BT5 R3; Encrypted HDD

Tools and Supplies

  • HDD – Backtrack Install Target
  • Backtrack 5 Live Disk/USB (DVD or USB +8GB)
  • Working internet connection once Backtrack 5 is booted.

Disclaimer: Most of this is adapted from Kevin over at www.infosecramblings.com and has been adjusted for an HDD install, with a few changes and additions that I found he was missing. Everything is shared under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

For my tests, I used the 32-bit Gnome build Backtrack 5 r3. I have not tested this how-to with all versions of Backtrack 5, but they should all behave similarly with the possible exception of the ARM build. I have no experience with Backtrack on that platform.

This tutorial is based on booting Backtrack 5 first. That means that you need some form of bootable Backtrack media. It can be a virtual machine, DVD, or USB drive. Use your favorite method of creating a DVD or USB drive, or use UNetBootin to create the thumb drive. Below is a screenshot of using UNetBootin to install Backtrack on a USB drive.

UNetBootin_01


The USB drive should be wiped and formatted as FAT32. UNetBootin doesn't tell you whether it worked or not. What it will do, however, is get a little past 39% done and then take what seems like forever to copy the filesystem.squashfs part; that is how you know it's working. Otherwise it will act like it is done in 5 seconds and lie to you, telling you it's ready.

UNetBootin_02

It is as simple as selecting the image we want to write to the USB drive, the drive to write it to, and then clicking the ‘OK’ button.

Warning: Make sure you pick the correct destination drive. You don’t want to shoot yourself in the foot. 

Partitioning

The first step is partitioning the target drive. Boot up Backtrack from your DVD or USB drive. If you boot with the default menu item "Backtrack Text", you will not need to start networking, as it will have started automatically. You can verify that networking is up and running by executing:

ifconfig

and checking that your interface is up and has an IP address assigned. If networking isn't configured, the following command will start it.

/etc/init.d/networking start

We do need to start the graphical interface, but I found it's helpful to boot to a terminal and keep using it, as even under X Backtrack will dump errors into this session. That can be a lot of errors if you have really bad USB drives, like my netbook.

startx

We will also need to figure out which drive is our target drive. The following command lists the drives and partitions the system can see; identify the target from its size and model, and double-check that it is not the live USB stick you booted from. Open a terminal window and execute the following.

fdisk -l

We need to partition the target drive as follows:

The first partition is a primary partition, 500 MB in size, with partition type 83 (Linux). This is the unencrypted /boot partition that holds the kernel, the initrd and the bootloader files, so it cannot live inside the encrypted volume; the installer formats it as ext4 later. Also remember to mark this partition active (bootable) when you create it, otherwise you may have boot problems.

The rest of the drive should be configured as an extended partition with one logical partition (/dev/sda5 below) created inside it. That logical partition becomes the LUKS container that holds the LVM root volume.

Below are the steps to take to get the drive partitioned. A '# blah blah' line is a comment and is not part of the command; whatever follows an fdisk prompt is what you type. Note that we will need to delete any existing partitions on the drive first, and there may be more than one. Also, the cylinder numbers below are specific to my test machine; yours may be different.

fdisk /dev/sda # use the appropriate drive letter for your system

# delete existing partitions. Repeat for each one that is listed.
Command (m for help): d
Partition number (1-4): 1

# create the first partition
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-2022, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2022, default 2022): +500M

# create the extended partition
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (66-2022, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-2022, default 2022): <enter>
Using default value 2022

# create the logical partition
Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (66-2022, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-2022, default 2022): <enter>
Using default value 2022

# set the partition type of the first partition to 83 (Linux).
# This is the MBR partition type, not the filesystem; ext4 is chosen in the installer.
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): 83

# set the first partition active (bootable)
Command (m for help): a
Partition number (1-4): 1

# write the table to disk and exit
Command (m for help): w

If you happen to get an error that mentions something like "..the partition table failed with error 16:...", you need to reboot before continuing with the how-to. After rebooting, you will need to re-execute the Partitioning section of this tutorial.

If you happen to get an error that mentions something like "..the partition table failed with error 22:...", you can run partprobe to make the kernel re-read the partition table. At least, this worked in my case. Either way, run fdisk -l again and confirm that /dev/sda1, /dev/sda2 and /dev/sda5 exist before going on.
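The same partitioning, scripted, as an added example that is not part of the original post: it feeds the keystrokes from the session above to fdisk non-interactively, and first checks /proc/mounts so it cannot be pointed at the disk the live system is running from (the "shoot yourself in the foot" case from the warning above). It assumes an MBR ("DOS") disk label and the prompt order of the fdisk that ships with Backtrack 5; the script name, the CONFIRM variable and the dry-run behaviour are this example's own, not the tutorial's.

```shell
#!/bin/sh
# Added example (not from the original post): the fdisk session above,
# driven non-interactively, with the one check that stops you wiping the
# disk you booted from. Assumes an MBR/"DOS" disk label and the prompt
# order of the util-linux fdisk shipped with Backtrack 5; newer fdisk asks
# slightly different questions, so always review the dry run first.

# Keystrokes for fdisk, one per line: a bootable primary partition of
# type 83 (Linux) for /boot, an extended partition over the rest of the
# disk, and one logical partition (sda5) inside it for the LUKS container.
# 'o' starts from an empty partition table instead of deleting the old
# partitions one at a time with 'd' as the interactive session does.
fdisk_script() {
    bootsize="${1:-+500M}"
    printf '%s\n' \
        o \
        n p 1 '' "$bootsize" \
        n e 2 '' '' \
        n l '' '' \
        t 1 83 \
        a 1 \
        w
}

# True (exit 0) when the device or one of its partitions appears as a
# mounted source in the given /proc/mounts text. Partitioning a disk that
# is in use (the live USB stick, the host you work on) is not recoverable.
device_in_use() {
    dev="$1"
    mounts="$2"
    printf '%s\n' "$mounts" |
        awk -v d="$dev" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
                         END { exit found ? 0 : 1 }'
}

# Partition the target. Without CONFIRM=yes it only prints the keystrokes.
partition_disk() {
    dev="$1"
    bootsize="${2:-+500M}"
    if device_in_use "$dev" "$(cat /proc/mounts)"; then
        echo "refusing: $dev has mounted partitions" >&2
        return 1
    fi
    if [ "${CONFIRM:-}" != yes ]; then
        echo "dry run; keystrokes that would be fed to fdisk $dev:"
        fdisk_script "$bootsize"
        return 0
    fi
    fdisk_script "$bootsize" | fdisk "$dev"
    # Re-read the table (the "error 22" case above) and show the result.
    partprobe "$dev"
    fdisk -l "$dev"
}

# Usage: CONFIRM=yes sh partition.sh /dev/sda [+500M]
if [ "$#" -gt 0 ]; then
    partition_disk "$@"
fi
```

Run it once without CONFIRM=yes and compare the printed keystrokes against the prompts your fdisk actually shows; a newer util-linux fdisk, for instance, asks whether to remove existing filesystem signatures, which this sequence does not answer.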

It is now time to install a couple of additional packages that we need for LVM and encryption. First update the package lists, then install hashalot (which pulls in cryptsetup as a dependency; see the apt-mark note at the end). Output has been omitted.

apt-get update
apt-get install hashalot

Our next step is to enable encryption on the logical partition we created above and make it available for use. Before we do that, though, there is an optional step we can take if we want to make sure no one can tell where our data is on the drive. It isn't strictly necessary, since anything written will be encrypted, but if we want to be thorough and make sure no one can see how much of the drive holds data, we can fill the logical partition with random data before enabling encryption on it. This will take some time, as much as a couple of hours or more. Execute the following command:

dd if=/dev/urandom of=/dev/sda5 & pid=$!

Then use the following to make dd print its progress and write speed (the report goes to dd's stderr, i.e. the terminal you started it in):

kill -USR1 $pid

To do my full 250GB HDD, it was going to take 24 hours. I let it go overnight, it got to 150GB, then I just killed the process and continued on with my life.

kill $pid
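The pre-fill with a timed progress report, as an added example that is not from the original post. It wraps the dd and kill -USR1 commands above in one function, so you get a throughput line every INTERVAL seconds without typing it by hand; the function name, the INTERVAL argument and the trial run on /dev/null are this example's own, while the device and the dd invocation are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): the dd pre-fill above, with
# the kill -USR1 progress poke sent on a timer instead of by hand.
# Linux dd prints records copied and throughput on SIGUSR1 (BSD/macOS dd
# listens for SIGINFO instead). Device and bs= are the ones in the text.

# wipe_with_progress OUT INTERVAL [extra dd args...]
# Fill OUT from /dev/urandom, printing a progress line every INTERVAL
# seconds. Extra arguments go straight to dd; count=N limits the run,
# which is how the trial below does a short run against /dev/null.
wipe_with_progress() {
    out="$1"
    interval="$2"
    shift 2
    dd if=/dev/urandom of="$out" bs=1M "$@" 2>&1 &
    pid=$!
    # Poke dd until it is gone. Once the wait below has reaped it the kill
    # fails and the loop ends; polling with kill -0 would not work here,
    # because a finished but not-yet-reaped dd still answers kill -0.
    ( while sleep "$interval"; do kill -USR1 "$pid" 2>/dev/null || exit 0; done ) >/dev/null 2>&1 &
    poker=$!
    # Background jobs in a script ignore Ctrl-C, so forward it to dd.
    # Stopping early (as the author did at 150 GB) just leaves the tail
    # of the partition unfilled; luksFormat works on it regardless.
    trap 'kill "$pid" "$poker" 2>/dev/null; exit 130' INT
    status=0
    wait "$pid" || status=$?
    trap - INT
    kill "$poker" 2>/dev/null || true
    return "$status"
}

# Usage: wipe_with_progress /dev/sda5 300        (a report every 5 minutes)
# Trial: wipe_with_progress /dev/null 1 count=8  (8 MiB, finishes at once)
if [ "$#" -gt 0 ]; then
    wipe_with_progress "$@"
fi
```

The first progress line also tells you the real write rate, so you can decide up front whether the full fill is worth the wait. If it is not, a faster way to the same end is to run luksFormat and luksOpen first and then write zeros to /dev/mapper/pvcrypt: the ciphertext that lands on disk is indistinguishable from random, and the job runs at AES speed instead of being throttled by /dev/urandom.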

The following commands will set up encryption on the partition and open it for use. There are several ciphers that can be used; the one in the command is the one the original tutorial recommended as the most secure and quickest for Ubuntu 8.10. aes-xts-plain with --key-size 512 is AES-256 in XTS mode (XTS splits the 512-bit key into a 256-bit data key and a 256-bit tweak key). One caveat: the plain IV mode uses 32-bit sector numbers, so it is only safe for volumes under 2 TiB; for larger drives use aes-xts-plain64, which newer cryptsetup versions default to. For a 250 GB disk either is fine. The -y flag asks for the passphrase twice, and note that the case of the command luksFormat matters.

cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

WARNING! ======== This will overwrite data on /dev/sda5 irrevocably. Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter passphrase) [type passphrase]
Verify passphrase: (repeat passphrase) [type passphase]

Command successful.
cryptsetup luksOpen /dev/sda5 pvcrypt
Enter LUKS passphrase: [type passphrase]
key slot 0 unlocked. Command successful.

If you should happen to get a “cannot access device” error when trying to perform the cryptsetup setup commands above, make sure the drive has not been mounted. That can happen sometimes. Now that that’s all done, we can create our root and swap partitions using LVM.

pvcreate /dev/mapper/pvcrypt
Physical volume "/dev/mapper/pvcrypt" successfully created
vgcreate vg /dev/mapper/pvcrypt
Volume group "vg" successfully created

lvcreate -n root -l 100%FREE vg
Logical volume "root" created

The final step is to format the logical volume we just created. I have not included the output below for brevity's sake.

mkfs.ext4 /dev/mapper/vg-root

Installation

Believe it or not, we are finally ready to start installing Backtrack. To do so, double-click on the install.sh icon on the desktop. This will start the graphical installer.

Select your language of choice and click the 'Forward' button.

The next step is to select our keyboard layout. Pick yours and click the ‘Forward’ button. I cannot vouch for any keyboard layout other than English.

Click on ‘Specify partitions manually’ and click the ‘Forward’ button.

Install4

We are now going to set the mount points for our partitions. First let's set up our root partition. Click on the row with vg-root in it and click the 'Change' button.

Install5

Select ext4 from the dropdown menu for ‘Use as:’, click ‘Format the partition:’, enter ‘/’ without the quotes for the mount point and click the ‘OK’ button. The system will re-read the partition table and redisplay it.

Install6

Now for the boot partition. Click the row with your boot partition in it (/dev/sdb1 in my case; it is the 500 MB primary partition from the fdisk session, /dev/sda1 if your drive letter matches the one above) and click the 'Change' button.

Install7

Again, select ext4 and click the format checkbox. Enter ‘/boot’ without the quotes for the mount point and click the ‘OK’ button. The disk partition will be re-read and the display updated.

Install8

Click the ‘Forward’ button.

Install9

You will get this message because we have not created a swap partition; swap is added later as a file inside the encrypted volume. Click the 'Continue' button.

Install10

WARNING: You must click on the advanced tab on the next page and select your target drive as the device for installing the boot loader. If you leave the default, the installer writes GRUB to the first disk it sees, which may be the machine you are doing this on, and you will break its boot.

Install11

Don't forget! Make sure you select the target disk for your install as the device for the boot loader, or you run the risk of making the system you are doing this on non-bootable. Then click on the 'OK' button.

Install12

This will take some time. Go get a coke or beverage of your choice and relax for a bit. More waiting. And... more waiting. If it seems like the system is stuck at 99% forever, that's normal, at least in every case where I have done the install.

Install14

Finally! Important! Click on the ‘Continue Testing’ button. DO NOT click on the ‘Restart Now’ button or you have to redo a bunch of stuff.

Install16

We have now installed the main distribution to our target drive. The next step is to configure the newly installed system to use LVM and open the encrypted partition. Before we do that, we need to find the UUID of our encrypted volume, so that we don't run into problems if the device name of the drive changes from machine to machine (or when another disk is plugged in). The command we used to use for this was vol_id; that has changed with Backtrack 5, and we now use blkid. Execute blkid as below.

blkid /dev/sda5
/dev/sda5: UUID="2c133ec5-2eb2-4261-b8ee-5f6924b24ee4" TYPE="crypto_LUKS"

Make a note of the UUID value (blkid labels it UUID=; vol_id used to call it ID_FS_UUID). We will need it later. Note: your output will be different than mine, and TYPE must read crypto_LUKS; if it shows a filesystem type you are looking at the wrong device. Now it is time to configure our newly installed system. The first thing we have to do is make the newly installed system active so we can make changes to it. We do that by mounting the partitions and chrooting into it.

mkdir /mnt/backtrack5
mount /dev/mapper/vg-root /mnt/backtrack5
mount /dev/sda1 /mnt/backtrack5/boot
chroot /mnt/backtrack5
mount -t proc proc /proc
mount -t sysfs sys /sys

To make everything truly operational we could also mount /dev/pts, but every time I try I have problems unless I reboot first. That is a real pain, so I just don't mount /dev/pts. We will get a couple of warnings/errors as we go along, but they do not affect our install. The magic to making all this work is rebuilding the initrd image that is used to boot our system: it needs to include the cryptsetup and LVM tools, load the right modules, and open the encrypted volume. Before that, though, we have to install the software again, because the earlier apt-get ran in the live environment, not in the system we just installed, and the chroot only sees the target's packages. Do the following again.

apt-get update
apt-get install hashalot

The next step is to configure how initramfs-tools will create our initrd file. This involves editing one file, /etc/crypttab. Follow the directions below to correct it. I use the vi editor, but you can use your favorite editor.

vi /etc/crypttab

We need to add the following line to the file. If you are new to vi, hit the o key and the type the following:

pvcrypt      /dev/disk/by-uuid/<uuid from above>         none         luks

When you are done typing that line, hit the esc key and then type ‘:wq’ without the quotes to save and exit vi. The file should look like this. The uuid is unique to my case. Make sure yours matches your system.

# <target device>   <source device>   <key file>   <options>
pvcrypt      /dev/disk/by-uuid/09330b5a-5659-4efd-8e9d-0abc404c5162    none         luks
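Generating the crypttab entry from the blkid output instead of copying the UUID by hand, as an added example that is not from the original post. It refuses a device whose blkid TYPE is not crypto_LUKS, appends the line only if pvcrypt is not already in the file, and then runs the initrd rebuild the chroot step needs; the function names are this example's own, while the device, the mapping name pvcrypt and the crypttab layout are the ones used above. Run it inside the chroot.

```shell
#!/bin/sh
# Added example (not from the original post): turn the blkid line into the
# /etc/crypttab entry, refusing anything that is not a LUKS header, and
# append it only if it is not already there. Run inside the chroot, then
# the initrd is rebuilt. Device, mapping name and file path are the ones
# used in the text; the function names are this example's own.

# Extract the UUID from one line of blkid output, but only when blkid
# says the device carries a LUKS header (TYPE="crypto_LUKS"). Pointing
# crypttab at the wrong UUID leaves you at an initramfs prompt on boot.
luks_uuid() {
    printf '%s\n' "$1" | awk '
        /TYPE="crypto_LUKS"/ && match($0, /UUID="[^"]*"/) {
            print substr($0, RSTART + 6, RLENGTH - 7); found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Render the crypttab line: <target device> <source device> <key file> <options>
crypttab_line() {
    printf '%s\t/dev/disk/by-uuid/%s\tnone\tluks\n' "$1" "$2"
}

# Append the mapping to the crypttab file unless a line for that target
# already exists (re-running the tutorial must not produce duplicates).
crypttab_add() {
    name="$1"
    uuid="$2"
    file="${3:-/etc/crypttab}"
    if [ -f "$file" ] && awk -v n="$name" '$1 == n { hit = 1 } END { exit hit ? 0 : 1 }' "$file"; then
        return 0
    fi
    crypttab_line "$name" "$uuid" >> "$file"
}

# Wire it together for the tutorial's device and mapping name, then
# rebuild the initrd so the boot-time scripts know about pvcrypt.
setup_crypttab() {
    dev="${1:-/dev/sda5}"
    uuid="$(luks_uuid "$(blkid "$dev")")" || {
        echo "$dev does not carry a LUKS header; not touching crypttab" >&2
        return 1
    }
    crypttab_add pvcrypt "$uuid"
    update-initramfs -u
}

# Usage (inside the chroot): sh crypttab.sh /dev/sda5
if [ "$#" -gt 0 ]; then
    setup_crypttab "$@"
fi
```

After it runs, cat /etc/crypttab should show exactly one pvcrypt line, with the same UUID that blkid printed, before you leave the chroot.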

Ok, with all of that you are now mostly done. Two things remain before you reboot: rebuild the initrd so that it picks up the new crypttab entry (update-initramfs -u, run inside the chroot; this is the rebuild described above, and the same command appears again in the patch step below), then exit the chroot. There are a few more things we will do to make your life easier and better, but first reboot onto your fresh install and make sure everything is kosher. If the boot stops at an initramfs prompt complaining that the root device does not exist, the UUID in /etc/crypttab is the first thing to check.

Fixing the Passphrase Entry Bug

If you would like to do it the manual way, see the original tutorial.

Warning: You can make your system unbootable if the cryptroot script gets corrupted. The patch is fetched over plain HTTP, so read it before applying it (it is a plain-text diff against the cryptroot script) and keep a copy of the unpatched /usr/share/initramfs-tools/scripts/local-top/cryptroot so you can put it back. The patch command modifies that script in place, and update-initramfs -u then rebuilds the initrd with the patched copy.

cd ~
wget http://www.infosecramblings.com/cryptroot.patch
patch -u /usr/share/initramfs-tools/scripts/local-top/cryptroot ./cryptroot.patch
update-initramfs -u

Fixing the Auto-Remove Suicide Button


Note: I do not use aptitude. While aptitude safe-upgrade will do the same thing, this is a fix for the use of apt-get, and I do not know how it will affect aptitude.

When you installed everything we needed for the crypto, it installed some dependencies that are marked as automatically installed, which means that apt-get autoremove (or anything fancy) will remove them. And you NEED them to boot. The following commands mark them as manually installed, so they are kept whenever you change things.

apt-mark unmarkauto cryptsetup
apt-mark unmarkauto ecryptfs-utils
apt-mark unmarkauto keyutils


Adding Swap Space


As you have most likely noticed by now, things tend to run a bit slow. This is because we installed the OS without any swap space. A swap partition normally isn't encrypted and data could be pulled from it, so we add swap as a file inside our encrypted volume instead. Because the file lives on vg-root, which sits inside the LUKS container, everything paged out to it is encrypted too; the 0600 mode keeps other users from reading it while the system is running.

dd if=/dev/zero of=/swapfile1 bs=1M count=8192
# count=8192 blocks of 1M is 8 GB
mkswap /swapfile1
chown root:root /swapfile1
chmod 0600 /swapfile1
swapon /swapfile1

Then add the following line to /etc/fstab (nano /etc/fstab) so the swap file is activated on every boot; swapon -s shows it once it is active:

/swapfile1 swap swap defaults 0 0

Then reboot the system.


Editors note: Weirdly my template does not show authors of a post, this guest post is brought to you by sirwolfgang.
