Thread: Encrypted Root Hard Drive Install - HOWTO

  1. #1
    Just burned his ISO
    Join Date
    Oct 2008
    Posts
    5

    Encrypted Root Hard Drive Install - HOWTO

    *** NOTE ***
    For those who didn't follow this link from my "BT3 on HP 2133 Mini Note - Findings" thread, please be aware that these instructions have been written for the HP 2133 mini-note. You can use them to set up BT3 with an encrypted root partition on any other machine, but you will need to be wary of the drive device names and partition numbers as they -WILL- be different. Substitute the below with your drive device names and partitions and you will be fine.
    I am unable to post URLs yet so I've substituted an X in the link; change it back to a T and they will work fine.

    First of all you need to make a USB boot BT3 from usb iso.

    Now you need to download these two files and put them in a dir called "extras" on your USB stick.

    cryptsetup-1.0.5 from:
    fxp://fxp.slackware.com/pub/slackware/slackware-12.0/slackware/a/cryptsetup-1.0.5-i486-2.tgz
    mkinitrd-1.1.2 from:
    fxp://fxp.slackware.com/pub/slackware/slackware-12.0/slackware/a/mkinitrd-1.1.2-i486-3.tgz
    This is extremely important! Make sure you get these two files!! I spent far too long mucking around with the source package from luks and it just doesn't work.

    Jam your USB stick into your HP 2133 and get ready to hit the F9 button. Select the USB stick from the boot menu and then boot the framebuffer text mode option. We don't need to run a KDE session!

    After boot, check mount and unmount your hard disk if it's mounted. BT3 usually automounts drive partitions in /mnt.

    Fire up fdisk on /dev/hda and setup your partitions. I setup mine as follows:

    100mb for /boot (hda1) (won't be encrypted)
    4gb for swap (hda2) (or double the size of your ram, this will be encrypted on the fly)
    remainder for / (hda3)

    *** REMINDER ***
    Make sure you set your boot partition active with option a, 1.

    *** NOTE ***
    When you boot your BT3 from USB, some users have reported not seeing their hard drives. There is a setting in the BIOS for your drive, I think it needs to be set to "compatibility mode". I'll check and let you know, but there are plenty of posts about it, just do a search.

    You may have to reboot for the partition changes to take effect. Be sure to check and do what fdisk says.

    OK, so if you needed to reboot and have done so, let's install cryptsetup so we can get started. Your USB drive should be mounted (mine is sda1) so let's install from there.
    # installpkg /mnt/sda1/extras/cryptsetup-1.0.5-i486-2.tgz
    Now we use cryptsetup to encrypt the root (hda3) partition. We will do the swap after BT3 has been installed.

    As quoted from the slackware 12 README_CRYPT.TXT file that I followed:

    "If you're not _too_ concerned with the possibility of an FBI agent confiscating your computer, you can skip this command:"

    You have no reason to worry about the feds do you?

    *** NOTE ***
    Make sure your partition is not mounted before running this command! Also you can use the VIA hardware RNG device if you've set it up.

    # dd if=/dev/urandom of=/dev/hda3
    Make sure you have plenty of coffee, as it will take quite a while!

    Let's enable kernel support for VIA Padlock, which is part of the HP 2133's processor... because we can:

    # modprobe padlock
    Prepare the partition for encryption. You will be asked to enter a passphrase twice, make it a good one!

    # cryptsetup -s 256 -y luksFormat /dev/hda3
    You can dump information about the encrypted partition to your console by running the following command:

    # cryptsetup luksDump /dev/hda3
    Now you have an encrypted partition with (hopefully) a strong passphrase. Let's map it to a block device. This device behaves like an ordinary block device and we will use it instead of /dev/hda* to create our filesystem on. The block device(s) exist in /dev/mapper. Get ready to use your passphrase.

    # cryptsetup luksOpen /dev/hda3 crypt-root
    If you do an ls /dev/mapper you will see the crypt-root block device. So let's create a filesystem on it. I used ext3. We do this for hda1 (/boot) too.

    # mkfs.ext3 /dev/mapper/crypt-root
    # mkfs.ext3 /dev/hda1
    Ok now we need to mount the partition and start our BT3 "install". The following has been adopted and butchered from the Messin with Backtrack PDF file.
    # mkswap /dev/hda2
    # swapon /dev/hda2
    # mkdir /mnt/backtrack
    This is the point we will mount our encrypted physical device.
    # mount /dev/mapper/crypt-root /mnt/backtrack
    # mkdir /mnt/backtrack/boot
    # mount /dev/hda1 /mnt/backtrack/boot
    Remember, the /boot (hda1) partition is not encrypted.
    # df
    Filesystem 1K-blocks Used Available Use% Mounted on
    aufs 539548 6480 533068 2% /
    /dev/sda1 1002052 880752 121300 88% /mnt/sda1
    /dev/mapper/crypt-root
    115171908 192676 109128816 1% /mnt/backtrack
    /dev/hda1 101086 20827 75040 22% /mnt/backtrack/boot

    As recommended by the Messin' with Backtrack PDF, make sure everything is mounted and correct otherwise things will bork.

    Code:
    # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack
    Preserve maintains all permissions and -R makes the command recursive.

    This command will copy all the dirs in the curly brackets from the current working system (which came from the USB stick) to your hard drive. All of it will be encrypted. Now is a great time to get another coffee as it may take a while!

    # mkdir /mnt/backtrack/{mnt,proc,sys,temp}
    # mount --bind /dev/ /mnt/backtrack/dev/
    This creates mnt,proc,sys and temp with one command. Then we remount the /dev directory (which holds the addresses for all physical devices) to our new mount point.

    # mount -t proc proc /mnt/backtrack/proc/
    Same for proc. This will provide an interface with the kernel in our new mount point.

    # cp /boot/vmlinuz /mnt/backtrack/boot/vmlinuz
    This is our kernel, we need it

    OK, let's move into our new home!

    # chroot /mnt/backtrack/
    Ahh, we're off the stinking USB device and on a real drive now

    Oh, before I forget:
    # e2label /dev/hda1 /boot
    # e2label /dev/mapper/crypt-root /
    This will come in handy for /etc/fstab

    Let's create our crypttab file. This file contains information cryptsetup needs for unlocking your encrypted volume and mapping it to the correct device name. The file '/etc/crypttab' contains lines of the format: "mappedname devicename password options".

    # echo "crypt-root /dev/hda3" > /etc/crypttab
    We don't enter the password (for obvious reasons), cryptsetup will ask for it when the mini-note boots.

    Now we can setup the encrypted swap.

    # echo "crypt-swap /dev/hda2 none swap" >> /etc/crypttab
    At shutdown of the machine, the encrypted swap partition will be reformatted as a normal unencrypted swap, so that any other OSs you run in a multi-boot configuration will have no problems in using this swap partition as well. Iz Naice!

    *** NOTE ***
    The swap partition is encrypted with a new randomly generated key every time your computer boots, so there is no need to ever enter a passphrase!

    Let's set up our fstab so things work properly...

    # nano /etc/fstab
    and make it look like this:

    /dev/mapper/crypt-root / ext3 defaults 0 0
    devpts /dev/pts devpts gid=5,mode=620 0 0
    proc /proc proc defaults 0 0
    sysfs /sys sysfs defaults 0 0
    /dev/mapper/crypt-swap swap swap defaults 0 0
    LABEL=/boot /boot ext3 defaults 0 0
    Now we can install mkinitrd so the system boots properly. We need to re-mount the USB stick to get access to the file first.
    # mount /dev/sda1 /mnt/sda1
    # installpkg /mnt/sda1/extras/mkinitrd-1.1.2-i486-3.tgz
    Now let's make a new initrd!

    Code:
    # /sbin/mkinitrd -c -k 2.6.21.5 -m ext3:sha1:sha256:padlock_aes:padlock_sha -f ext3 -r crypt-root -C /dev/hda3
    This writes a file to /boot/initrd.gz and creates a tree of things we need for the ramdisk.

    *** NOTE ***
    Remember, these instructions are specific for the HP 2133 which has VIA Padlock. You won't need to load padlock_aes and padlock_sha if you don't have a VIA C7-M processor, it won't work, you will need to load aes instead.
    So the module part would be : "-m ext3:sha1:sha256:aes"

    Now we need to setup lilo to use all the new settings.

    # mv /etc/lilo.conf /etc/lilo.conf.old
    # nano /etc/lilo.conf
    make it look like this:

    # LILO global section
    lba32 # Allow booting past 1024th cylinder with a recent BIOS
    boot = /dev/hda
    initrd = /boot/initrd.gz
    #message = /boot/boot_message.txt
    prompt
    timeout = 1200
    # Override dangerous defaults that rewrite the partition table:
    change-rules
    reset
    # VESA framebuffer console @ 1024x768x256
    vga = 773
    # End LILO global section
    # Linux bootable partition config begins
    image = /boot/vmlinuz
    root = /dev/mapper/crypt-root
    label = BackTrack
    read-only
    # Linux bootable partition config ends
    Now we can run lilo. This command will spit back a couple of warnings about devices not matching up, but don't stress, it will work anyway.

    # lilo -v
    # exit
    # reboot
    When your machine boots, you should be asked for your passphrase. Hopefully you can remember what it is.

    zing-a ding ding our mini-note has some bling

    Xan
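
A consistency check for the /etc/crypttab and /etc/fstab files built in the post above, as an added example that is not part of the original post or of Slackware's scripts. The function name check_crypt_config and the second, deliberately broken pair of files are constructed for illustration; the first pair is the configuration from the post.

```shell
# check_crypt_config CRYPTTAB FSTAB  (hypothetical helper, added example)
# Prints one finding per line; exit status is the number of findings.
check_crypt_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        FILENAME == ARGV[1] {                 # crypttab: name device password options
            mapped[$1] = 1
            if (NF >= 3 && $3 != "none") {
                print "crypttab: " $1 " has a value in the password field"
                bad++
            }
            next
        }
        $1 ~ /^\/dev\/mapper\// {             # fstab line on a mapped device
            if (!(substr($1, 13) in mapped)) {
                print "fstab: " $1 " has no crypttab entry"
                bad++
            }
            next
        }
        $3 == "swap" {                        # swap on a raw partition
            print "fstab: swap on " $1 " is not encrypted"
            bad++
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

CFG_DIR=$(mktemp -d)
# The two files as written in the post above.
printf '%s\n' 'crypt-root /dev/hda3' 'crypt-swap /dev/hda2 none swap' \
    > "$CFG_DIR/crypttab.page"
cat > "$CFG_DIR/fstab.page" <<'EOF'
/dev/mapper/crypt-root / ext3 defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/crypt-swap swap swap defaults 0 0
LABEL=/boot /boot ext3 defaults 0 0
EOF
# Constructed broken pair: stored passphrase, raw swap, unmapped volume.
echo 'crypt-root /dev/hda3 EXAMPLE-PASSPHRASE' > "$CFG_DIR/crypttab.bad"
cat > "$CFG_DIR/fstab.bad" <<'EOF'
/dev/mapper/crypt-root / ext3 defaults 0 0
/dev/hda2 swap swap defaults 0 0
/dev/mapper/crypt-home /home ext3 defaults 0 0
EOF

check_crypt_config "$CFG_DIR/crypttab.page" "$CFG_DIR/fstab.page" && echo "page config: consistent"
check_crypt_config "$CFG_DIR/crypttab.bad" "$CFG_DIR/fstab.bad" || echo "findings: $?"
```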

  2. #2
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    8

    Thinkpad X61s - TPM

    Thanks a bunch for posting this message. I have attempted to follow the instructions onto my ThinkPad x61s but ran into some issues along the way. And I am familiar with Linux and have used it for quite some time; however, I have never dabbled into Linux encryption.

    First of all, I have /dev/sda1 as Vista -- I then resized it using GParted so I can have the 100mb boot partition (/dev/sda2), the swap (/dev/sda3), and the root (/dev/sda4). I then switched /dev/sda2 as the boot partition and then saved changes. After everything was done, I booted from my BT USB to verify the fdisk looked well--it did. After creating the partition, I performed the dreadfully long 'dd if=/dev/urandom of=/dev/sda4'--this went on for a few hours and then eventually said:
    dd: writing to '/dev/sda4' : Input/output error
    89610569+0 records in
    89610568+0 records out
    45880610816 bytes (46GB) copied, 14245.6 s, 2.3 MB/s
    bt ~ # EXT3-fs error (device sda4): htree_dirblock_to_tree: bad entry in directory #2: rec_len % 4 != 0 - offset=0, inode=4282461833, rec_len=20019, name_len=227
    Not knowing if it looked like it performed the task ok, I decided to proceed with your next step (just for the hell of it, I guess).

    The ThinkPad comes with the integrated TPM so I see you did the 'modprobe padlock' for your device so I did the 'modprobe tpm' instead. Next, I did the cryptsetup command and it asked for the passphrase, etc. Then I got the following:
    Failed to setup dm-crypt key mapping
    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda4 contains at least 258 sectors.
    Failed to write to key storage.
    Command failed.
    I did a 'modprobe dm-crypt' to see if it was loaded and it said it was not found. I did install your cryptsetup package that was linked in your message.

    Any ideas?

  3. #3
    Member
    Join Date
    Sep 2008
    Posts
    306

    Quote Originally Posted by ilovenugz View Post
    After creating the partition, I performed the dreadfully long 'dd =/dev/urandom of=/dev/sda4'--this went on for a few hours and then eventually said:
    Typo in your post , or in your command?

    Code:
    dd if=/dev/urandom of=/dev/hda3
    Be sensitive in choosing where you ask your question. You are likely to be ignored, or written off as a loser, if you:

    * post your question to a forum where it's off topic
    * post a very elementary question to a forum where advanced technical questions are expected, or vice-versa
    * cross-post to too many different newsgroups
    * post a personal e-mail to somebody who is neither an acquaintance of yours nor personally responsible for solving your problem

  4. #4
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    8

    Apparently I had the partition mounted while attempting to run the command...

    terminal: typo in post

  5. #5
    Just burned his ISO
    Join Date
    Oct 2008
    Posts
    5

    ilovenugz: I'm not sure about tpm, but try "modprobe aes" and "modprobe sha256" before the cryptsetup command. Also, I'm not sure, but your dd command may have borked your partition if it was mounted when run. Maybe try removing the partition and creating it again.

    Xan

  6. #6
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    8

    The problem was that I did have the partition mounted when trying to perform the cryptsetup command. Once I umounted the partition, it worked just fine.

    Due to following this guide, I was able to properly install BT3 on my 128GB SSD hdd with encrypted OS and swap partitions--thanks!
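
The failure resolved in this thread (running dd and cryptsetup against a partition that was still mounted) can be caught before the destructive step. The following is an added example, not part of the original posts; the function names device_in_use and preflight and the sample tables are constructed, and it matches only the exact device name given.

```shell
# Added example. Reports whether DEVICE is a mount source or active swap,
# reading tables in the format of /proc/mounts and /proc/swaps.
# Usage: device_in_use DEVICE [MOUNTS_FILE] [SWAPS_FILE]; returns 0 if in use.
device_in_use() {
    dev=$1
    mounts=${2:-/proc/mounts}
    swaps=${3:-/proc/swaps}
    # mounts line: source mountpoint fstype options dump pass
    if awk -v d="$dev" '$1 == d { hit = 1 } END { exit !hit }' "$mounts"; then
        return 0
    fi
    # swaps has one header line, then: device type size used priority
    if awk -v d="$dev" 'NR > 1 && $1 == d { hit = 1 } END { exit !hit }' "$swaps"; then
        return 0
    fi
    return 1
}

# Gate for the destructive steps (dd, cryptsetup luksFormat).
# Prints a verdict and returns 0 only when the device is idle.
preflight() {
    if device_in_use "$@"; then
        echo "REFUSE: $1 is mounted or used as swap; umount/swapoff it first"
        return 1
    fi
    echo "OK: $1 is not in use"
    return 0
}

# Constructed sample tables (not captured from a real machine): the live USB
# session has auto-mounted the future root partition under /mnt.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
aufs / aufs rw 0 0
/dev/sda1 /mnt/sda1 vfat rw 0 0
/dev/hda3 /mnt/hda3 ext3 rw 0 0
EOF
cat > "$SAMPLE_DIR/swaps" <<'EOF'
Filename Type Size Used Priority
/dev/hda2 partition 4194296 0 -1
EOF

preflight /dev/hda3 "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/swaps" || true
preflight /dev/hda1 "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/swaps" || true
```

Called with only the device argument, preflight consults the live /proc/mounts and /proc/swaps.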
