
Thread: HOWTO: BT4 Pre-Final Full Disk Encryption

  1. #1
    Member
    Join Date
    Jul 2007
    Posts
    104

    Cool HOWTO: BT4 Pre-Final Full Disk Encryption

    Hi all, I've been playing with the BT4 Pre-Final and my usual paranoia about my data got me wondering, how could I get full disk encryption working with BT4? Well, now that BT is based off of Ubuntu, this was easy to accomplish. If you want full disk encryption, read on.

    Note that I am not writing this for a newcomer to BT, or even Linux for that matter, to follow. Therefore, if there is something you don’t understand let me direct you towards google.com now. I’ll help where I can, but I’m not explaining what a UUID is for example.

    With that out of the way… unfortunately, we will need to reinstall BT from scratch so backup whatever data you need. We will also need a separate, unencrypted boot partition. I recommend popping in a gparted live cd now and partitioning your hdd as you see fit. As long as we have a boot partition and a partition for BT, we’re good.
    I’m writing this guide for a single boot BT install but I have my system set up with a dual, tri or even quad boot. Thus, what I did is slightly different from the guide. You can also add encrypted swap or separate home/root partitions. The commands are essentially the same, there's just a few more of them. I'm writing this more of a basic disk encryption guide, not an encyclopaedia of how to do every type of encryption line by line.

    Let’s get started. I assume you are running as root for all of these commands.

    1.) OPTIONAL – The first thing to do is to fill the partition you’re about to put BT on with random data. This step is optional but it will ensure that no data is left behind. Note that this can take a very long time depending on the size of your drive.
    Code:
    dd if=/dev/urandom of=/dev/sdXX
    Obviously, replace the sdXX with the appropriate letter and/or number. Depending on your level of paranoia you can use /dev/random which generates truly random data. This is considerably slower however and can lock up your system. Also, you can do dd if=/dev/zero… after filling the drive with random data to make it look like random data was never written to the drive. It’s all up to you and how secure you want to be.

    2.) You should have your hdd partitioned already so let’s boot up the BT4 live cd. We need to load a kernel module.
    Code:
    modprobe aes-i586
    3.) Now we’re going to encrypt the partition. Make sure you double check the block device before running this command. EVERYTHING in the partition WILL BE DELETED. I don’t think I need to discuss how to choose a good passPHRASE here (phrase, not word). It's completely pointless to encrypt everything and then choose a simple password.
    Code:
    cryptsetup luksFormat /dev/sdXX
    If you are familiar with luks or want some more security, modify the above command to increase the key length, etc. I’m not going into that.
    If you also use a swap or separate home partition, make sure you run that command on each of those if you want them encrypted. Again, this will delete all data on the specified partition.

    4.) We now have our encrypted partitions set up, now we need to format them. Just fyi, an encrypted partition is like an empty container that holds a filesystem. This is why we need to format them.
    So first, let’s open it so we can read it.
    Code:
    cryptsetup luksOpen /dev/sdXX root
    The root at the end of that command is just the name I want to refer to the opened encrypted partition by. It can be anything you want and it can also be changed in your crypttab file (we’ll get to that soon).
    Now that the partition is open, let’s format it as ext3. (If anyone tries ext4, let me know how it goes, I’m curious to see if it works or not.)
    Code:
    # -j is already implied by mkfs.ext3; -O extent is an ext4 feature that the ext3 driver cannot mount,
    # but the installer reformats the volume again in step 5 anyway
    mkfs.ext3 -j -O extent /dev/mapper/root
    As you can see, the encrypted partition we just opened is located at /dev/mapper/root (or whatever you called it). Again, just fyi, -j specifies we want a journal and –O extent makes it faster or something, I’m not sure. Gparted used that command and it’s worked out for me so far.

    5.) So far so good. Now that everything is set up, run the BT installer and select /dev/mapper/root to be mounted as / and /dev/sdXX as /boot. Make sure you check the format box for /dev/mapper/root. Remember, we’re using ext3. When I was first trying this, it failed the installation if I did not tell it to format it again. I guess this kind of makes the previous step unnecessary but I feel it’s good practice to format it manually first.

    You will most likely receive a fatal error dealing with grub. Ignore it and exit the installer. We’ll fix this later.

    Just fyi, the reason I say to use the gui installer rather than doing a copy from the command line is simply that it would take more commands to fix what would get screwed up. However, for those that insist on installing their system via terminal, you can try the below commands. I have not tested these at all thus, I have no idea if they work or not. If you do it this way you may skip step six. Thanks to floyd for posting the basis of these commands.

    Code:
    mkdir /mnt/root
    mount /dev/mapper/root /mnt/root/
    # the boot partition is mounted inside the new root, so create the mount point there
    mkdir /mnt/root/boot/
    mount /dev/sdXX /mnt/root/boot
    # Note that we are copying from /rofs instead of /. This _should_ avoid problems with updating the initrd in step 10.
    cp --preserve -R /rofs/{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/root/
    mkdir /mnt/root/{media,mnt,tmp,proc,sys}
    chmod 1777 /mnt/root/tmp/
    mount -t proc proc /mnt/root/proc/
    mount -o bind /dev /mnt/root/dev/
    chroot /mnt/root/ /bin/bash
    6.) Other than the grub issue, hopefully the installer completed successfully. If so, stay in the live cd; we have some more work to do. Let’s mount our new BT system and chroot to it so we can make it boot.
    Code:
    mkdir /mnt/root
    mount /dev/mapper/root /mnt/root
    mount /dev/sdXX /mnt/root/boot
    chroot /mnt/root
    mount -t proc proc /proc
    mount -t sysfs sys /sys
    Good. We should have pivoted our root to our new BT system and mounted a few things to make it somewhat useable. If you had problems with this step, floyd has posted the following workaround.
    Code:
    mkdir /mnt/root
    mount /dev/mapper/root /mnt/root
    mount /dev/sdXX /mnt/root/boot
    mount -t proc proc /mnt/root/proc/
    mount -o bind /dev /mnt/root/dev/
    chroot /mnt/root
    From here you can run apt-get update if you want. Also, they should already be installed but just to make sure you can do an “apt-get install cryptsetup initramfs-tools”. You'll get errors later if they aren't installed.

    7.) Moving on, we need to edit our /etc/crypttab file. This file tells the initrd what partitions to open at boot so the system can mount them and use them.
    I’m going to stick with my root name for / here.
    Code:
    root     /dev/sdXX     none     luks
    That’s it. If you did any other encrypted partitions, add them in here. If not, let’s move on.

    8.) We now need to edit our /etc/fstab file. (I won’t explain this file, you should know.) Comment out whatever line is in there already for /. We also need to add a line for our boot partition. We want it to look like this…
    Code:
    /dev/mapper/root    /               ext3 relatime,errors=remount-ro      0 1
    /dev/sdXX        /boot    ext3    defaults    0 0
    9.) Almost done. We need to add a few kernel modules into the /etc/initramfs-tools/modules file. This tells what kernel modules we want loaded at boot. Add these lines to that file…
    Code:
    aes-i586
    sha256
    dm-mod
    dm-crypt
    I don't believe these are all necessary but it doesn't hurt to have them in there.

    10.) Update your initrd file to represent the changes we just made.
    Code:
    update-initramfs -k all -c
    I get an error when it tries to create an initrd file for kernel 2.6.29.3 but BT4 comes with 2.6.29.4 so as long as you get no errors on the initrd for 2.6.29.4 you should be good. It may take a few seconds to do this.

    11.) Let’s fix that grub error now.
    Code:
    cd /boot/grub/
    nano menu.lst
    You’re going to want to edit the BT entry to look like this…
    Code:
    title           BackTrack 4
    uuid          [enter uuid of boot partition here]
    kernel       /vmlinuz-2.6.29.4 root=/dev/mapper/root ro
    initrd         /initrd.img-2.6.29.4
    quiet
    You can find the UUID of your boot partition by running “blkid /dev/sdXX”. Note that since we have a separate boot partition all paths are relative to / instead of /boot.
    Now we install grub to the drive…
    Code:
    grub-install /dev/sdX
    Note on the grub-install command, the end /dev/sdX is the drive, not the boot partition (eg, /dev/sda, not /dev/sda1).
    If you receive the error "/dev/sdX does not have any corresponding BIOS devices" pivot back to the live cd and run this...
    Code:
    grub-install --root-directory=/mnt/root/ /dev/sdX
    Also note that I am using a slightly different set up on my system so I haven’t tested this step line by line personally; let me know if it doesn’t work exactly as I’ve written it. If you are doing a different setup, such as dual boot with another Linux distro, here’s your warning to watch very carefully what BT grub files you allow in your boot partition. You only need the kernel and the initrd file. I wasn’t paying attention to this and spent hours fixing grub errors that I had never encountered before.


    Alright. Pivot back to the live cd (type exit) and unmount /mnt/root/boot and /mnt/root and reboot. When BT starts it should ask you for a passphrase and continue booting. Good luck!


    I really don’t deserve credit for making this all work. I followed this guide from the Linux Mint forums and just made a few changes to get it working.

    My guide on encrypting a usb install of BT4 can be found here.

    I hope this helps someone. Any suggestions/feedback/corrections for this guide are very welcome. Also, if it doesn’t work, let me know, I’ll try my best to figure out why.

    -esc

  2. #2
    Just burned his ISO
    Join Date
    Dec 2008
    Posts
    6

    Default

    Interesting,
    I will try it soon.
    Thanks

  3. #3
    Member
    Join Date
    Jan 2010
    Posts
    332

    Default

    I really don’t deserve credit for making this all work.
    It's a nice effort nevertheless.
    Karma +1
    SecurityTube has two new sections. Questions & News

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    76

    Default

    Nice work. I'll be trying this tomorrow

  5. #5
    Member
    Join Date
    Jul 2007
    Posts
    104

    Default

    Thanks for the positive feedback. I'm interested in hearing if anyone else gets it working or not.

    I'm currently working on encrypting the live cd / usb version of BT4. As I'm trying this, it's slowly booting up on my netbook. If I get it working, I'll make another how to as the process is significantly different (it requires some initrd hacking). Another challenge is to encrypt the changes made to the usb version...

    EDIT: I have filesystem.squashfs encrypted and booting up. It seems like the boot time is slightly slower than its unencrypted counterpart (I'm talking about thirty seconds here). Changes are also working but those aren't encrypted yet. I'm trying different ways to encrypt them but keep getting kernel panics during boot. Again, I'll write a how to if/when I get it working.

  6. #6
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Encrypting all your data is cool and all but I have one little question:

    How does it affect performance? Is disk access notably slower?

    If disc access is the same speed, or within 3% of the same speed, I'd definitely get this going.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  7. #7
    Member
    Join Date
    Jul 2007
    Posts
    104

    Default

    Quote Originally Posted by Virchanza View Post
    Encrypting all your data is cool and all but I have one little question:

    How does it affect performance? Is disk access notably slower?

    If disc access is the same speed, or within 3% of the same speed, I'd definitely get this going.
    I've been running all my systems under luks-based full disk encryption for some time now. On my main desktop system I run compiz and play full HD videos at the same time as I have my typical twenty other Firefox, Nautilus and terminal windows open, and this all runs (noticeably) at the same speed as if it were unencrypted.

    As for BT, I haven't noticed any difference at all so far. But then again, I haven't compared john, aircrack, etc speeds with an unencrypted system yet (it's on my list). I would recommend trying this out on a spare drive or such and seeing if the performance is up to par for you. Encryption certainly makes disk access slower and increases cpu cycles; I'm interested in knowing if it's noticeable for anyone.

  8. #8
    Member floyd's Avatar
    Join Date
    Mar 2009
    Posts
    231

    Default

    Quote Originally Posted by ESC201 View Post
    Thanks for the positive feedback. I'm interested in hearing if anyone else gets it working or not.
    Thanks for the tutorial, it's great.

    I tried it and added an encrypted swap partition. I know there is the possibility to type in the password only once (and not for root partition and swap partition). But it didn't work for me and i was too lazy to try again, so I have to type it in twice now. I think the difference is I have 2 encrypted containers (real partitions) and not 1 encrypted container with 2 partitions.

    I don't have time to fix it this week and didn't put in much effort, but on my first try I couldn't start kde and the root partition was mounted read only. And as usual there is the modules.dep issue.

    Yes I was a lazy bastard last week, hopefully I can fix these things next week and give some more feedback
    Auswaertsspiel

  9. #9
    Member
    Join Date
    Jul 2007
    Posts
    104

    Default

    Quote Originally Posted by floyd View Post
    Thanks for the tutorial, it's great.

    I tried it and added an encrypted swap partition. I know there is the possibility to type in the password only once (and not for root partition and swap partition). But it didn't work for me and i was too lazy to try again, so I have to type it in twice now. I think the difference is I have 2 encrypted containers (real partitions) and not 1 encrypted container with 2 partitions.

    I don't have time to fix it this week and didn't put in much effort, but on my first try I couldn't start kde and the root partition was mounted read only. And as usual there is the modules.dep issue.

    Yes I was a lazy bastard last week hopefully I can fix these things next week and give some more feedback
    One of the pitfalls with encrypting multiple drives/partitions is that you need to enter the password for each of them at boot even it is the same for all of them. (Someone once told me you could circumvent this and only be required to enter it once by using an LVM but I've never investigated that.)

    As for encrypting a swap partition, you could use a keyfile to auto-mount it. Nothing is saved in it so it doesn't pose a security risk. A quick, example crypttab file I just typed up can be seen below.

    Code:
    # name to give opened partition    partition block device      key file    encryption type
    root                             /dev/sda1               /home/user/key.file    luks
    This guide can explain how to set up an encrypted swap much better than I could.

    As for it not working for you, a good place to start troubleshooting would be to post your crypttab and fstab files. I might be able to help.



    If anyone is following my updates with encrypting the live cd / usb version of BT4, I've figured out how to encrypt the filesystem.squashfs file and the changes partition so it is still persistent. I have a few more things to test out and I need to go back and clean up the code I put in the initrd then I'll write a how to for it. I have yet to hear anyone express any interest in this so it isn't at the top of my priority list; I'm just taking my time.
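    Added example, not code from the original thread or from the BackTrack project: a POSIX shell script that cross-checks the three files steps 7, 8 and 11 of the first post edit by hand (crypttab, fstab and the grub menu.lst) before you reboot, and that also flags the crypttab shape from the post above when it is applied to the root mapping, because a key file stored on / cannot be read by the initrd before / has been unlocked. The device names /dev/sda1 (boot) and /dev/sda2 (LUKS root) in the built-in samples are assumptions; the three file paths are arguments so the same check can be pointed at the chroot.

```shell
#!/bin/sh
# Added example (not from the original thread). Consistency check for the
# hand-edited boot configuration of a LUKS root. Each check corresponds to a
# mistake that leaves the box unbootable or silently unencrypted:
#   1. every crypttab mapping is mounted as /dev/mapper/<name> in fstab
#   2. the LUKS backing device is not *also* mounted raw in fstab
#      (the old "/" line the guide tells you to comment out)
#   3. the kernel line's root= names a mapping that crypttab opens
#   4. the root mapping is unlocked with a passphrase ("none"), not a key
#      file, since the initrd cannot read a file that lives on the locked /

in_col1() {  # in_col1 FILE VALUE -> true if a non-comment line has $1 == VALUE
    awk -v v="$2" '!/^#/ && $1==v {f=1} END {exit f ? 0 : 1}' "$1"
}

check_crypt_config() {  # check_crypt_config CRYPTTAB FSTAB MENU_LST ; 0 = consistent
    crypttab=$1; fstab=$2; menulst=$3; status=0
    for name in $(awk '!/^#/ && NF>=4 {print $1}' "$crypttab"); do
        src=$(awk -v n="$name" '!/^#/ && $1==n {print $2; exit}' "$crypttab")
        in_col1 "$fstab" "/dev/mapper/$name" ||
            { echo "fstab: nothing mounts /dev/mapper/$name" >&2; status=1; }
        if in_col1 "$fstab" "$src"; then
            echo "fstab: $src is mounted raw but is the LUKS device behind '$name'" >&2; status=1
        fi
    done
    rootarg=$(awk '$1=="kernel" {for (i=2;i<=NF;i++) if ($i ~ /^root=/) {sub(/^root=/,"",$i); print $i; exit}}' "$menulst")
    case "$rootarg" in
        /dev/mapper/*)
            name=${rootarg#/dev/mapper/}
            if in_col1 "$crypttab" "$name"; then
                key=$(awk -v n="$name" '!/^#/ && $1==n {print $3; exit}' "$crypttab")
                [ "$key" = none ] ||
                    { echo "crypttab: root mapping '$name' uses key file $key, which is stored on the volume it unlocks" >&2; status=1; }
            else
                echo "menu.lst: root=$rootarg but crypttab opens no mapping named '$name'" >&2; status=1
            fi ;;
        *)  echo "menu.lst: root=$rootarg is not a /dev/mapper device; the initrd will never unlock it" >&2; status=1 ;;
    esac
    return $status
}

# Constructed sample configs (assumed layout: /dev/sda1 = /boot, /dev/sda2 = LUKS root).
write_sample() {  # write_sample DIR good|stale_fstab|keyfile_root
    cryptline='root /dev/sda2 none luks'
    rootarg=/dev/mapper/root
    extra_fstab=''
    case "$2" in
        stale_fstab)  extra_fstab='/dev/sda2 / ext3 defaults 0 1'; rootarg=/dev/sda2 ;;  # step 8/11 forgotten
        keyfile_root) cryptline='root /dev/sda2 /home/user/key.file luks' ;;             # key file on / itself
    esac
    printf '%s\n' "$cryptline" > "$1/crypttab"
    printf '%s\n' '/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1' \
                  '/dev/sda1 /boot ext3 defaults 0 0' ${extra_fstab:+"$extra_fstab"} > "$1/fstab"
    printf '%s\n' 'title BackTrack 4' 'uuid 0000-0000' \
        "kernel /vmlinuz-2.6.29.4 root=$rootarg ro" 'initrd /initrd.img-2.6.29.4' > "$1/menu.lst"
}

run_demo() {  # run_demo good|stale_fstab|keyfile_root -> exit status of the check
    d=$(mktemp -d) || return 2
    write_sample "$d" "$1"
    check_crypt_config "$d/crypttab" "$d/fstab" "$d/menu.lst"; rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone: three paths check real files, no arguments runs the built-in samples.
if [ $# -eq 3 ]; then
    check_crypt_config "$1" "$2" "$3"
else
    for s in good stale_fstab keyfile_root; do
        if run_demo "$s"; then echo "$s: consistent"; else echo "$s: INCONSISTENT"; fi
    done
fi
```

    Run it from the live cd before leaving the chroot, e.g. `sh check.sh /mnt/root/etc/crypttab /mnt/root/etc/fstab /mnt/root/boot/grub/menu.lst`; a non-zero exit with a message on stderr is the mismatch to fix before rebooting. A swap entry unlocked from /dev/urandom is not flagged because only the mapping named by root= is held to the passphrase rule.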

  10. #10
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    1

    Default

    Quote Originally Posted by ESC201 View Post
    If anyone is following my updates with encrypting the live cd / usb version of BT4, I've figured out how to encrypt the filesystem.squashfs file and the changes partition so it is still persistent. I have a few more things to test out and I need to go back and clean up the code I put in the initrd then I'll write a how to for it. I have yet to hear anyone express any interest in this so it isn't at the top of my priority list; I'm just taking my time.
    Thanks for the great tutorial. And I am definitely interested in your USB how-to once you've got the wrinkles ironed out.

