Thread: BT4 Encrypted HDD install using LUKS and LVM booting from usb stick

  1. #1

    This is a similar tutorial to the one I posted previously; this one enables you to have
    the boot partition on a usb stick rather than have it reside on the hard drive.
    I hope you find this easy to follow.

    I am using /dev/sda as my hard drive and /dev/sdb as my usb stick.
    Remember to replace /dev/sd* with your devices.




    Preparation

    Bring network adaptor up and obtain an ip address
    Code:
    ifconfig eth0 up
    dhclient eth0
    Install needed software
    Code:
    apt-get update && apt-get install hashalot lvm2

    Make sure the partitions you are going to use are unmounted

    Code:
    cat /proc/partitions
    Code:
    umount /dev/{sda*,sdb*}



    Partitioning

    Partition the hard drive, create a new empty partition table first (o in fdisk) and create one large partition the size of your hard drive
    Code:
    fdisk /dev/sda
    Code:
    /btcrypt ALL
    Partition the usb stick, create a new empty partition table first (o in fdisk) and remember to set the /boot partition bootable (a then 1 in fdisk) and
    Code:
    fdisk /dev/sdb
    Code:
    /boot 200m
    Make the filesystem on the usb stick and label it
    Code:
    mkfs.ext2 /dev/sdb1
    e2label /dev/sdb1 boot



    Encrypting the hard drive and creating the LVM's

    Encrypt the large partition
    Code:
    cryptsetup -v -y -c twofish-cbc-essiv:sha256 -h sha256 -s 256 luksFormat /dev/sda1
    Open the encrypted partition and create the physical volume and volume groups
    Code:
    cryptsetup luksOpen /dev/sda1 btcrypt
    pvcreate /dev/mapper/btcrypt
    vgcreate btcrypt /dev/mapper/btcrypt
    Create swap partition, change 4G to your swap size
    Code:
    lvcreate -L 4G -n swap btcrypt
    Create root partition, use all the free space
    Code:
    lvcreate -l 100%FREE -n root btcrypt
    Find and activate volume groups
    Code:
    vgscan --mknodes
    vgchange -ay
    Make filesystem on the root partition
    Code:
    mkfs.ext3 /dev/mapper/btcrypt-root
    Make and activate swap partition
    Code:
    mkswap /dev/mapper/btcrypt-swap
    swapon /dev/mapper/btcrypt-swap
    Mount the root and boot partition and continue with the install
    Code:
    mkdir /mnt/bt4
    mount /dev/mapper/btcrypt-root /mnt/bt4/
    mkdir /mnt/bt4/boot/
    mount /dev/sdb1 /mnt/bt4/boot
    cp --preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt4/
    mkdir /mnt/bt4/{mnt,tmp,proc,sys}
    chmod 1777 /mnt/bt4/tmp/
    mount -t proc proc /mnt/bt4/proc/
    mount -o bind /dev /mnt/bt4/dev/
    chroot /mnt/bt4/ /bin/bash

  2. #2

    Setting up initramfs-tools preparing and creating the initrd image


    Add the encryption information to crypttab
    Code:
    echo "btcrypt      /dev/sda1       none luks,retry=1,lvm=btcrypt" >> /etc/crypttab

    Make fstab and lilo.conf look like the following

    Code:
    nano /etc/fstab
    Code:
    /dev/mapper/btcrypt-root / auto defaults 0 0
    /dev/mapper/btcrypt-swap none swap auto,defaults,pri=1 0 0 
    proc /proc proc defaults 0 0 
    sysfs /sys sysfs defaults 0 0 
    devpts /dev/pts devpts gid=5,mode=620 0 0 
    tmpfs /dev/shm tmpfs defaults 0 0 
    LABEL=boot /boot ext2 auto,noatime 0 0

    Code:
    nano /etc/lilo.conf
    Code:
    lba32
    boot=/dev/sdb
    large-memory
    prompt
    timeout=50
    vga=0x317
    image=/boot/vmlinuz
            label="BT4"
            read-only
            initrd=/boot/initrd.img-2.6.28.1
            root= /dev/mapper/btcrypt-root

    Add encryption and usb modules to the initramfs-tools config file
    Code:
    nano /etc/initramfs-tools/modules
    Code:
    twofish
    sha256
    ehci-hcd
    usb-storage
    scsi_mod
    sd_mod
    Check the initramfs config file for MODULES=most and add WAIT=12 to allow for detection of devices
    Code:
    nano /etc/initramfs-tools/initramfs.conf
    Code:
    MODULES=most
    WAIT=12
    Create a blank modules.dep file, without which I have some errors on booting
    Code:
    mkdir -p /etc/initramfs-tools/lib/modules/2.6.28.1/
    touch /etc/initramfs-tools/lib/modules/2.6.28.1/modules.dep
    depmod -a
    Fix the default resume partition, so suspend can work
    Code:
    blkid /dev/mapper/btcrypt-swap
    Add this to /etc/initramfs-tools/conf.d/resume; replace /dev/sd* with the UUID from the previous command
    Code:
    nano /etc/initramfs-tools/conf.d/resume
    Code:
    RESUME=UUID=e0eb116b-b425-4896-8faa-279f18ca0341
    OK, let's make an initrd.
    Code:
    update-initramfs -k all -c
    ls -l /boot/


    You will see initrd.img-2.6.28.1 in your boot partition; this is our newly created initrd image.




    Checking the initrd image

    Code:
    cd /root/
    mkdir tmp
    cd tmp
    Decompress the initrd and pipe it through cpio
    Code:
    gzip -dc /boot/initrd.img-2.6.28.1 | cpio -id
    You can see the file system of the initrd image laid out
    Code:
    ls
    First check that the encrypted partitions were being picked up properly by the update-initramfs script (Line should read as below)
    Code:
    cat conf/conf.d/cryptroot
    Code:
    target=btcrypt,source=/dev/sda1,key=none,lvm=btcrypt-root,lvm=btcrypt
    then check the modules directory
    Code:
    ls -l lib/modules/2.6.28.1/
    If there is no modules.dep file in lib/modules/2.6.28.1/ then create it
    Code:
    touch lib/modules/2.6.28.1/modules.dep

    and repack the files
    Code:
    find ./ | cpio -H newc -o > /boot/initrd.img-2.6.28.1.new
    Gzip and rename the initrd
    Code:
    cd /boot/ 
    gzip initrd.img-2.6.28.1.new
    mv initrd.img-2.6.28.1.new.gz initrd.img-2.6.28.1



    Cleaning Up

    Run lilo, exit chroot and reboot
    Code:
    lilo -v
    Code:
    exit
    Code:
    reboot



    Sources and Further Reading

    Code:
    hxxp://forums.remote-exploit.org/showthread.php?t=19550
    man cpio
    man initramfs-tools
    man initramfs.conf
    man update-initramfs
    man mkinitramfs
    man crypttab
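
Added example (not part of the original posts): the manual checks from "Checking the initrd image" collected into one shell function, to run against the unpacked tree before repacking. The names `field` and `check_initrd_tree` are made up for this example, and it assumes the cryptroot line format shown in the post.

```shell
#!/bin/sh
# Added example; field and check_initrd_tree are hypothetical helper names.
# Usage: check_initrd_tree TREE TARGET SOURCE KVER
# Prints one line per finding and returns the number of failed checks.

# Print every value of KEY ($2) in a comma-separated key=value line ($1).
field() { printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"; }

check_initrd_tree() {
    tree=$1 target=$2 source_dev=$3 kver=$4
    fails=0
    conf="$tree/conf/conf.d/cryptroot"

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf missing, crypttab was not picked up"
        fails=$((fails + 1))
    else
        # One line per mapped device; take the one for our target.
        line=$(grep "^target=$target," "$conf" | head -n 1)
        if [ -z "$line" ]; then
            echo "FAIL: no cryptroot entry for target=$target"
            fails=$((fails + 1))
        else
            src=$(field "$line" source | head -n 1)
            key=$(field "$line" key | head -n 1)
            if [ "$src" != "$source_dev" ]; then
                echo "FAIL: source=$src, expected $source_dev"
                fails=$((fails + 1))
            fi
            # /boot on the stick is unencrypted: a key file packed into
            # the initrd would be readable by whoever holds the stick.
            if [ "$key" != "none" ]; then
                echo "FAIL: key=$key, expected none (passphrase prompt)"
                fails=$((fails + 1))
            fi
            if [ -z "$(field "$line" lvm)" ]; then
                echo "FAIL: no lvm= entry, LVM volumes may not be activated"
                fails=$((fails + 1))
            fi
        fi
    fi

    if [ ! -f "$tree/lib/modules/$kver/modules.dep" ]; then
        echo "FAIL: lib/modules/$kver/modules.dep missing"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: initrd tree matches the expected layout"
    return "$fails"
}
```

From /root/tmp after the cpio extraction, call `check_initrd_tree . btcrypt /dev/sda1 2.6.28.1`; a non-zero return value is the number of failed checks.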
