
Thread: BT4 Encrypted HDD install using LUKS and LVM

  1. #1
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    22

    Encrypted HD install using LUKS and LVM boot partition on HD

    This is my first tutorial here, I hope it is useful to you

    This will allow you to have an encrypted BT4-beta install with the boot partition located on the hard drive.
    I hope you find this easy to follow


    Remember to replace /dev/sda* with your device.


    Preparation

    Bring network adapter up and obtain an ip address
    Code:
    ifconfig eth0 up
    dhclient eth0
    Install needed software
    Code:
    apt-get update && apt-get install hashalot lvm2

    Make sure the partitions you are going to use are unmounted
    Code:
    cat /proc/partitions
    Code:
    umount /dev/{sda1,sda2}



    Partitioning

    Partition the hard drive, create a new empty partition table first (o in fdisk), and remember to set the /boot partition bootable (a then 1 in fdisk)

    Create one small partition which will be the boot partition and one large partition which will be the encrypted partition.
    Code:
    fdisk /dev/sda
    Code:
    /boot  200m
    /btcrypt rest
    Make the filesystem on the boot partition and label it
    Code:
    mkfs.ext2 /dev/sda1
    e2label /dev/sda1 boot



    Encrypting the hard drive and creating the LVMs

    Encrypt the large partition
    Code:
    cryptsetup -v -y -c twofish-cbc-essiv:sha256 -h sha256 -s 256 luksFormat /dev/sda2
    Open the encrypted partition and create the physical volume and volume groups
    Code:
    cryptsetup luksOpen /dev/sda2 btcrypt
    pvcreate /dev/mapper/btcrypt
    vgcreate btcrypt /dev/mapper/btcrypt
    Create swap partition, change 4G to your swap size
    Code:
    lvcreate -L 4G -n swap btcrypt
    Create root partition, use all the free space
    Code:
    lvcreate -l 100%FREE -n root btcrypt
    Find and activate volume groups
    Code:
    vgscan --mknodes
    vgchange -ay
    Make filesystem on the root partition
    Code:
    mkfs.ext3 /dev/mapper/btcrypt-root
    Make and activate swap partition
    Code:
    mkswap /dev/mapper/btcrypt-swap
    swapon /dev/mapper/btcrypt-swap
    Mount the root and boot partition and continue with the install
    Code:
    mkdir /mnt/bt4
    mount /dev/mapper/btcrypt-root /mnt/bt4/
    mkdir /mnt/bt4/boot/
    mount /dev/sda1 /mnt/bt4/boot
    cp --preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt4/
    mkdir /mnt/bt4/{mnt,tmp,proc,sys}
    chmod 1777 /mnt/bt4/tmp/
    mount -t proc proc /mnt/bt4/proc/
    mount -o bind /dev /mnt/bt4/dev/
    chroot /mnt/bt4/ /bin/bash

  2. #2
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    22


    Setting up initramfs-tools preparing and creating the initrd image

    Add the encryption information to crypttab
    Code:
    echo "btcrypt      /dev/sda2       none luks,retry=1,lvm=btcrypt" >> /etc/crypttab
    Make fstab and lilo.conf look like the following

    Code:
    nano /etc/fstab
    Code:
    /dev/mapper/btcrypt-root / auto defaults 0 0
    /dev/mapper/btcrypt-swap none swap auto,defaults,pri=1 0 0 
    proc /proc proc defaults 0 0 
    sysfs /sys sysfs defaults 0 0 
    devpts /dev/pts devpts gid=5,mode=620 0 0 
    tmpfs /dev/shm tmpfs defaults 0 0 
    LABEL=boot /boot ext2 auto,noatime 0 0
    Code:
    nano /etc/lilo.conf
    Code:
    lba32
    boot=/dev/sda
    large-memory
    prompt
    timeout=50
    vga=0x317
    image=/boot/vmlinuz
            label="BT4"
            read-only
            initrd=/boot/initrd.img-2.6.28.1
            root= /dev/mapper/btcrypt-root
    Add the encryption modules to the initramfs-tools config file
    Code:
    nano /etc/initramfs-tools/modules
    Code:
    twofish
    sha256
    Check the initramfs config file for MODULES=most
    Code:
    nano /etc/initramfs-tools/initramfs.conf
    Create a blank modules.dep file, without which I have some errors on booting

    Code:
    mkdir -p /etc/initramfs-tools/lib/modules/2.6.28.1/
    touch /etc/initramfs-tools/lib/modules/2.6.28.1/modules.dep
    depmod -a
    Fix the default resume partition, so suspend can work
    Code:
    blkid /dev/mapper/btcrypt-swap
    Add this to /etc/initramfs-tools/conf.d/resume,
    replacing /dev/sd* with the UUID from the previous command
    Code:
    nano /etc/initramfs-tools/conf.d/resume
    Code:
    RESUME=UUID=e0eb116b-b425-4896-8faa-279f18ca0341

    OK, let's make an initrd:
    Code:
    update-initramfs -k all -c
    ls -l /boot/

    You will see initrd.img-2.6.28.1 in your boot partition, this is our newly created initrd




    Checking the initrd image

    Code:
    cd /root/
    mkdir tmp
    cd tmp
    Decompress the initrd and pipe it through cpio
    Code:
    gzip -dc /boot/initrd.img-2.6.28.1 | cpio -id
    You can see the file system of the initrd image laid out
    Code:
    ls
    First check that the encrypted partitions were being picked up properly by the update-initramfs script (Line should read as below)
    Code:
    cat conf/conf.d/cryptroot
    Code:
    target=btcrypt,source=/dev/sda2,key=none,lvm=btcrypt-root,lvm=btcrypt
    Then check the modules directory
    Code:
    ls -l lib/modules/2.6.28.1/

    If there is no modules.dep file in lib/modules/2.6.28.1/ then create it
    Code:
    touch lib/modules/2.6.28.1/modules.dep
    And repack the files
    Code:
    find ./ | cpio -H newc -o > /boot/initrd.img-2.6.28.1.new
    Gzip and rename the initrd
    Code:
    cd /boot/ 
    gzip initrd.img-2.6.28.1.new
    mv initrd.img-2.6.28.1.new.gz initrd.img-2.6.28.1


    Cleaning up

    Run lilo, exit chroot and reboot
    Code:
    lilo -v
    Code:
    exit
    Code:
    reboot

    Sources and Further Reading

    Code:
    hxxp://forums.remote-exploit.org/showthread.php?t=19550
    man cpio
    man initramfs-tools
    man initramfs.conf
    man update-initramfs
    man mkinitramfs
    man crypttab
    Thanks for the release guys.
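
The manual checks in the "Checking the initrd image" steps above can be scripted. This is an added example, not part of the original post: the function name `check_initrd` and the sample tree are constructed for illustration, and it assumes the initrd has already been unpacked with the gzip/cpio command from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original post): verify an unpacked initrd tree
# against crypttab before repacking it. Function name is hypothetical.
# usage: check_initrd <unpacked_initrd_dir> <crypttab_file> <kernel_version>
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_initrd() {
    dir=$1; crypttab=$2; kver=$3; rc=0
    conf="$dir/conf/conf.d/cryptroot"
    if [ ! -s "$conf" ]; then
        echo "missing or empty: conf/conf.d/cryptroot"
        return 1
    fi
    # cryptroot holds a comma-separated key=value list; one pair per line.
    pairs=$(head -n 1 "$conf" | tr ',' '\n')
    target=$(echo "$pairs" | sed -n 's/^target=//p' | head -n 1)
    src=$(echo "$pairs" | sed -n 's/^source=//p' | head -n 1)
    # crypttab columns: <target> <source device> <key file> <options>
    want=$(awk -v t="$target" '$1 == t { print $2; exit }' "$crypttab")
    if [ -z "$want" ]; then
        echo "target '$target' not found in crypttab"; rc=1
    elif [ "$want" != "$src" ]; then
        echo "source mismatch: initrd=$src crypttab=$want"; rc=1
    fi
    if ! echo "$pairs" | grep -q '^lvm='; then
        echo "no lvm= entry in cryptroot"; rc=1
    fi
    if [ ! -e "$dir/lib/modules/$kver/modules.dep" ]; then
        echo "missing: lib/modules/$kver/modules.dep"; rc=1
    fi
    return $rc
}

# Constructed sample tree mirroring the tutorial's values, minus modules.dep.
demo=$(mktemp -d)
mkdir -p "$demo/rd/conf/conf.d" "$demo/rd/lib/modules/2.6.28.1"
echo 'target=btcrypt,source=/dev/sda2,key=none,lvm=btcrypt-root,lvm=btcrypt' \
    > "$demo/rd/conf/conf.d/cryptroot"
echo 'btcrypt      /dev/sda2       none luks,retry=1,lvm=btcrypt' > "$demo/crypttab"
check_initrd "$demo/rd" "$demo/crypttab" 2.6.28.1 || echo "initrd needs fixing"
rm -rf "$demo"
```

A source mismatch here means the passphrase prompt at boot will refer to a different device than the one listed in crypttab.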

  3. #3
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    15


    Thanks for this great Howto! It worked perfectly except for one small issue when installing lilo (or grub in my case). Before exiting chroot when I tried to run

    Code:
    lilo -v
    I got a write error from lilo, same with grub-install in my case. This can be fixed by updating the mtab in the chroot environment before installing lilo:

    Code:
    grep -v rootfs /proc/mounts > /etc/mtab
    After that lilo (or grub) was installed properly and everything worked fine.
    I love deadlines. I like the whooshing sound they make as they fly by.

    Douglas Adams

  4. #4
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    2

    Problem with encrypted HDD install

    _arc_

    Great posting, thanks for taking the time, I followed everything and had a problem and I was wondering if you had any thoughts.

    I am using an eee pc 1000 and I am running into an error when I reboot. After I am asked for my password to decrypt the partition I see the following (I completely erased the laptop and followed the steps again and received the same error message):

    Enter passphrase to unlock the disk /dev/sda2 (btcrypt):
    keyslot 0 unlocked
    Command successful
    Done
    Begin: Running /scripts/local-premount ...
    Begin: Waiting for resume device... ...
    Done
    Done
    mount: mounting /dev/root on /root failed: No such device
    Begin: Running /scripts/local-bottom ...
    Done
    Done
    Begin: Running /scripts/init-bottom ...
    mount: mounting /root/dev on /dev/.static/dev failed: No such device file or directory
    Done
    mount: mounting /sys on /root/sys failed: No such file or directory
    mount: mounting /proc on /root/proc failed: No such file or directory
    Target filesystem doesn't have /sbin/init
    No init found. Try passing init=bootarg

    BusyBox v1.10.2 yada yada yada
    (initramfs)


    I added the yada yada myself, I am essentially presented the initramfs prompt.

    Any thoughts on how to fix this? Is there anything else I can post that will help solve my problem?

    Thanks

  5. #5
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    22


    Thank you for your comments

    jojokoko
    I would double check fstab, lilo.conf and crypttab and make sure they tally with your partitions.
    Also check /etc/initramfs-tools/modules to make sure the relevant crypto filesystem modules are there.

    Can you post the files above if you have any problems.

    Thanks


    RaginRob
    Thanks. It should not be a problem installing lilo by hand, or
    if you install grub by hand you should not have any problems either.

    grub
    root (hd0,0)
    setup (hd0)

    But grub-install reads mtab and will fail in a chroot environment
    unless the command you have posted is used.

  6. #6
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    Quick question, haven't checked the encrypted setup with BT4 yet for myself:
    Does it result in the same unmount issue when shutting down as in BT3?
    Tiocfaidh ár lá

  7. #7
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    22


    Quote Originally Posted by KMDave View Post
    Quick question, haven't checked the encrypted setup with BT4 yet for myself:
    Does it result in the same unmount issue when shutting down as in BT3?
    Hi KMDave
    No problems with unmounting as with BT3.

  8. #8
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    22

    Changing Mount Points?

    Is there an easy way to modify this so that it either automatically senses what device the boot drive is tied to or where you can manually select at startup? I set it up as an sda but when I boot with another hard drive in the system it forces the USB drive to sdb and it can't find the encrypted partition. Do I have to make two images for this, or is there an easy way to have it either know or be told that it's on a different mount point?

    Other than that it works AWESOME. Thanks for the walkthrough!

  9. #9
    Senior Member Shatter's Avatar
    Join Date
    Jan 2010
    Posts
    192


    Interesting. I've had the same unmount issue in bt3 where the root partition would fail to unmount properly upon shutdown, citing it was busy. I didn't dive into the problem any deeper after writing the tutorial, but it still does interest me as to why it occurs. I haven't tried out your method yet, arc, but you say that there are no unmounting console errors with it on shutdown?

    EDIT: Just to be clear. I am talking about the encryption method described in my thread here.
    I have the card in me head, but you have the memory problems?

  10. #10
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    22


    Mexicant
    You can try specifying a UUID in crypttab instead of the device name.
    /dev/disk/by-uuid/<UUID>

    xCPPx
    I have read and used your tutorial for bt3, nice.
    No problem with unmounting here under ubuntu. I have a box running encrypted BT3 and had the same error but have not had a chance to look at the problem either. I suspect the shutdown script needs reordering or re-writing.
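
The crypttab change suggested in post #10, as an added example that is not part of any post in the thread: the function name `crypttab_use_uuid` is hypothetical and the UUID is a constructed placeholder. It prints the rewritten file to standard output and leaves the original untouched.

```shell
#!/bin/sh
# Added example (not from the original thread): print a copy of crypttab in
# which the given device path is replaced by its /dev/disk/by-uuid/ path.
# usage: crypttab_use_uuid <crypttab_file> <device> <uuid>
# Returns 0 if a line was rewritten, 1 if the device was not found,
# 2 if the UUID contains anything other than hex digits and dashes.
crypttab_use_uuid() {
    file=$1; dev=$2; uuid=$3
    # Accept only hex digits and dashes so nothing unexpected lands in the file.
    case $uuid in
        ''|*[!0-9a-fA-F-]*) echo "bad UUID: $uuid" >&2; return 2 ;;
    esac
    awk -v dev="$dev" -v new="/dev/disk/by-uuid/$uuid" '
        /^[ \t]*(#|$)/ { print; next }      # keep comments and blank lines
        $2 == dev      { $2 = new; hits++ } # field 2 is the source device
                       { print }
        END            { exit (hits ? 0 : 1) }
    ' "$file"
}

# Constructed sample: the tutorial's crypttab line and a made-up UUID.
# On the real system the UUID would come from: blkid -s UUID -o value /dev/sda2
sample=$(mktemp)
echo 'btcrypt      /dev/sda2       none luks,retry=1,lvm=btcrypt' > "$sample"
crypttab_use_uuid "$sample" /dev/sda2 00000000-0000-4000-8000-000000000000
rm -f "$sample"
```

After changing crypttab, rebuild the initrd with update-initramfs as in the tutorial, because the source device is copied into conf/conf.d/cryptroot inside the image.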
