to install the package.

bt / # cd /root/sources
bt sources # wget ftp://ftp.gwdg.de/pub/linux/slackware/slackware-current/slackware/a/mkinitrd-1.3.3-i486-1.tgz
(wait for the download to finish)
bt sources # installpkg mkinitrd-1.3.3-i486-1.tgz
Installing package mkinitrd-1.3.3-i486-1...
PACKAGE DESCRIPTION:
mkinitrd: mkinitrd (make an initial ramdisk)
mkinitrd:
mkinitrd: mkinitrd is a script to create an initial ramdisk that is loaded at
mkinitrd: the same time as the kernel.  The initial ramdisk may be responsible
mkinitrd: for loading kernel modules (such a filesystem or SCSI controller
mkinitrd: module) that are needed to mount the root filesystem.
mkinitrd:
mkinitrd: The "initrd" is implemented as an initramfs.  See the kernel
mkinitrd: documentation for more information on this, if you are interested.
mkinitrd:
Executing install script for mkinitrd-1.3.3-i486-1...

bt sources #

Step 5.2 - Compiling a static cryptsetup

----------------------------------------------------------------------------------------------------

Well, we've used cryptsetup to encrypt our partition, but we also need it to decrypt it at boot. Unfortunately, the cryptsetup binary we've installed earlier is located on our encrypted partition, which will be inaccessable. For this reason we need another cryptsetup binary, one that is capable of running on its own and doesn't need any shared libraries or other junk. We need to compile a static binary. Fortunately, we already have the source code for cryptsetup-1.0.6 that we've downloaded earlier and we can use it to compile our cryptsetup.static.

NOTICE: This is the part where I had the most trouble and the going was very rough. While trying to compile a static cryptsetup binary, I ended up having make spit out some errors on my screen. Apparently there were a few missing static libraries needed to compile cryptsetup.static. We will install these libs first and then recompile cryptsetup. There's another error that I wasn't able to get past by normal means - see below.

So let's install the missing libs. The two libraries in question are libgcrypt.a and libgpg-error.a. You can download both from the GnuPG website. After downloading, extract them and install using the same as always "configure && make && make install".

First, let's install libgcrypt.a...

bt sources # wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.3.tar.bz2
(wait for the download to finish)
bt sources # tar -xf libgcrypt-1.4.3.tar.bz2
bt sources # cd libgcrypt-1.4.3
bt libgcrypt-1.4.3 # configure
(lots of configuration output)
bt libgcrypt-1.4.3 # make
(lots more compiler lines)
bt libgcrypt-1.4.3 # make install
(some more output)
bt libgcrypt-1.4.3 #

And second, libgpg-error.a...

bt libgcrypt-1.4.3 # cd ..
bt sources # wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.7.tar.bz2
(wait for the download to finish)
bt sources # tar -xf libgpg-error-1.7.tar.bz2
bt sources # cd libgpg-error-1.7
bt libgpg-error-1.7 # configure
(lots of configuration output)
bt libgpg-error-1.7 # make
(lots more compiler lines)
bt libgpg-error-1.7 # make install
(some more output)
bt libgpg-error-1.7 #

Now that we have all neccessary files, it's time to compile our cryptsetup.static binary that we are going to use for the initrd image. We're not going to install this binary, but instead we will manually copy it to the destination folder - so *don't* run "make install" when "make" finishes, *if* it finishes.

bt libgpg-error-1.7 # cd ..
bt sources # cd cryptsetup-1.0.6
bt cryptsetup-1.0.6 # configure --enable-static=yes --enable-shared=no
(lots of configuration output)
bt cryptsetup-1.0.6 # make clean
(cleaner output)
bt cryptsetup-1.0.6 # make
(lots of compiler output that ends in an error)

NOTICE: I'm not quite sure why this happens. Either I am doing something wrong or there is a bug in the compiler script. But when compiling the final binary with "make", gcc tries to link against a shared library despite having a static version available. This results in an error and termination of the "make" script (see the bold line below, error marked in red). I took the liberty to modify the compiler sentence and remove the shared module from the list. This resulted in a binary being compiled successfully.

The resulting error looks like this:

gcc -g -O2 -o cryptsetup -static cryptsetup.o  /usr/lib/libpopt.a ../lib/.libs/libcryptsetup.a -ldevmapper -L/usr/local/lib /usr/local/lib/libgcrypt.a /usr/lib/libgpg-error.so /usr/local/lib/libgpg-error.a -luuid
/usr/lib/gcc/i486-slackware-linux/4.1.2/../../../../i486-slackware-linux/bin/ld: attempted static link of dynamic object `/usr/lib/libgpg-error.so'
collect2: ld returned 1 exit status
make[2]: *** [cryptsetup] Error 1
make[2]: Leaving directory `/root/sources/cryptsetup-1.0.6/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/sources/cryptsetup-1.0.6'
make: *** [all] Error 2
bt cryptsetup-1.0.6 #

