Help! So close to whole disk crypto in BT3...



m0untainrebel
09-13-2008, 07:06 PM
I'm trying to use whole-disk encryption in BT3, and once I figure it out write a howto. But I'm stuck at one frustrating part, so close to victory! Can anyone help?

Here's what I've got. Start by booting to the BT3 livecd, open a terminal and download and install cryptsetup. (note: I've changed all the links to use hxxp instead of http, since it won't let me post links because I haven't made 15 posts yet)

bt ~ # cd /usr/src
bt src # wget hxxp://luks.endorphin.org/source/cryptsetup-1.0.5.tar.bz2
bt src # tar -xvf cryptsetup-1.0.5.tar.bz2
bt src # cd cryptsetup-1.0.5
bt cryptsetup-1.0.5 # ./configure
bt cryptsetup-1.0.5 # make
bt cryptsetup-1.0.5 # make install

Partition the hard drive with cfdisk so that sda1 is boot, sda2 is swap, sda3 is root, and write changes. Then format the swap and boot partitions.

bt cryptsetup-1.0.5 # cd ~
bt ~ # cfdisk
bt ~ # mkswap /dev/sda2
bt ~ # swapon /dev/sda2
bt ~ # mkfs.ext3 /dev/sda1

Make the encrypted root partition and format it as ext3.

bt ~ # cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3
bt ~ # cryptsetup luksOpen /dev/sda3 cryptroot
bt ~ # mkfs.ext3 /dev/mapper/cryptroot

Now mount it all and install BT3.

bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/mapper/cryptroot /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/boot
bt ~ # mount /dev/sda1 /mnt/backtrack/boot/
bt ~ # cp --preserve -R -v /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack
bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot/
bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
bt ~ # mount -t proc proc /mnt/backtrack/proc/

Chroot into your new backtrack install to configure it.

bt ~ # chroot /mnt/backtrack/ /bin/bash
bt / # echo "cryptroot /dev/sda3" > /etc/crypttab
bt / # nano /etc/fstab

Make your fstab look like this:

/dev/mapper/cryptroot / auto defaults 0 0
/dev/sda1 /boot auto defaults 0 0
/dev/sda2 none swap sw 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0 # AutoUpdate
proc /proc proc defaults 0 0 # AutoUpdate
sysfs /sys sysfs defaults 0 0 # AutoUpdate
/dev/hdc /mnt/hdc iso9660 noauto,users,exec 0 0 # AutoUpdate
/dev/fd0 /mnt/floppy vfat noauto,noatime,users,suid,dev,exec 0 0 # AutoUpdate

Now we need to make a new initrd.gz that loads stuff needed to boot to the encrypted partition. You can find the latest version of mkinitrd for slackware 12 here: hxxp://packages.slackware.it/package.php?q=current/mkinitrd-1.3.2-i486-3#download
(I think this might have to do with my problem -- backtrack doesn't come with mkinitrd, and neither does slax, and I'm afraid using this slackware package for BT3 might be breaking things.)

bt / # cd /
bt / # wget hxxp://lmlinux.com/distros/slackware/slackware-current/slackware/a/mkinitrd-1.3.2-i486-3.tgz
bt / # tar -xvf mkinitrd-1.3.2-i486-3.tgz
bt / # rm mkinitrd-1.3.2-i486-3.tgz
bt / # ln -s /usr/sbin/cryptsetup /sbin/cryptsetup.static
bt / # mkinitrd -c -k 2.6.21.5 -m ext3 -f ext3 -C /dev/sda3 -r cryptroot -L
bt / # nano /etc/lilo.conf

Make your lilo.conf look like this:

lba32 # Allow booting past 1024th cylinder with a recent BIOS
boot = /dev/sda1
prompt
timeout = 1200
change-rules
reset
vga = 791

image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/ram0
label = Backtrack3
read-only

Then rewrite it, reboot, and pray it works. Ignore the warning when running lilo -v.

bt / # lilo -v
bt / # reboot

This should do it, I think. I've also tried setting root = /dev/mapper/cryptroot in lilo.conf, to no avail. When I boot up, lilo tries to load BT3 but then I get this error:

initrd.gz: Loading kernel modules from initrd image:
input: AT Translated Set 2 keyboard as /class/input/input2
Reading all physical volumes. This may take a while...
No volume groups found
No volume groups found
No volume groups found
mount: mounting cryptroot on /mnt failed: No such file or directory
ERROR: No /sbin/init found on rootdev (or not mounted). Trouble ahead.
You can try to fix it. Type 'exit' when things are done.

/bin/sh: can't access tty: job control turned off
/ $

And it spits me into the initrd shell. Once I'm there, I try mounting it manually:

/ $ cryptsetup luksOpen /dev/sda3 cryptroot
/bin/sh: cryptsetup: not found
/ $ ls -l /sbin/crypt*
lrwxrwxrwx 1 0 0 17 Sep 13 18:53 /sbin/cryptsetup -> cryptsetup.static
-rwxr-xr-x 1 0 0 26968 Sep 13 18:53 /sbin/cryptsetup.static
/ $ /sbin/cryptsetup.static
/bin/sh: /sbin/cryptsetup.static: not found

Obviously, the cryptsetup binary is there, it's just not working. I even tried copying a separate cryptsetup binary that I compiled myself (and works fine in the booted BT3) to my boot partition, /dev/sda1, so when I get to this initrd shell I can mount it and run it. It still says "not found". Why?!

The only thing I can think of is the mkinitrd script, which generates the ramdisk and puts cryptsetup.static there, doesn't include something that cryptsetup needs to run under BT3, but that slackware 12 doesn't need. If anyone else wants to help tackle this it would be wonderful. I think a lot of people would be interested in having this work.

These were useful resources in getting this far:
hxxp://forums.remote-exploit.org/showpost.php?p=87694&postcount=1
hxxp://slackware.osuosl.org/slackware-12.0/README_CRYPT.TXT

Please help!

fredl
12-25-2008, 07:01 PM
Hi,
As this is a fairly old posting I'm not quite sure if anyone is still interested, but anyway the mistake is here:


The only thing I can think of is the mkinitrd script, which generates the ramdisk and puts cryptsetup.static there, doesn't include something that cryptsetup needs to run under BT3

What's missing in the initrd are a couple of libs if you compile cryptsetup from source as you described. It doesn't help to create a symlink, you need to compile a statically linked binary instead. ./configure --help tells you how. I think this produces cryptsetup.static by itself, but I'm not really sure about that.
Also you have to add "sha1:sha256" to the modules list so that cryptsetup can complete its job at boot time.
I've done it this way, and it unlocks the drive (but for me it then fails to cooperate with LVM...)
Hope that helps,
Fredl

The MoD
01-06-2009, 06:26 AM
Hi,

I've managed to encrypt my root partition on a USB thumb drive using cryptsetup. I've installed BT3 on a (USB) hard disk and installed additionally cryptsetup, mkinitrd and got busybox 1.13.1.

Details you can find in a previous post:

hxxp://forums.remote-exploit.org/showthread.php?t=17233&highlight=UUID

1) install mkinitrd
2) build your new busybox with support for UUIDs and LABELs, but don't install it
3) install cryptsetup
4) copy your new busybox executable to the initrd
5) copy cryptsetup.static to the initrd
(found in /sbin, renamed it to cryptsetup)
6) edit the init file in the initrd
I've commented out everything that deals with encrypted partitions and inserted the following lines

# explanation of the concept:
# luksFormat assigns a UUID when the encrypted partition is created
# this UUID is passed during system boot-up to the kernel
# initrd reads /proc/cmdline and saves the root=UUID=uuid as $ROOTDEV
# findfs is used to find the real partition
# cryptsetup is used to encrypt the disk

CRYPTDEV="crypt-root" # will be mounted under /dev/mapper/crypt-root
LUKSDEV=$(findfs $ROOTDEV) # findfs returns the real device name

if /sbin/cryptsetup isLuks $LUKSDEV 1>/dev/null 2>/dev/null ; then # check that we are really on a LUKS device
    /sbin/cryptsetup luksOpen $LUKSDEV $CRYPTDEV # ask for the passphrase and open it
    ROOTDEV="/dev/mapper/$CRYPTDEV" # adapt the ROOTDEV, used by the following mount command
fi

SORRY. Left it out the first time: you also need to implement the changes to the 'command line parsing' section described in the thread linked above. Otherwise it will not work.

7) build your initrd

8) adapt your fstab
/dev/mapper/crypt-root / ext3 ...

9) adapt your lilo.conf
image = /boot/vmlinuz
append = "root=UUID=your LUKS UUID"
initrd = /boot/initrd.gz

10) lilo -v
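The three steps The MoD's init fragment performs (pull root= from the kernel command line, resolve a UUID= or LABEL= spec with findfs, unlock with cryptsetup only if the device really is LUKS), written as POSIX sh functions. This is an added example, not code from the thread: the function names, the sample UUID and the reconstruction of the "command line parsing" step (which the post defers to a linked thread) are assumptions, and findfs/cryptsetup are only reached through resolve_rootdev and unlock_root, which need the real initrd environment.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample cmdline below is what
# lilo's append="root=UUID=..." line would produce in /proc/cmdline.

# Print the value of root= from a kernel command line string
# (root=UUID=..., root=LABEL=... or root=/dev/sdXN); fail if absent.
root_from_cmdline() {
    for arg in $1; do
        case "$arg" in
            root=*) printf '%s\n' "${arg#root=}"; return 0 ;;
        esac
    done
    return 1
}

# Turn a root= spec into a block device. UUID=/LABEL= go through findfs
# (needs the busybox built with UUID/LABEL support, as step 2 says);
# plain /dev paths are used as-is; anything else is rejected.
resolve_rootdev() {
    case "$1" in
        UUID=*|LABEL=*) findfs "$1" ;;
        /dev/*) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# If the device is LUKS, ask for the passphrase and print the mapper node to
# mount; otherwise print the device unchanged so a plain root still boots.
unlock_root() {
    luksdev="$1"; cryptdev="${2:-crypt-root}"
    if /sbin/cryptsetup isLuks "$luksdev" >/dev/null 2>&1; then
        /sbin/cryptsetup luksOpen "$luksdev" "$cryptdev" || return 1
        printf '/dev/mapper/%s\n' "$cryptdev"   # note the leading slash
    else
        printf '%s\n' "$luksdev"
    fi
}

# Constructed sample: hypothetical UUID, not a real partition.
SAMPLE_CMDLINE="BOOT_IMAGE=Backtrack3 ro root=UUID=0f1e2d3c-0000-4000-8000-000000000001 vga=791"

DEMO_ROOT=$(root_from_cmdline "$SAMPLE_CMDLINE")
echo "root= spec from cmdline: $DEMO_ROOT"
```

In a real initrd the init script would chain these as ROOTDEV=$(unlock_root "$(resolve_rootdev "$(root_from_cmdline "$(cat /proc/cmdline)")")") before the mount.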