Hi all, I've been playing with the BT4 Pre-Final and my usual paranoia about my data got me wondering, how could I get full disk encryption working with BT4? Well, now that BT is based off of Ubuntu, this was easy to accomplish. If you want full disk encryption, read on.

Note that I am not writing this for a newcomer to BT, or even Linux for that matter, to follow. Therefore, if there is something you don’t understand let me direct you towards google.com now. I’ll help where I can, but I’m not explaining what a UUID is for example.

With that out of the way… unfortunately, we will need to reinstall BT from scratch so back up whatever data you need. We will also need a separate, unencrypted boot partition. I recommend popping in a gparted live cd now and partitioning your hdd as you see fit. As long as we have a boot partition and a partition for BT, we’re good.
I’m writing this guide for a single boot BT install but I have my system set up with a dual, tri or even quad boot. Thus, what I did is slightly different from the guide. You can also add encrypted swap or separate home/root partitions. The commands are essentially the same, there are just a few more of them. I'm writing this more as a basic disk encryption guide, not an encyclopaedia of how to do every type of encryption line by line.

Let’s get started. I assume you are running as root for all of these commands.

1.) OPTIONAL – The first thing to do is to fill the partition you’re about to put BT on with random data. This step is optional but it will ensure that no data is left behind. Note that this can take a very long time depending on the size of your drive.
Code:
dd if=/dev/urandom of=/dev/sdXX
Obviously, replace the sdXX with the appropriate letter and/or number. Depending on your level of paranoia you can use /dev/random which generates truly random data. This is considerably slower however and can lock up your system. Also, you can do dd if=/dev/zero… after filling the drive with random data to make it look like random data was never written to the drive. It’s all up to you and how secure you want to be.

2.) You should have your hdd partitioned already so let’s boot up the BT4 live cd. We need to load a kernel module.
Code:
modprobe aes-i586
3.) Now we’re going to encrypt the partition. Make sure you double check the block device before running this command. EVERYTHING in the partition WILL BE DELETED. I don’t think I need to discuss how to choose a good passPHRASE here (phrase, not word). It's completely pointless to encrypt everything and then choose a simple password.
Code:
cryptsetup luksFormat /dev/sdXX
If you are familiar with luks or want some more security, modify the above command to increase the key length, etc. I’m not going into that.
If you also use a swap or separate home partition, make sure you run that command on each of those if you want them encrypted. Again, this will delete all data on the specified partition.

4.) We now have our encrypted partitions set up, now we need to format them. Just fyi, an encrypted partition is like an empty container that holds a filesystem. This is why we need to format them.
So first, let’s open it so we can read it.
Code:
cryptsetup luksOpen /dev/sdXX root
The root at the end of that command is just the name I want to refer to the opened encrypted partition by. It can be anything you want and it can also be changed in your crypttab file (we’ll get to that soon).
Now that the partition is open, let’s format it as ext3. (If anyone tries ext4, let me know how it goes, I’m curious to see if it works or not.)
Code:
mkfs.ext3 -j -O extent /dev/mapper/root
As you can see, the encrypted partition we just opened is located at /dev/mapper/root (or whatever you called it). Again, just fyi, -j specifies we want a journal and -O extent makes it faster or something, I’m not sure. Gparted used that command and it’s worked out for me so far.

5.) So far so good. Now that everything is set up, run the BT installer and select /dev/mapper/root to be mounted as / and /dev/sdXX as /boot. Make sure you check the format box for /dev/mapper/root. Remember, we’re using ext3. When I was first trying this, it failed the installation if I did not tell it to format it again. I guess this kind of makes the previous step unnecessary but I feel it’s good practice to format it manually first.

You will most likely receive a fatal error dealing with grub. Ignore it and exit the installer. We’ll fix this later.

Just fyi, the reason I say to use the gui installer rather than doing a copy from the command line is simply that it would take more commands to fix what would get screwed up. However, for those that insist on installing their system via terminal, you can try the below commands. I have not tested these at all; thus, I have no idea if they work or not. If you do do it this way you may skip step six. Thanks to floyd for posting the basis of these commands.

Code:
mkdir /mnt/root
mount /dev/mapper/root /mnt/root/
mkdir -p /mnt/root/boot/
mount /dev/sdXX /mnt/root/boot
# Note that we are copying from /rofs instead of /. This _should_ avoid problems with updating the initrd in step 10.
cp --preserve -R /rofs/{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/root/
mkdir /mnt/root/{media,mnt,tmp,proc,sys}
chmod 1777 /mnt/root/tmp/
mount -t proc proc /mnt/root/proc/
mount -o bind /dev /mnt/root/dev/
chroot /mnt/root/ /bin/bash
6.) Other than the grub issue, hopefully the installer completed successfully. If so, stay in the live cd; we have some more work to do. Let’s mount our new BT system and chroot to it so we can make it boot.
Code:
mkdir /mnt/root
mount /dev/mapper/root /mnt/root
mount /dev/sdXX /mnt/root/boot
chroot /mnt/root
mount -t proc proc /proc
mount -t sysfs sys /sys
Good. We should have pivoted our root to our new BT system and mounted a few things to make it somewhat useable. If you had problems with this step, floyd has posted the following workaround.
Code:
mkdir /mnt/root
mount /dev/mapper/root /mnt/root
mount /dev/sdXX /mnt/root/boot
mount -t proc proc /mnt/root/proc/
mount -o bind /dev /mnt/root/dev/
chroot /mnt/root
From here you can run apt-get update if you want. Also, they should already be installed but just to make sure you can do an “apt-get install cryptsetup initramfs-tools”. You'll get errors later if they aren't installed.

7.) Moving on, we need to edit our /etc/crypttab file. This file tells the initrd what partitions to open at boot so the system can mount them and use them.
I’m going to stick with my root name for / here.
Code:
root     /dev/sdXX     none     luks
That’s it. If you did any other encrypted partitions, add them in here. If not, let’s move on.

8.) We now need to edit our /etc/fstab file. (I won’t explain this file, you should know.) Comment out whatever line is in there already for /. We also need to add a line for our boot partition. We want it to look like this…
Code:
/dev/mapper/root    /               ext3 relatime,errors=remount-ro      0 1
/dev/sdXX        /boot    ext3    defaults    0 0
9.) Almost done. We need to add a few kernel modules into the /etc/initramfs-tools/modules file. This tells what kernel modules we want loaded at boot. Add these lines to that file…
Code:
aes-i586
sha256
dm-mod
dm-crypt
I don't believe these are all necessary but it doesn't hurt to have them in there.

10.) Update your initrd file to represent the changes we just made.
Code:
update-initramfs -k all -c
I get an error when it tries to create an initrd file for kernel 2.6.29.3 but BT4 comes with 2.6.29.4 so as long as you get no errors on the initrd for 2.6.29.4 you should be good. It may take a few seconds to do this.

11.) Let’s fix that grub error now.
Code:
cd /boot/grub/
nano menu.lst
You’re going to want to edit the BT entry to look like this…
Code:
title           BackTrack 4
uuid          [enter uuid of boot partition here]
kernel       /vmlinuz-2.6.29.4 root=/dev/mapper/root ro
initrd         /initrd.img-2.6.29.4
quiet
You can find the UUID of your boot partition by running “blkid /dev/sdXX”. Note that since we have a separate boot partition all paths are relative to / instead of /boot.
Now we install grub to the drive…
Code:
grub-install /dev/sdX
Note on the grub-install command, the end /dev/sdX is the drive, not the boot partition (eg, /dev/sda, not /dev/sda1).
If you receive the error "/dev/sdX does not have any corresponding BIOS devices" pivot back to the live cd and run this...
Code:
grub-install --root-directory=/mnt/root/ /dev/sdX
Also note that I am using a slightly different set up on my system so I haven’t tested this step line by line personally; let me know if it doesn’t work exactly as I’ve written it. If you are doing a different setup, such as dual boot with another Linux distro, here’s your warning to watch very carefully what BT grub files you allow in your boot partition. You only need the kernel and the initrd file. I wasn’t paying attention to this and spent hours fixing grub errors that I had never encountered before.


Alright. Pivot back to the live cd (type exit) and unmount /mnt/root/boot and /mnt/root and reboot. When BT starts it should ask you for a passphrase and continue booting. Good luck!


I really don’t deserve credit for making this all work. I followed this guide from the Linux Mint forums and just made a few changes to get it working.

My guide on encrypting a usb install of BT4 can be found here.

I hope this helps someone. Any suggestions/feedback/corrections for this guide are very welcome. Also, if it doesn’t work, let me know, I’ll try my best to figure out why.

-esc
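
A pre-reboot consistency check for the files edited in steps 7, 8 and 11, as an added example that is not part of the original post: it confirms that the mapper name in /etc/crypttab is the one used for / in /etc/fstab and for root= in menu.lst, and that /boot is not on the LUKS device. It assumes a single-boot menu.lst whose first kernel line is the BT entry; the function names and the sample devices sda1/sda2 are made up for illustration.

```shell
#!/bin/sh
# Pre-reboot check: do crypttab, fstab and menu.lst agree on the mapper name?
# Added example; from the live cd, call it as: check_luks_boot /mnt/root

crypttab_field() {   # $1=file $2=field number of the first luks entry
    awk -v f="$2" '!/^[[:space:]]*#/ && NF >= 4 && $4 ~ /luks/ { print $f; exit }' "$1"
}
fstab_dev() {        # $1=file $2=mount point; prints the device mounted there
    awk -v m="$2" '!/^[[:space:]]*#/ && $2 == m { print $1; exit }' "$1"
}
grub_root_arg() {    # root= argument of the first kernel line in menu.lst
    awk '$1 == "kernel" { for (i = 2; i <= NF; i++)
        if ($i ~ /^root=/) { print substr($i, 6); exit } }' "$1"
}

check_luks_boot() {
    root=${1:-}
    name=$(crypttab_field "$root/etc/crypttab" 1)
    src=$(crypttab_field "$root/etc/crypttab" 2)
    rootdev=$(fstab_dev "$root/etc/fstab" /)
    bootdev=$(fstab_dev "$root/etc/fstab" /boot)
    karg=$(grub_root_arg "$root/boot/grub/menu.lst")
    [ -n "$name" ] || { echo "crypttab: no luks entry"; return 1; }
    want="/dev/mapper/$name"; rc=0
    [ "$rootdev" = "$want" ] || { echo "fstab: / is '$rootdev', want $want"; rc=1; }
    [ "$karg" = "$want" ] || { echo "menu.lst: root='$karg', want $want"; rc=1; }
    [ -n "$bootdev" ] || { echo "fstab: no /boot entry"; rc=1; }
    [ "$bootdev" != "$src" ] || { echo "fstab: /boot is the LUKS device $src"; rc=1; }
    [ "$rc" -ne 0 ] || echo "ok: all three files use $want"
    return "$rc"
}

# Constructed sample tree (sda1 = /boot, sda2 = LUKS) for trying the check.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/boot/grub" || return 1
    echo "root /dev/sda2 none luks" > "$d/etc/crypttab"
    printf '%s\n' "#/dev/sda2 / ext3 defaults 0 1" \
        "/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1" \
        "/dev/sda1 /boot ext3 defaults 0 0" > "$d/etc/fstab"
    printf '%s\n' "title BackTrack 4" \
        "kernel /vmlinuz-2.6.29.4 root=/dev/mapper/root ro" > "$d/boot/grub/menu.lst"
    echo "$d"
}
```

A non-zero return means one of the three files still points at a different name or device, which is worth fixing before the update-initramfs and reboot steps.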