Encrypted Root Hard Drive Install - HOWTO



interspective
11-02-2008, 07:23 AM
*** NOTE ***
For those who didn't follow this link from my "BT3 on HP 2133 Mini Note - Findings" thread, please be aware that these instructions have been written for the HP 2133 mini-note. You can use them to set up BT3 with an encrypted root partition on any other machine, but you will need to be wary of the drive device names and partition numbers as they -WILL- be different. Substitute the below with your drive device names and partitions and you will be fine.
I am unable to post URLs yet so I've substituted an X in the link; change it back to a T and they will work fine.

First of all you need to make a BT3 USB boot stick from the USB ISO.

Now you need to download these two files and put them in a dir called "extras" on your USB stick.

cryptsetup-1.0.5 from:

fxp://fxp.slackware.com/pub/slackware/slackware-12.0/slackware/a/cryptsetup-1.0.5-i486-2.tgz

mkinitrd-1.1.2 from:

fxp://fxp.slackware.com/pub/slackware/slackware-12.0/slackware/a/mkinitrd-1.1.2-i486-3.tgz

This is extremely important! Make sure you get these two files!! I spent far too long mucking around with the source package from luks and it just doesn't work.

Jam your USB stick into your HP 2133 and get ready to hit the F9 button. Select the USB stick from the boot menu and then boot the framebuffer text mode option. We don't need to run a KDE session!

After booting, check mount and unmount your hard disk if it's mounted. BT3 usually automounts drive partitions in /mnt.

Fire up fdisk on /dev/hda and set up your partitions. I set up mine as follows:

100MB for /boot (hda1) (won't be encrypted)
4GB for swap (hda2) (or double the size of your RAM; this will be encrypted on the fly)
remainder for / (hda3)

*** REMINDER ***
Make sure you set your boot partition active with option a, 1.

*** NOTE ***
When you boot your BT3 from USB, some users have reported not seeing their hard drives. There is a setting in the BIOS for your drive, I think it needs to be set to "compatibility mode". I'll check and let you know, but there are plenty of posts about it, just do a search.

You may have to reboot for the partition changes to take effect. Be sure to check and do what fdisk says.

Ok so if you needed to reboot and have done so, let's install cryptsetup so we can get started. Your USB drive should be mounted (mine is sda1) so let's install from there.


# installpkg /mnt/sda1/extras/cryptsetup-1.0.5-i486-2.tgz

Now we use cryptsetup to encrypt the root (hda3) partition. We will do the swap after BT3 has been installed.

As quoted from the slackware 12 README_CRYPT.TXT file that I followed:

"If you're not _too_ concerned with the possibility of an FBI agent confiscating your computer, you can skip this command:"

You have no reason to worry about the feds do you?

*** NOTE ***
Make sure your partition is not mounted before running this command! Also you can use the VIA hardware RNG device if you've set it up.


# dd if=/dev/urandom of=/dev/hda3

Make sure you have plenty of coffee, as it will take quite a while!

Let's enable kernel support for VIA Padlock, which is part of the HP 2133's processor... because we can:


# modprobe padlock

Prepare the partition for encryption. You will be asked to enter a passphrase twice, make it a good one!


# cryptsetup -s 256 -y luksFormat /dev/hda3

You can dump information about the encrypted partition to your console by running the following command:


# cryptsetup luksDump /dev/hda3

Now you have an encrypted partition with (hopefully) a strong passphrase. Let's map it to a block device. This device behaves like an ordinary block device and we will use it instead of /dev/hda* to create our filesystem on. The block device(s) exist in /dev/mapper. Get ready to use your passphrase :)


# cryptsetup luksOpen /dev/hda3 crypt-root

If you do an ls /dev/mapper you will see the crypt-root block device. So let's create a filesystem on it. I used ext3. We do this for hda1 (/boot) too.


# mkfs.ext3 /dev/mapper/crypt-root
# mkfs.ext3 /dev/hda1

Ok now we need to mount the partition and start our BT3 "install". The following has been adapted and butchered from the Messin with Backtrack PDF file.


# mkswap /dev/hda2
# swapon /dev/hda2
# mkdir /mnt/backtrack

This is the point we will mount our encrypted physical device.


# mount /dev/mapper/crypt-root /mnt/backtrack
# mkdir /mnt/backtrack/boot
# mount /dev/hda1 /mnt/backtrack/boot

Remember, the /boot (hda1) partition is not encrypted.


# df
Filesystem 1K-blocks Used Available Use% Mounted on
aufs 539548 6480 533068 2% /
/dev/sda1 1002052 880752 121300 88% /mnt/sda1
/dev/mapper/crypt-root
115171908 192676 109128816 1% /mnt/backtrack
/dev/hda1 101086 20827 75040 22% /mnt/backtrack/boot


As recommended by the Messin' with Backtrack PDF, make sure everything is mounted and correct otherwise things will bork.


# cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack

--preserve maintains all permissions and -R makes the command recursive.

This command will copy all the dirs in the curly brackets from the current working system (which came from the USB stick) to your hard drive. All of it will be encrypted. Now is a great time to get another coffee as it may take a while!


# mkdir /mnt/backtrack/{mnt,proc,sys,temp}
# mount --bind /dev/ /mnt/backtrack/dev/

This creates mnt, proc, sys and temp with one command. Then we remount the /dev directory (which holds the addresses for all physical devices) to our new mount point.


# mount -t proc proc /mnt/backtrack/proc/

Same for proc. This will provide an interface with the kernel in our new mount point.


# cp /boot/vmlinuz /mnt/backtrack/boot/vmlinuz

This is our kernel, we need it :)

Ok, let's move into our new home!


# chroot /mnt/backtrack/

Ahh, we're off the stinking USB device and on a real drive now :)

Oh, before I forget:


# e2label /dev/hda1 /boot
# e2label /dev/mapper/crypt-root /

This will come in handy for /etc/fstab.

Let's create our crypttab file. This file contains information cryptsetup needs for unlocking your encrypted volume and mapping it to the correct device name. The file '/etc/crypttab' contains lines of the format: "mappedname devicename password options".


# echo "crypt-root /dev/hda3" > /etc/crypttab

We don't enter the password (for obvious reasons), cryptsetup will ask for it when the mini-note boots.

Now we can set up the encrypted swap.


# echo "crypt-swap /dev/hda2 none swap" >> /etc/crypttab

At shutdown of the machine, the encrypted swap partition will be reformatted as a normal unencrypted swap, so that any other OSes you run in a multi-boot configuration will have no problems in using this swap partition as well. Iz Naice! :)

*** NOTE ***
The swap partition is encrypted with a new randomly generated key every time your computer boots, so there is no need to ever enter a passphrase!

Let's set up our fstab so things work properly...


# nano /etc/fstab

and make it look like this:


/dev/mapper/crypt-root / ext3 defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/crypt-swap swap swap defaults 0 0
LABEL=/boot /boot ext3 defaults 0 0

Now we can install mkinitrd so the system boots properly. We need to re-mount the USB stick to get access to the file first.


# mount /dev/sda1 /mnt/sda1
# installpkg /mnt/sda1/extras/mkinitrd-1.1.2-i486-3.tgz


Now let's make a new initrd!


# /sbin/mkinitrd -c -k 2.6.21.5 -m ext3:sha1:sha256:padlock_aes:padlock_sha -f ext3 -r crypt-root -C /dev/hda3

This writes a file to /boot/initrd.gz and creates a tree of things we need for the ramdisk.

*** NOTE ***
Remember, these instructions are specific to the HP 2133 which has VIA Padlock. You won't need to load padlock_aes and padlock_sha if you don't have a VIA C7-M processor; it won't work, you will need to load aes instead.
So the module part would be : "-m ext3:sha1:sha256:aes"

Now we need to set up lilo to use all the new settings.


# mv /etc/lilo.conf /etc/lilo.conf.old
# nano /etc/lilo.conf

make it look like this:


# LILO global section
lba32 # Allow booting past 1024th cylinder with a recent BIOS
boot = /dev/hda
initrd = /boot/initrd.gz
#message = /boot/boot_message.txt
prompt
timeout = 1200
# Override dangerous defaults that rewrite the partition table:
change-rules
reset
# VESA framebuffer console @ 1024x768x256
vga = 773
# End LILO global section
# Linux bootable partition config begins
image = /boot/vmlinuz
root = /dev/mapper/crypt-root
label = BackTrack
read-only
# Linux bootable partition config ends

Now we can run lilo. This command will spit back a couple of warnings about devices not matching up, but don't stress it will work anyway.


# lilo -v
# exit
# reboot

When your machine boots, you should be asked for your passphrase. Hopefully you can remember what it is ;)

zing-a ding ding our mini-note has some bling :)

Xan
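As an added check that is not part of Xan's post: a small POSIX shell script that verifies a crypttab/fstab pair of the kind written above before you reboot, confirming that every /dev/mapper name used in fstab has a crypttab line and that the swap mapping is keyed from "none" with the swap option (a fresh random key each boot). The two files are constructed samples; on a real system point CRYPTTAB and FSTAB at /etc/crypttab and /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post: check that the crypttab and fstab
# written in the guide agree with each other before rebooting. The two files
# below are constructed samples; on a real system point CRYPTTAB and FSTAB at
# /etc/crypttab and /etc/fstab instead.
TMP=$(mktemp -d)
CRYPTTAB="$TMP/crypttab"
FSTAB="$TMP/fstab"

# Constructed crypttab: the root and swap mappings from the guide
cat > "$CRYPTTAB" <<'EOF'
crypt-root /dev/hda3
crypt-swap /dev/hda2 none swap
EOF

# Constructed fstab matching the guide
cat > "$FSTAB" <<'EOF'
/dev/mapper/crypt-root / ext3 defaults 0 0
/dev/mapper/crypt-swap swap swap defaults 0 0
LABEL=/boot /boot ext3 defaults 0 0
EOF

# mapper_names FSTAB: print the mapped name of every /dev/mapper/<name> entry
mapper_names() {
    awk '$1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# check_crypttab FSTAB CRYPTTAB: return 0 when every mapper name used in fstab
# is defined in crypttab, 1 otherwise (missing names are reported on stderr)
check_crypttab() {
    rc=0
    for name in $(mapper_names "$1"); do
        if ! awk -v n="$name" '$1 == n { f=1 } END { exit f ? 0 : 1 }' "$2"; then
            echo "no crypttab entry for $name" >&2
            rc=1
        fi
    done
    return $rc
}

# swap_is_random CRYPTTAB NAME: return 0 when NAME is keyed from "none" with
# the swap option, i.e. a fresh random key is generated at every boot
swap_is_random() {
    awk -v n="$2" '$1 == n && $3 == "none" && $4 ~ /swap/ { f=1 }
                   END { exit f ? 0 : 1 }' "$1"
}

check_crypttab "$FSTAB" "$CRYPTTAB" && echo "fstab and crypttab are consistent"
swap_is_random "$CRYPTTAB" crypt-swap && echo "crypt-swap uses a per-boot random key"
```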

ilovenugz
11-04-2008, 10:00 AM
Thanks a bunch for posting this message. I have attempted to follow the instructions onto my ThinkPad x61s but ran into some issues along the way. And I am familiar with Linux and have used it for quite some time; however, I have never dabbled in Linux encryption.

First of all, I have /dev/sda1 as Vista -- I then resized it using GParted so I can have the 100MB boot partition (/dev/sda2), the swap (/dev/sda3), and the root (/dev/sda4). I then switched /dev/sda2 as the boot partition and then saved changes. After everything was done, I booted from my BT USB to verify the fdisk looked well--it did. After creating the partition, I performed the dreadfully long 'dd if=/dev/urandom of=/dev/sda4'--this went on for a few hours and then eventually said:

dd: writing to '/dev/sda4' : Input/output error
89610569+0 records in
89610568+0 records out
45880610816 bytes (46GB) copied, 14245.6 s, 2.3 MB/s
bt ~ # EXT3-fs error (device sda4): htree_dirblock_to_tree: bad entry in directory #2: rec_len % 4 != 0 - offset=0, inode=4282461833, rec_len=20019, name_len=227

Not knowing if it looked like it performed the task ok, I decided to proceed with your next step (just for the hell of it, I guess).

The ThinkPad comes with the integrated TPM so I see you did the 'modprobe padlock' for your device so I did the 'modprobe tpm' instead. Next, I did the cryptsetup command and it asked for the passphrase, etc. Then I got the following:

Failed to setup dm-crypt key mapping
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda4 contains at least 258 sectors.
Failed to write to key storage.
Command failed.

I did a 'modprobe dm-crypt' to see if it was loaded and it said it was not found. I did install your cryptsetup package that was linked in your message.

Any ideas?

terminal86
11-04-2008, 10:18 AM
After creating the partition, I performed the dreadfully long 'dd =/dev/urandom of=/dev/sda4'--this went on for a few hours and then eventually said:


Typo in your post, or in your command?


dd if=/dev/urandom of=/dev/hda3

ilovenugz
11-04-2008, 10:20 AM
Apparently I had the partition mounted while attempting to run the command...

terminal: typo in post

interspective
11-04-2008, 10:58 AM
ilovenugz: I'm not sure about tpm, but try "modprobe aes" and "modprobe sha256" before the cryptsetup command. Also, I'm not sure, but your dd command may have borked your partition if it was mounted when run. Maybe try removing the partition and creating it again.

Xan

ilovenugz
11-04-2008, 09:22 PM
The problem was that I did have the partition mounted when trying to perform the cryptsetup command. Once I umounted the partition, it worked just fine.

Due to following this guide, I was able to properly install BT3 on my 128GB SSD hdd with encrypted OS and swap partitions--thanks!