If you get this error then do the following. If not, skip this code segment. This is basically the same compiler line as the one from the make script, but I removed the reference to the shared library. It should compile without any errors.

bt cryptsetup-1.0.6 # cd src
bt src # gcc -g -O2 -o cryptsetup -static cryptsetup.o  /usr/lib/libpopt.a ../lib/.libs/libcryptsetup.a -ldevmapper -L/usr/local/lib /usr/local/lib/libgcrypt.a /usr/local/lib/libgpg-error.a -luuid
bt src #

Now that the static binary is finished, let's move it to its destination.

bt src # mv /root/sources/cryptsetup-1.0.6/src/cryptsetup /sbin/cryptsetup.static
bt src #

All done. We are now ready to create an initrd image.

Step 5.3 - Making an initrd image

----------------------------------------------------------------------------------------------------

This step couldn't be easier. All we need to do is pass a few parameters to the mkinitrd script and let it do its job.

NOTICE: The following command will create an initrd image with a default US keyboard layout. So, if you want to use a different layout while being asked for a password during the pre-boot authentication then you must also pass a "-l <your keyboard layout>" parameter to the mkinitrd script. See the mkinitrd man page for more details (man mkinitrd).

bt src # mkinitrd -c -k 2.6.21.5 -m ext3:sha1:sha256:aes -f ext3 -C /dev/hda2 -r /dev/btcrypt/root -L
OK: /lib/modules/2.6.21.5/kernel/crypto/sha1.ko added.
OK: /lib/modules/2.6.21.5/kernel/crypto/sha256.ko added.
OK: /lib/modules/2.6.21.5/kernel/crypto/aes.ko added.
9138 blocks
bt src #

Done. If you now cd to your /boot partition, you will notice a bunch of new entries including a README.initrd@, a directory named initrd-tree and finally, our much-desired initrd.gz image! You may want to clean this up a bit by removing the readme and the initrd-tree entries, but if you are curious about how the interior of an initrd image looks like then cd to the initrd-tree folder and explore a bit.

************************************************** **************************************************

* 6. Finalizing

************************************************** **************************************************

Step 6.1 - Adapt the fstab

----------------------------------------------------------------------------------------------------

It's almost over, but a couple more things have to be addressed. We have to modify our fstab a little bit. Open up /etc/fstab with your favorite text editor and make it look like this. I cleaned up a few unneccessary lines and added three new on the bottom.

NOTICE: If you're using a GUI text editor or an editor outside our chrooted shell then keep in mind that the real fstab is located in /mnt/backtrack/etc/fstab, not /etc/fstab. The same goes for other config files.

NOTICE: This is how the configuration appears on my system. You may have to adapt the changes to reflect your own setup (/dev/hda1 => /dev/sda1).

devpts /dev/pts devpts gid=5,mode=620 0 0 # AutoUpdate
proc /proc proc defaults 0 0 # AutoUpdate
sysfs /sys sysfs defaults 0 0 # AutoUpdate
/dev/hdb /mnt/hdb iso9660 noauto,users,exec 0 0 # AutoUpdate
/dev/fd0 /mnt/floppy vfat noauto,noatime,users,suid,dev,exec 0 0 # AutoUpdate

/dev/hda1 /boot auto defaults 0 0
/dev/btcrypt/swap none swap sw 0 0
/dev/btcrypt/root / auto defaults 0 0

Step 6.2 - Configure and install lilo

----------------------------------------------------------------------------------------------------

Time to configure the bootloader. Open up /etc/lilo.conf with your favorite text editor and make it look like this:

lba32
boot = /dev/hda
prompt
timeout = 60
change-rules
reset
vga=791
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/ram0
label = Linux
read-only

NOTICE: Again, this is how lilo.conf looked like on my laptop. Be sure to adapt your vga mode and any other changes that apply to your own setup e.g. /dev/hda => /dev/sda. I also erased all comments from the config file so that settings are clearly visible. And make sure you're editing the correct lilo.conf!

Now let's put lilo to work.

bt src # lilo -v
(some output with a couple of warnings)
bt src #

You should get 3 warnings, the first one being that '/proc/partitions' does not match '/dev' directory structure. Two and three are probably about name changes for our logical volumes. You can safely ignore these and proceed.

Step 6.3 - Reboot

----------------------------------------------------------------------------------------------------

And now... the moment we've all been waiting for. All that is left to do is reboot and pray it works. On the next boot you should be prompted for a LUKS passphrase. Enter the one you used above to create the encrypted root partition. You still remember it, don't you?

Congrats! Enjoy your new encrypted installation of Backtrack 3!

NOTICE: Be sure to set your computer to boot from your hard drive next time so that you don't accidentally boot from a CD or an USB key and wonder why there was no password prompt!

SURSA!