
Thread: Help! So close to whole disk crypto in BT3...

  1. #1 (Just burned his ISO, joined Dec 2007, 3 posts)

    Help! So close to whole disk crypto in BT3...

    I'm trying to use whole-disk encryption in BT3, and once I figure it out I'll write a howto. But I'm stuck at one frustrating part, so close to victory! Can anyone help?

    Here's what I've got. Start by booting to the BT3 livecd, open a terminal and download and install cryptsetup. (note: I've changed all the links to use hxxp instead of http, since it won't let me post links because I haven't made 15 posts yet)

    bt ~ # cd /usr/src
    bt src # wget hxxp://luks.endorphin.org/source/cryptsetup-1.0.5.tar.bz2
    bt src # tar -xvf cryptsetup-1.0.5.tar.bz2
    bt src # cd cryptsetup-1.0.5
    bt cryptsetup-1.0.5 # ./configure
    bt cryptsetup-1.0.5 # make
    bt cryptsetup-1.0.5 # make install

    Partition the hard drive with cfdisk so that sda1 is boot, sda2 is swap, sda3 is root, and write changes. Then format the swap and boot partitions.

    bt cryptsetup-1.0.5 # cd ~
    bt ~ # cfdisk
    bt ~ # mkswap /dev/sda2
    bt ~ # swapon /dev/sda2
    bt ~ # mkfs.ext3 /dev/sda1

    Make the encrypted root partition and format it as ext3.

    bt ~ # cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3
    bt ~ # cryptsetup luksOpen /dev/sda3 cryptroot
    bt ~ # mkfs.ext3 /dev/mapper/cryptroot

    Now mount it all and install BT3.

    bt ~ # mkdir /mnt/backtrack
    bt ~ # mount /dev/mapper/cryptroot /mnt/backtrack/
    bt ~ # mkdir /mnt/backtrack/boot
    bt ~ # mount /dev/sda1 /mnt/backtrack/boot/
    bt ~ # cp --preserve -R -v /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack
    bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot/
    bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
    bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
    bt ~ # mount -t proc proc /mnt/backtrack/proc/

    Chroot into your new backtrack install to configure it.

    bt ~ # chroot /mnt/backtrack/ /bin/bash
    bt / # echo "cryptroot /dev/sda3" > /etc/crypttab
    bt / # nano /etc/fstab

    Make your fstab look like this:

    /dev/mapper/cryptroot / auto defaults 0 0
    /dev/sda1 /boot auto defaults 0 0
    /dev/sda2 none swap sw 0 0
    devpts /dev/pts devpts gid=5,mode=620 0 0 # AutoUpdate
    proc /proc proc defaults 0 0 # AutoUpdate
    sysfs /sys sysfs defaults 0 0 # AutoUpdate
    /dev/hdc /mnt/hdc iso9660 noauto,users,exec 0 0 # AutoUpdate
    /dev/fd0 /mnt/floppy vfat noauto,noatime,users,suid,dev,exec 0 0 # AutoUpdate

    Now we need to make a new initrd.gz that loads stuff needed to boot to the encrypted partition. You can find the latest version of mkinitrd for slackware 12 here: hxxp://packages.slackware.it/package.php?q=current/mkinitrd-1.3.2-i486-3#download
    (I think this might have to do with my problem -- backtrack doesn't come with mkinitrd, and neither does slax, and I'm afraid using this slackware package for BT3 might be breaking things.)

    bt / # cd /
    bt / # wget hxxp://lmlinux.com/distros/slackware/slackware-current/slackware/a/mkinitrd-1.3.2-i486-3.tgz
    bt / # tar -xvf mkinitrd-1.3.2-i486-3.tgz
    bt / # rm mkinitrd-1.3.2-i486-3.tgz
    bt / # ln -s /usr/sbin/cryptsetup /sbin/cryptsetup.static
    bt / # mkinitrd -c -k 2.6.21.5 -m ext3 -f ext3 -C /dev/sda3 -r cryptroot -L
    bt / # nano /etc/lilo.conf

    Make your lilo.conf look like this:

    lba32 # Allow booting past 1024th cylinder with a recent BIOS
    boot = /dev/sda1
    prompt
    timeout = 1200
    change-rules
    reset
    vga = 791

    image = /boot/vmlinuz
    initrd = /boot/initrd.gz
    root = /dev/ram0
    label = Backtrack3
    read-only

    Then rewrite it, reboot, and pray it works. Ignore the warning when running lilo -v.

    bt / # lilo -v
    bt / # reboot

    This should do it, I think. I've also tried setting root = /dev/mapper/cryptroot in lilo.conf, to no avail. When I boot up, lilo tries to load BT3 but then I get this error:

    initrd.gz: Loading kernel modules from initrd image:
    input: AT Translated Set 2 keyboard as /class/input/input2
    Reading all physical volumes. This may take a while...
    No volume groups found
    No volume groups found
    No volume groups found
    mount: mounting cryptroot on /mnt failed: No such file or directory
    ERROR: No /sbin/init found on rootdev (or not mounted). Trouble ahead.
    You can try to fix it. Type 'exit' when things are done.

    /bin/sh: can't access tty: job control turned off
    / $

    And it spits me into the initrd shell. Once I'm there, I try mounting it manually:

    / $ cryptsetup luksOpen /dev/sda3 cryptroot
    /bin/sh: cryptsetup: not found
    / $ ls -l /sbin/crypt*
    lrwxrwxrwx 1 0 0 17 Sep 13 18:53 /sbin/cryptsetup -> cryptsetup.static
    -rwxr-xr-x 1 0 0 26968 Sep 13 18:53 /sbin/cryptsetup.static
    / $ /sbin/cryptsetup.static
    /bin/sh: /sbin/cryptsetup.static: not found

    Obviously, the cryptsetup binary is there, it's just not working. I even tried copying a separate cryptsetup binary that I compiled myself (and which works fine in the booted BT3) to my boot partition, /dev/sda1, so when I get to this initrd shell I can mount it and run it. It still says "not found". Why?!

    The only thing I can think of is the mkinitrd script, which generates the ramdisk and puts cryptsetup.static there, doesn't include something that cryptsetup needs to run under BT3, but that slackware 12 doesn't need. If anyone else wants to help tackle this it would be wonderful. I think a lot of people would be interested in having this work.

    These were useful resources in getting this far:
    hxxp://forums.remote-exploit.org/showpost.php?p=87694&postcount=1
    hxxp://slackware.osuosl.org/slackware-12.0/README_CRYPT.TXT

    Please help!

  2. #2 (Just burned his ISO, joined Dec 2008, 1 post)

    Hi,
    As this is a fairly old posting I'm not quite sure if anyone is still interested, but anyway the mistake is here:
    Quote, originally posted by m0untainrebel:
        The only thing I can think of is the mkinitrd script, which generates the ramdisk and puts cryptsetup.static there, doesn't include something that cryptsetup needs to run under BT3
    What's missing in the initrd are a couple of libs if you compile cryptsetup from source as you described. It doesn't help to create a symlink, you need to compile a statically linked binary instead. ./configure --help tells you how. I think this produces cryptsetup.static by itself, but I'm not really sure about that.
    Also you have to add "sha1:sha256" to the modules list so that cryptsetup can complete its job at boot time.
    I've done it this way, and it unlocks the drive (but for me it then fails to cooperate with LVM...)
    Hope that helps,
    Fredl
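The "not found" in post #1 and the explanation in post #2 (a dynamically linked cryptsetup whose loader and libraries are not in the ramdisk) can be checked before rebooting. The script below is an added example, not code from this thread and not BackTrack or Slackware code: it reads an ELF file's program headers with nothing but dd and od, reports whether the binary carries a PT_INTERP entry (dynamically linked, needs the named ld-linux plus its libraries inside the initrd) or none (static), and checks an unpacked initrd tree for exactly that. The ELF builder, the temp tree, and the paths /sbin/cryptsetup.static and /lib/ld-linux.so.2 are constructed fixtures for the demo, not files taken from the posts. It handles little-endian ELF32 and ELF64, which covers i386 and x86_64.

```shell
#!/bin/sh
# Added example (not from the thread, not BackTrack/Slackware code): detect a
# dynamically linked binary inside an initrd, the cause of busybox answering
# "not found" for a file that is plainly there. Uses only dd and od, so it also
# runs inside the initrd shell. Little-endian ELF32/ELF64 only (i386/x86_64).
# read_le FILE OFFSET NBYTES -> decimal value of a little-endian integer
read_le() {
    hex=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ ${#hex} -eq $(($3 * 2)) ] || return 1; rev=""   # short read -> fail
    while [ -n "$hex" ]; do
        rev="$rev${hex#"${hex%??}"}"                   # move last byte to the front
        hex=${hex%??}
    done
    echo $((0x$rev))
}
# elf_interp FILE -> prints the PT_INTERP string and returns 0 for a dynamic
# ELF; returns 1 for a static ELF (no PT_INTERP), 2 if FILE is not a usable ELF
elf_interp() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in                                   # \x7fELF, class, little-endian
        7f454c460101) phoff_at=28; phoff_sz=4; phent_at=42; phnum_at=44; poff=4; psz=16; w=4 ;;
        7f454c460201) phoff_at=32; phoff_sz=8; phent_at=54; phnum_at=56; poff=8; psz=32; w=8 ;;
        *) return 2 ;;
    esac
    phoff=$(read_le "$1" $phoff_at $phoff_sz) || return 2
    phentsize=$(read_le "$1" $phent_at 2) || return 2
    phnum=$(read_le "$1" $phnum_at 2) || return 2; i=0
    while [ $i -lt $phnum ]; do
        ph=$((phoff + i * phentsize))
        ptype=$(read_le "$1" $ph 4) || return 2
        if [ $ptype -eq 3 ]; then                      # PT_INTERP
            off=$(read_le "$1" $((ph + poff)) $w) || return 2
            len=$(read_le "$1" $((ph + psz)) $w) || return 2
            dd if="$1" bs=1 skip=$off count=$len 2>/dev/null | tr -d '\000'; echo
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}
# check_initrd_bin ROOT PATH -> will ROOT/PATH run from the unpacked initrd at
# ROOT? 0 = yes, 1 = no (the "not found" case), 2 = not an ELF at all
check_initrd_bin() {
    root=$1; bin=$2; path="$root$bin"
    if [ -L "$path" ] && [ ! -e "$path" ]; then echo "$bin: dangling symlink"; return 1; fi
    [ -f "$path" ] || { echo "$bin: missing from initrd"; return 1; }
    interp=$(elf_interp "$path") && rc=0 || rc=$?
    case $rc in
        0) [ -e "$root$interp" ] && { echo "$bin: dynamic, $interp is present (its libs must be too)"; return 0; }
           echo "$bin: dynamic, needs $interp which is not in the initrd -> busybox says 'not found'"; return 1 ;;
        1) echo "$bin: statically linked, will run"; return 0 ;;
        *) echo "$bin: not an ELF binary"; return 2 ;;
    esac
}
# --- constructed fixtures (NOT real binaries) --------------------------------
le_bytes() {                                           # le_bytes VALUE NBYTES
    v=$1; n=$2
    while [ $n -gt 0 ]; do
        printf "$(printf '\\%03o' $((v & 255)))"; v=$((v >> 8)); n=$((n - 1))
    done
}
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
# make_fake_elf64 FILE [INTERP] -> 64-byte ELF64 LE header; with INTERP one
# PT_INTERP program header and the string at offset 120, without it e_phnum=0
make_fake_elf64() {
    out=$1; interp=$2
    {
        printf '\177ELF\002\001\001'; zeros 9          # e_ident: ELF64, LE, version 1
        le_bytes 2 2; le_bytes 62 2; le_bytes 1 4      # ET_EXEC, EM_X86_64, EV_CURRENT
        zeros 8; le_bytes 64 8; zeros 12               # e_entry, e_phoff=64, e_shoff, e_flags
        le_bytes 64 2; le_bytes 56 2                   # e_ehsize, e_phentsize
        if [ -n "$interp" ]; then le_bytes 1 2; else le_bytes 0 2; fi   # e_phnum
        zeros 6                                        # e_shentsize, e_shnum, e_shstrndx
        if [ -n "$interp" ]; then
            le_bytes 3 4; le_bytes 4 4; le_bytes 120 8 # PT_INTERP, PF_R, p_offset
            zeros 16; le_bytes $((${#interp} + 1)) 8   # p_vaddr/p_paddr, p_filesz
            le_bytes $((${#interp} + 1)) 8; le_bytes 1 8   # p_memsz, p_align
            printf '%s' "$interp"; zeros 1             # NUL-terminated path
        fi
    } > "$out"
}
# Demo on a throwaway tree: a dynamic build misnamed .static next to a static one
demo() {
    t=$(mktemp -d); mkdir -p "$t/sbin"
    make_fake_elf64 "$t/sbin/cryptsetup.static" /lib/ld-linux.so.2
    check_initrd_bin "$t" /sbin/cryptsetup.static || true
    make_fake_elf64 "$t/sbin/cryptsetup"
    check_initrd_bin "$t" /sbin/cryptsetup
    rm -rf "$t"
}
demo
```

To run it against a real ramdisk, unpack it first (Slackware's mkinitrd writes a gzipped cpio archive: `mkdir /tmp/ird && cd /tmp/ird && gunzip -c /boot/initrd.gz | cpio -id`) and then call `check_initrd_bin /tmp/ird /sbin/cryptsetup.static`. A binary that reports as dynamic needs either the interpreter and every library from `ldd` copied into the tree, or, as post #2 says, a genuinely static build.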

  3. #3 (Just burned his ISO, joined Sep 2008, 12 posts)

    Hi,

    I've managed to encrypt my root partition on a USB thumb drive using cryptsetup. I installed BT3 on a (USB) hard disk, additionally installed cryptsetup and mkinitrd, and got busybox 1.13.1.

    Details you can find in a previous post:

    hxxp://forums.remote-exploit.org/showthread.php?t=17233&highlight=UUID

    1) install mkinitrd
    2) build your new busybox with support for UUIDs and LABELs, but don't install it
    3) install cryptsetup
    4) copy your new busybox executable to the initrd
    5) copy cryptsetup.static to the initrd
    (found in /sbin, renamed it to cryptsetup)
    6) edit the init file in the initrd
    I've commented out everything that deals with encrypted partitions and inserted the following lines

    # explanation of the concept:
    # luksFormat assigns a UUID when the encrypted partition is created
    # this UUID is passed during system boot-up to the kernel (root=UUID=...)
    # initrd reads /proc/cmdline and saves the root=UUID=uuid as $ROOTDEV
    # findfs is used to find the real partition
    # cryptsetup is used to unlock the disk

    CRYPTDEV="crypt-root" # will be mounted under /dev/mapper/crypt-root
    LUKSDEV=$(findfs "$ROOTDEV") # findfs returns the real device name

    if /sbin/cryptsetup isLuks "$LUKSDEV" 1>/dev/null 2>/dev/null ; then # check that we are really on a LUKS device
        /sbin/cryptsetup luksOpen "$LUKSDEV" "$CRYPTDEV" # ask for the passphrase and open it
        ROOTDEV="/dev/mapper/$CRYPTDEV" # adapt ROOTDEV, used by the following mount command
    fi

    SORRY. Left it out the first time: you also need to implement the changes to the 'command line parsing' section described in the thread linked above. Otherwise it will not work.

    7) build your initrd

    8) adapt your fstab
    /dev/mapper/crypt-root / ext3 ...

    9) adapt your lilo.conf
    image = /boot/vmlinuz
    append = "root=UUID=your LUKS UUID"
    initrd = /boot/initrd.gz

    10) lilo -v
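The boot-time logic of step 6 (read root=UUID=... from /proc/cmdline, find the device carrying that LUKS UUID, make sure it really is a LUKS device) can be exercised without a real disk. The script below is an added example, not the poster's init file and not cryptsetup's or busybox's code: it parses the kernel command line, recognises a LUKS header by its magic bytes, reads the UUID straight out of the header (byte offset 168, a 40-byte NUL-padded field in both LUKS1 and LUKS2), and resolves UUID=... to a device the way findfs does, which is useful in a busybox ramdisk that has neither findfs nor blkid. The header it tests against is a constructed file with only the magic, version and UUID fields filled in, not a usable LUKS volume; the UUID, the cmdline and the sda1/sda3 stand-in files are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the pieces of an initrd "init" that turn
# root=UUID=... into a device to unlock, done with dd/od only so they work in a
# busybox ramdisk. A real init would follow resolve_root with
# "cryptsetup luksOpen $dev crypt-root" and then mount /dev/mapper/crypt-root.

# root_from_cmdline CMDLINE -> prints the value after root= (e.g. UUID=...)
root_from_cmdline() {
    for word in $1; do
        case "$word" in
            root=*) printf '%s\n' "${word#root=}"; return 0 ;;
        esac
    done
    return 1
}

# is_luks DEV -> 0 if DEV starts with the LUKS magic and a version of 1 or 2
is_luks() {
    magic=$(dd if="$1" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4c554b53babe0001|4c554b53babe0002) return 0 ;;   # "LUKS" 0xba 0xbe + BE version
        *) return 1 ;;
    esac
}

# luks_uuid DEV -> prints the UUID stored at byte 168 of the LUKS header
# (40-byte NUL-padded field, same place in LUKS1 and LUKS2); fails if not LUKS
luks_uuid() {
    is_luks "$1" || return 1
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
    echo
}

# resolve_root SPEC DEV... -> like findfs: for UUID=x print the first DEV whose
# LUKS header carries UUID x; a plain device path is printed unchanged
resolve_root() {
    spec=$1; shift
    case "$spec" in
        UUID=*)
            want=${spec#UUID=}
            for dev in "$@"; do
                [ -r "$dev" ] || continue
                [ "$(luks_uuid "$dev")" = "$want" ] || continue
                printf '%s\n' "$dev"; return 0
            done
            return 1 ;;
        *) printf '%s\n' "$spec" ;;
    esac
}

# --- constructed fixture, NOT a usable LUKS volume ---------------------------
# make_fake_luks_header FILE UUID -> magic, version 1 and UUID only, rest zero
make_fake_luks_header() {
    {
        printf 'LUKS\272\276'                                   # magic "LUKS" 0xba 0xbe
        dd if=/dev/zero bs=1 count=1 2>/dev/null; printf '\001' # version 0x0001 (big-endian)
        dd if=/dev/zero bs=1 count=160 2>/dev/null              # cipher, mode, hash, digest, salt...
        printf '%s' "$2"                                        # UUID at offset 168
        dd if=/dev/zero bs=1 count=$((40 - ${#2})) 2>/dev/null  # pad the 40-byte field
    } > "$1"
}

# Demo: a made-up cmdline and two files standing in for /dev/sda1 and /dev/sda3
demo() {
    d=$(mktemp -d)
    make_fake_luks_header "$d/sda3" 0b7a2c3e-1d4f-4a5b-9c6d-7e8f9a0b1c2d
    printf 'ext3 boot partition, not LUKS' > "$d/sda1"
    spec=$(root_from_cmdline "BOOT_IMAGE=vmlinuz root=UUID=0b7a2c3e-1d4f-4a5b-9c6d-7e8f9a0b1c2d ro")
    resolve_root "$spec" "$d/sda1" "$d/sda3"               # prints <tmpdir>/sda3
    rm -rf "$d"
}
demo
```

In an initrd the candidate list would be the real block devices, e.g. `resolve_root "$ROOTDEV" /dev/sd?? /dev/hd??`; note that the isLuks check is also what stops a mistyped UUID on the append= line from handing a plain partition to luksOpen.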
