Full HD encryption with Luks and LVM

[Ulrick13]

Hello,

Is there any guide or plan to guide on how to install BT4 final with full HD encryption ?

I tried to follow an older "how to" made for BT4-beta BT4 Encrypted HDD install using LUKS and LVM - Remote Exploit Forums

but something is wrong as when i finish my "root' partition in only accessible in read only.

So, would any one have already perform such full HD encryption on BT4 final and would like to share its method ? or would anyone have an idea on how could my root partition only seen as "read-only" partition.

Thanks a lot in advance
Ulrick

[brtw2003]

hi,

if you play around with full-hard disk encryption be very carefully and only do it if you are absolutely sure
what you are doing; at least if you are trying to do it on your 'productive' bt4!

In many cases it's much better to use container-based encryption, like using truecrypt (containers are
exchangeable with all known OS !) and easy to backup&restore.

Especially for customer pentest engagements, I'd recommend container-based encryption to protect
sensitive data.

/brtw2003

[Ulrick13]

hi,

Especially for customer pentest engagements, I'd recommend container-based encryption to protect
sensitive data.

/brtw2003

Hello,
Thanks for the reply and i also use truecrypt for shared partitions (between other Linux and Windows(safeboot))

My problem with only using container-based encryption for my pentests are that i have the bad feeling of leaving un-protected traces of the pentest behind me ... for example, the various logs, Nessus temp files/profiles, screenshots, temp files,... i know it would be possible to clear everything behind each time, but it's seems to me kind of time-cousuming when they could be protected always with the full disk encryption solution.

[brtw2003]

hi,

you are absolutely right, therefore I always use one log directory for all my tools I use during
the pentest - of course this one is also in the crypted container.

In my case I always use some global shell variables to export my default logdir and any tool
with an optional log paramater I point to this directory; anything terminal related I redirect
with tee to this log folder.

Anything left in temp folders is far away from 'sensitive data'.

If you do a serious Pentest, you have to provide all your file (incl. logs) to your client anyway,
therefore much easier to setup a proper environment (one destination folder) in the first phase.
I also can highly recommend to use dradis as THE documentation frontend through your pentest - just awesome!

Another recommendation if you use a persistent BT4 installation, is to create a custom folder
in /opt/ where you have some structured folders with any custom tools you've developed
or any additional tools I compiled manually. First you can easiely setup a complete BT4 backup/restore and
also nothting will be overwritten during any repo updates you perform through apt.

I use unison to keep my customer folders under /opt synchronized with my NAS.


/brtw2003

[Ulrick13]

Thanks for the advices, i will take a closer look at some of them (such as Dradis which i'm never used so far).

Otherwise, for those interested by the full HD encryption with Luks and LVM, i find that this "how to" for the USB full encryption solution also works for the HD install, so give it a try if you want:
Backtrack 4 – Bootable USB Thumb Drive with “Full” Disk Encryption | Infosec Ramblings

Regards