Ed Wiget Dot Name

infosec, information security, digital forensics, hacking, system administration, linux blog

Administration: Backtrack 5R1 Full Disk Encryption (install to hard drive)


I have set up many laptops and netbooks with Linux and have always used either full-disk encryption or an encrypted home directory. It's really easy to do, and ANY laptop/netbook/tablet/pad/whatever-comes-next mobile device should be encrypted. I won't get into the mechanics of why; just do it. The last article I wrote about this is no longer online (Maysville Linux Users Group, circa 2007), and it was much harder to accomplish back then, often requiring custom kernels to be compiled. Backtrack has "nearly" everything it takes right on the live CD.

Prerequisites

  1. A laptop
  2. Bootable media (Backtrack on a USB stick or CD-ROM, or some other live distro)
  3. An internet connection (Backtrack's only extra requirement is to download two packages)

On this new laptop I don't care about the Windows install, because I am simply going to blow it away. I don't use Windows, so there is no point in it taking up space. (Really, this is my employer's laptop; I swapped the OEM hard drive for a spare 500GB drive I had. The OEM drive is 160GB at 7200 rpm and mine is 500GB at 5400 rpm: slower, yes, but it holds a lot more data, and I need the space.)

If you are dual booting with Windows you will need to modify this tutorial: it assumes you are wiping all data and installing on a blank drive.

Boot the Backtrack CD-ROM/USB stick. After it boots you should be sitting at a root shell. First, make sure networking is up. If you are on a wired network, just issue the command:

[codesyntax lang=”bash” lines=”no”]

ifconfig

[/codesyntax]

Mine shows:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:26:55:40:7a:2e
          inet addr:10.10.10.13  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::226:55ff:fe40:7a2e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:346869 errors:0 dropped:0 overruns:0 frame:0
          TX packets:294530 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:387443792 (387.4 MB)  TX bytes:115635797 (115.6 MB)
          Interrupt:45 Base address:0x2000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:938339 (938.3 KB)  TX bytes:938339 (938.3 KB)

wlan0     Link encap:Ethernet  HWaddr 00:26:82:23:23:81
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[/codesyntax]

If you are on a wireless network that uses WPA, here are some tips and what I usually do:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

ifconfig wlan0 up                 # the interface must be up before it can scan
iwlist wlan0 scan | grep ESSID    # shows the ESSIDs of nearby access points if you don't know the name of yours
wpa_passphrase ESSID YOUR_WIRELESS_PASS > /etc/wpa_supplicant/temp.txt   # writes a wpa_supplicant config for that network
wpa_supplicant -B -iwlan0 -c/etc/wpa_supplicant/temp.txt   # start wpa_supplicant in the background (-B) using that file
ifconfig wlan0                    # check whether we already have an IP address
dhclient wlan0                    # if there is no IP address, get one with DHCP (skip if there was one)
ping -c 3 google.com              # confirm we can reach the internet
rm /etc/wpa_supplicant/temp.txt   # the file contains the plaintext passphrase as a comment; remove it when done

[/codesyntax]

Or if you are connecting to a WEP network (WEP is trivially crackable, so treat this as no better than an open network):

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

ifconfig wlan0 up
iwconfig wlan0 essid "insertSSIDhere" key s:insert_password_here

[/codesyntax]

And if none of the above work, try wicd-curses or wicd-cli (not included by default; they must have been downloaded beforehand).

So, assuming we now have a network connection, let's download the two packages Backtrack needs for this:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

apt-get update
apt-get install hashalot lvm2

[/codesyntax]

Once that is done, let's repartition the hard drive. On this laptop the first drive is /dev/sda. You can find yours by looking for sd or hd devices in dmesg:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

dmesg | egrep 'sd.|hd.'

[/codesyntax]

Mine shows:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

dmesg | egrep 'sd.|hd.'
[    4.242404] sd 2:0:0:0: Attached scsi generic sg0 type 0
[    4.243156] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/465 GiB)
[    4.243661] sd 2:0:0:0: [sda] Write Protect is off
[    4.243664] sd 2:0:0:0: [sda] Mode Sense: 2d 08 00 00
[    4.243666] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.244911] sd 2:0:0:0: [sda] Assuming drive cache: write through
[    4.245544]  sda: sda1

[/codesyntax]

So it shows the drive as sda, and it currently has one partition, sda1 (with an old install of Linux).

Next we delete any partitions on the drive (THIS WILL DELETE ALL THE DATA ON THE DRIVE!) and create a small partition that will hold /boot, with the remainder becoming our encrypted partition containing everything else. /boot cannot live inside the encrypted volume with this setup: the boot loader and kernel have to be readable before the passphrase is entered. The cylinder prompts below are from the fdisk of that era; a newer fdisk asks for sectors instead but accepts the same +500M shorthand.

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

# use the appropriate drive letter for your system
fdisk /dev/sda

# delete existing partitions.  There may be more than one; make sure you delete all of them
Command (m for help): d
Partition number (1-4): 1

# create the first (primary) partition, which will become /boot
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-60801, default 60801): +500M

# create the extended partition covering the rest of the disk
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (66-60801, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
Using default value 60801

# create the logical partition inside it; this becomes /dev/sda5, the partition we will encrypt
Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (66-60801, default 66): <enter>
Using default value 66
Last cylinder, +cylinders or +size{K,M,G} (66-60801, default 60801): <enter>
Using default value 60801

# set the type of the first partition to 83 (Linux; this is already the default,
# and the actual filesystem is chosen later in the installer)
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): 83

# mark the first partition bootable (active)
Command (m for help): a
Partition number (1-4): 1

# write the new partition table to disk and exit
Command (m for help): w

[/codesyntax]

After I have the drive partitioned, I always write random data to the partition that will be encrypted. This destroys any plaintext left over from the previous install and means an attacker cannot tell how much of the encrypted volume actually holds data:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

dd if=/dev/urandom of=/dev/sda5 bs=1M

[/codesyntax]

The above step for a 450GB (give or take) partition takes many, many, many hours; the throughput of /dev/urandom is the bottleneck. dd ends with "No space left on device" when it reaches the end of the partition, which is expected.

When the above finally completes, you can begin setting up the encrypted partition. The cipher spec below is AES in XTS mode; the 512-bit key size is really two 256-bit keys, which is what XTS needs. aes-xts-plain uses a 32-bit sector counter as the IV, which is fine for a 500GB drive but wraps on devices over 2 TiB; on a newer cryptsetup, aes-xts-plain64 is the safer choice.

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: [type passphrase]
Verify passphrase: [type passphrase]
Command successful.

cryptsetup luksOpen /dev/sda5 pvcrypt
Enter LUKS passphrase: [type passphrase]
key slot 0 unlocked.
Command successful.

[/codesyntax]

Once that is done, we create an LVM volume group on the unlocked encrypted partition and a logical volume inside it that will hold /:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

pvcreate /dev/mapper/pvcrypt
  Physical volume "/dev/mapper/pvcrypt" successfully created
vgcreate vg /dev/mapper/pvcrypt
  Volume group "vg" successfully created
lvcreate -n root -l 100%FREE vg
  Logical volume "root" created

[/codesyntax]

A lot of people may disagree with me, but I don't create a swap "partition". Instead, I create a swap file inside the encrypted partition after the installation is complete. That way it is also encrypted, and it isn't enabled until after the encrypted partition is mounted. Too many traces of stuff can be left in a swap partition, even after a computer is shut off.

Now we format our root partition:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

mkfs.ext4 /dev/mapper/vg-root

[/codesyntax]
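The partitioning, LUKS, LVM and mkfs steps above, collected into one non-interactive script. This is an added example and not the original post's code: it feeds sfdisk a script instead of driving fdisk interactively, creates two primary partitions (so the LUKS partition is /dev/sda2 rather than /dev/sda5; the /boot size of 512MiB is an assumption), and formats with aes-xts-plain64. Every command goes through a `run` helper that prints it and only executes it when DRY_RUN=0, which the FDE_RUN=1 entry point sets, so running the script without FDE_RUN only prints the plan.

```shell
#!/bin/sh
# Added example (not from the original post): the partition -> LUKS -> LVM ->
# mkfs steps as one non-interactive script.  Assumes util-linux sfdisk with
# script input on stdin, cryptsetup and lvm2 (apt-get install lvm2 on the live CD).
# Every command goes through run(), which only executes when DRY_RUN=0, so
# the script is a dry run unless started with FDE_RUN=1.
set -eu

BOOT_SIZE="${BOOT_SIZE:-512MiB}"   # assumption: 512MiB for /boot (the post uses +500M)
VG="${VG:-vg}"
LV="${LV:-root}"
MAPPER="${MAPPER:-pvcrypt}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# sfdisk script for an MBR disk: a bootable primary for /boot and a second
# primary with the rest for LUKS (two primaries instead of the post's
# extended/logical layout, so the LUKS partition is <disk>2 rather than <disk>5).
partition_layout() {   # $1 = /boot size
    printf 'label: dos\n,%s,L,*\n,,L\n' "$1"
}

# Partition node N of a disk: /dev/sda -> /dev/sda2, /dev/nvme0n1 -> /dev/nvme0n1p2.
part_name() {   # $1 = disk, $2 = partition number
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# Refuse to touch anything that is not a block device or has mounted partitions.
check_disk() {   # $1 = disk
    [ "$DRY_RUN" = "0" ] || return 0
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if grep -q "^$1" /proc/mounts; then
        echo "refusing: $1 has mounted partitions (is this the live USB stick?)" >&2
        return 1
    fi
}

provision() {   # $1 = disk, e.g. /dev/sda
    disk="$1"
    boot="$(part_name "$disk" 1)"
    luks="$(part_name "$disk" 2)"
    check_disk "$disk"

    # 1. partition table (destroys everything on the disk)
    if [ "$DRY_RUN" = "0" ]; then
        partition_layout "$BOOT_SIZE" | sfdisk "$disk"
    else
        printf '+ sfdisk %s <<EOF\n%s\nEOF\n' "$disk" "$(partition_layout "$BOOT_SIZE")"
    fi

    # 2. optional random fill; dd exits 1 with "No space left on device" at the end, which is expected
    if [ "${WIPE:-0}" = "1" ]; then
        run dd if=/dev/urandom of="$luks" bs=1M || true
    fi

    # 3. LUKS container: AES-XTS with two 256-bit keys; the plain64 IV cannot
    #    wrap its sector counter on devices larger than 2 TiB
    run cryptsetup -y --cipher aes-xts-plain64 --key-size 512 luksFormat "$luks"
    run cryptsetup luksOpen "$luks" "$MAPPER"

    # 4. LVM inside the container: one LV for / (swap becomes a file later)
    run pvcreate "/dev/mapper/$MAPPER"
    run vgcreate "$VG" "/dev/mapper/$MAPPER"
    run lvcreate -n "$LV" -l 100%FREE "$VG"

    # 5. root filesystem; /boot on $boot is formatted by the installer
    run mkfs.ext4 "/dev/mapper/$VG-$LV"
    echo "done: $boot is /boot, $luks is the LUKS partition (use it with blkid and in crypttab)"
}

if [ "${FDE_RUN:-0}" = "1" ]; then
    DRY_RUN=0
    provision "${1:?usage: FDE_RUN=1 $0 /dev/sdX}"
fi
```

From the live system, `sh fde-setup.sh /dev/sda` prints the plan and touches nothing; `FDE_RUN=1 sh fde-setup.sh /dev/sda` does the work, and `WIPE=1` adds the urandom fill. The mounted-partition check exists because the live USB stick is itself a disk, and sda versus sdb is exactly the kind of thing you get wrong at 2 a.m.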

Once that is done, we are ready to start X and run the installer:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

startx

[/codesyntax]

When the graphical desktop is loaded, double click on the Install Backtrack icon.

I am not going to explain every step, just the ones that matter. The Backtrack installer is only a seven-step process anyway; for most of it you simply accept the defaults, unless, for example, you don't want English as your installation language.

So the first step, simply select your language.  Then click forward.

Step 2, select your timezone.  Click forward.

Step 3, select your keyboard layout and click forward.

Step 4: this one is important. It is critical that you select "Specify partitions manually (advanced)". Click forward.

Step 4b, select the row that says vg-root and click on the Change button.

Step 4c: from the “use as:” drop-down list on the screen that appears, select Ext4 journaling filesystem.  On the same screen, place a check mark next to Format the partition.  Below that, enter / for the Mount point.  Then select OK.  You will be returned back to the previous screen.

Step 4d: There will be a row for the first partition we created, the 500M one. It will show up as 534MB if you are following this tutorial exactly (fdisk rounded it up to a cylinder boundary), and it will be /dev/sda1. Highlight that partition and click the Change button. For "use as:", select Ext4 journaling filesystem again, check Format the partition, and enter /boot for the Mount point. Click OK.

You will be returned to the previous screen again. Click the forward button. You will receive a warning about not having a swap partition; that is expected, see my note above about using a swap file inside the encrypted volume instead of a swap partition.

The next screen says Ready to Install. Click the Advanced tab and make sure the hard drive you are installing to is selected for the boot loader. Again, if following these instructions exactly, it will be /dev/sda (the whole disk, not /dev/sda1). Click OK.

Click Install button.

The install will take a while, about 30 minutes on my laptop.

When it completes, you will be presented with the option to Continue testing or Restart now. Select Continue Testing: if you reboot now the system will not come up, because the installed system does not yet know how to unlock the encrypted partition.

At this point, we have created the partitions, created an encrypted partition that is holding a logical volume, formatted the logical volume, and installed the operating system into the encrypted partition.  But, we still are not done configuring it.  First we will identify the block id of the hard drive we installed to, then we will have to chroot to the encrypted hard drive to finish up.

Obtain the block id:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

blkid /dev/sda5
/dev/sda5: UUID="b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526" TYPE="crypto_LUKS"

[/codesyntax]

We will need the UUID later, so make sure you record it correctly; copying it into a text file is safer than writing it down by hand, since a single wrong character means the system won't boot. Triple check... one more time won't hurt... this step is critical!

Chrooting the system:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

mkdir -p /mnt/bt
mount /dev/mapper/vg-root /mnt/bt
mount /dev/sda1 /mnt/bt/boot
mount --bind /dev /mnt/bt/dev                  # grub and update-initramfs need the real /dev inside the chroot
cp /etc/resolv.conf /mnt/bt/etc/resolv.conf   # so apt-get can resolve names inside the chroot
chroot /mnt/bt
mount -t proc proc /proc
mount -t sysfs sys /sys

[/codesyntax]

We now reinstall the same packages we installed on the live CD. We have to do this because that software was not part of the installation; this time it installs to the encrypted partition, where the initramfs tools need it to unlock the LUKS container and activate the volume group at boot.

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

apt-get update
apt-get install hashalot lvm2

[/codesyntax]

Now we have to edit /etc/crypttab, which tells the initramfs how to unlock the encrypted partition. Use whatever editor you are comfortable with; I used vim. The format of the file is:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

# <target name>   <source device>   <key file>   <options>
pvcrypt      /dev/disk/by-uuid/b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526    none         luks

[/codesyntax]

Notice that the UUID of my drive appears as /dev/disk/by-uuid/MY_UUID. Make sure you put your UUID there in place of mine! This is the LUKS UUID that blkid reported for /dev/sda5, not a filesystem UUID, and the target name (pvcrypt) must match the name you used with luksOpen, because that is what the LVM volume group sits on.

Next we have to edit /etc/fstab too. Open it in your favorite editor. The installer wrote the / entry using the UUID of the ext4 filesystem inside the logical volume (a different UUID from the LUKS one). Comment that line out and replace it with one that uses /dev/mapper/vg-root, like the example below. Leave the /boot line alone: its UUID is that of the /boot filesystem on /dev/sda1, and it must not be replaced with the LUKS UUID.

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# we want this next line: / comes from the LVM volume inside the LUKS container
/dev/mapper/vg-root / ext4 errors=remount-ro 0       1
# we do not want this next line (the installer's entry, which uses the ext4 UUID
# of the root filesystem), so add a # to the beginning of it
# UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
# /boot partition (/dev/sda1 if you followed the tutorial exactly); this UUID is
# the one blkid reports for the /boot filesystem itself, not the LUKS UUID
UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot   ext4    relatime 0       2

[/codesyntax]

When you have the file above finished, simply enter the following command to regenerate the initramfs image:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

update-initramfs -u

[/codesyntax]

At this point you should be able to reboot. When Backtrack appears to stall at the splash screen, press F8 to get to the console, where you enter the passphrase for the encrypted partition and press Enter.

If you have issues: boot the live CD again, bring the network back up (wired or wireless, as above), and run the commands below:

[codesyntax lang=”bash” lines=”no” capitalize=”no” strict=”no” doclinks=”0″]

apt-get update
apt-get install hashalot lvm2
blkid /dev/sda5                         # replace /dev/sda5 with your encrypted partition and copy the UUID to a text file
cryptsetup luksOpen /dev/sda5 pvcrypt   # replace sda5 with your encrypted partition
vgchange -ay                            # activate the volume group so /dev/mapper/vg-root appears
mkdir -p /mnt/bt
mount /dev/mapper/vg-root /mnt/bt
mount /dev/[boot partition] /mnt/bt/boot
mount --bind /dev /mnt/bt/dev           # grub and update-initramfs need the real /dev inside the chroot
chroot /mnt/bt
mount -t proc proc /proc
mount -t sysfs sys /sys

[/codesyntax]

This will get you right back to where you left off and you can diagnose the issues from there.

Things to check:

* the UUID blkid reports for your encrypted partition matches the one in /etc/crypttab

* /etc/fstab has an uncommented line mounting / from /dev/mapper/vg-root

* /etc/fstab has the installer's UUID= line for / commented out (that UUID belongs to the ext4 filesystem, not the LUKS container), and the /boot line still uses /boot's own UUID

* run update-initramfs -u

* reboot and try again
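The post-install pieces as one added script, not the original post's code: the swap file described in the swap note above, a crypttab line built from the LUKS UUID, and checks for the mistakes in the list above (crypttab UUID not matching blkid, / still mounted by UUID, the LUKS UUID pasted into the /boot line, which is exactly what went wrong in the comments below). The checks operate on file contents so they can be exercised against the constructed crypttab/fstab text embedded at the bottom; `check_chroot` is the wrapper that runs them against a real chroot and needs root. It assumes an initramfs-tools based system whose crypttab accepts the UUID=... source form (Debian/Ubuntu do), and the /swapfile path is just an example.

```shell
#!/bin/sh
# Added example (not from the original post): post-install helpers for the
# encrypted root.  Assumes an initramfs-tools based system (Backtrack/Ubuntu)
# whose crypttab accepts UUID=... as the source device.
set -eu

MAPPER="${MAPPER:-pvcrypt}"
ROOT_DEV="${ROOT_DEV:-/dev/mapper/vg-root}"

# --- swap file inside the encrypted root ------------------------------------
# fstab entry for the swap file; it is only processed after / (inside LUKS) is
# mounted, so it does the job of the swapon in rc.local.
swap_fstab_line() {   # $1 = swap file path
    printf '%s none swap sw 0 0\n' "$1"
}

# Create and enable the swap file.  dd rather than fallocate (swap must not be
# sparse, and preallocated-but-unwritten files fail on older kernels), and
# 0600 before mkswap so no other user can read swapped-out memory.  Needs root.
make_swapfile() {   # $1 = path, $2 = size in MiB
    dd if=/dev/zero of="$1" bs=1M count="$2"
    chmod 0600 "$1"
    mkswap "$1"
    swapon "$1"
    swap_fstab_line "$1" >> /etc/fstab
}

# --- crypttab / fstab ---------------------------------------------------------
# crypttab line keyed by UUID, so it survives the disk moving from sda to sdb.
gen_crypttab_line() {   # $1 = mapper name, $2 = LUKS UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Drop comments and blank lines; only active entries count.
active_lines() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# 0 if crypttab (stdin) has an active entry named $1 whose source is LUKS UUID $2,
# in either the UUID= or the /dev/disk/by-uuid/ form.
check_crypttab() {   # $1 = mapper name, $2 = LUKS UUID
    active_lines | awk -v name="$1" -v uuid="$2" '
        $1 == name && ($2 == ("UUID=" uuid) || $2 == ("/dev/disk/by-uuid/" uuid)) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if fstab (stdin) mounts / from $1, has no active UUID= line for /, and
# never uses the LUKS UUID $2 as if it were a filesystem (the /boot mix-up).
check_fstab() {   # $1 = root device, $2 = LUKS UUID (optional)
    active_lines | awk -v root="$1" -v luks="${2:-}" '
        $2 == "/" && $1 == root            { ok = 1 }
        $2 == "/" && $1 ~ /^UUID=/         { bad = 1 }
        luks != "" && $1 == ("UUID=" luks) { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Run both checks inside a mounted chroot (e.g. /mnt/bt) against live blkid
# output.  Needs root and the real disk; not exercised by the offline samples.
check_chroot() {   # $1 = chroot dir, $2 = LUKS partition, e.g. /dev/sda5
    uuid="$(blkid -o value -s UUID "$2")"
    check_crypttab "$MAPPER" "$uuid" < "$1/etc/crypttab" ||
        { echo "crypttab: no entry '$MAPPER' for UUID $uuid; expected: $(gen_crypttab_line "$MAPPER" "$uuid")" >&2; return 1; }
    check_fstab "$ROOT_DEV" "$uuid" < "$1/etc/fstab" ||
        { echo "fstab: / must be $ROOT_DEV, the UUID= root line commented out, and /boot must not use the LUKS UUID" >&2; return 1; }
    echo "crypttab and fstab look right; now run: chroot $1 update-initramfs -u"
}

# Constructed sample files for trying the checks offline (UUIDs taken from the post).
SAMPLE_UUID=b049f4d0-7e6b-4fa6-acb3-6f4ef9a0e526
GOOD_CRYPTTAB="pvcrypt /dev/disk/by-uuid/$SAMPLE_UUID none luks"
GOOD_FSTAB="proc /proc proc defaults 0 0
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
# UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2"
BAD_FSTAB_ROOT_UUID="UUID=c8d9b9a0-2198-4966-bc3a-39259df6a2c2 / ext4 relatime,errors=remount-ro 0 1
UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9 /boot ext4 relatime 0 2"
BAD_FSTAB_BOOT_LUKS="/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
UUID=$SAMPLE_UUID /boot ext4 relatime 0 2"
```

Inside the chroot, `check_chroot / /dev/sda5` (or `check_chroot /mnt/bt /dev/sda5` from the live system before chrooting) tells you which of the two files is wrong before you spend another reboot finding out; `make_swapfile /swapfile 2048` is run once, after the first successful boot into the installed system.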


14 responses to “Administration: Backtrack 5R1 Full Disk Encryption (install to hard drive)”

  1. […] setup Backtrack 5r1 with full-disk encryption. (http://www.edwiget.name/2011/11/admi…to-hard-drive/) I have to manually enter the password. If computer is difficult to reach – it is in the data […]

  2. resurepus

    Followed directions to the character. Did not work.

    Additionally, what modifications must be made to install on a specific partition? For example, if one wanted to have 3 different operating systems and a storage partition on the same drive? Would you have to move the /mapper? Would you need one per drive?

    1. edwigetadmin

      The instructions have worked for numerous people so they do work (one person even emailed me to let me know it worked for arch linux). However, the instructions are not for a multi-boot system. I would first validate you can get just one linux os to work this way. For windows encryption, you have to use Truecrypt. I don’t use windows at all, so all I can do is recommend this link without having actually done it myself (which shows how to dual boot windows and linux both with full disk encryption): http://forums.linuxmint.com/viewtopic.php?f=42&t=91676

  3. Widget

    Nice guide, thanks.
    Is there a way to create and auto enable a swap file at login?

    1. Widget

      Also, there seems to be some kind of mount error after entering the passkey
      http://i.imgur.com/CwCzf.jpg
      Selecting skip will continue booting, with the shown pipe error.
      I’ve double checked fstab, & it matches your example.
      Any suggestions?

      1. edwigetadmin

        I am guessing that maybe the uuid does not match your uuid for your drive? You will need to make sure the part that says

        “UUID=ab4cc15b-4dfe-483a-9d1f-17c8f2be84c9”

        does not match my fstab file….it was only an example. That string of numbers and characters should match your drive.

        1. Widget

          The UUID (mine was used 😉 ) is correct, I saved it out to a text file on usb, as i suspected writing it down would be inviting errors.
          Plus, if the UUID was incorrect, surely it wouldn’t boot at all?
          Cheers, Wiget

        2. Widget

          Ha, as always, user error 🙁
          Clearly I need to pay more attention to what I’m doing, I had inserted the encrypted volume UUID as the /boot volume…
          Thanks for your help, and the guide!

          1. edwigetadmin

            glad you got it resolved. Sorry for the slow replies on my part….been crazy lately where I work.

    2. edwigetadmin

      What I normally do is add to my /etc/init.d/rc.local file something like:
      swapon /path/to/swapfile

  4. Widget

    Image after skipping mount.
    http://i.imgur.com/mKrkA.jpg

  5. Widget

    There is a patch here
    http://www.backtrack-linux.org/forums/showthread.php?t=40541&p=196408&viewfull=1#post196408

    That will fix the password input box bug, where you get repeated lines as you type in the pass.

  6. edwigetadmin

    Thanks. I don’t know that I recall having seen that bug….I have been using this encrypted laptop daily for at least a year or longer but always nice that I know where to go if I do come across it.

  7. rewnord

    My install failed, “Sorry, an error occured and it was not possible to install the bootloader at the specified location.”

    I’ve tried them all. Do you think this might have something to do with not mounting it with cryptsetup -v luksOpen?

    Evidently, I tried to mount sda1 to see whether that was the problem. I think the problem is that the filesystem is not recognized; when you try to mount without using cryptsetup you get ” unknown filesystem type: crypto_LUKS” and when I try to manually run grub-install I get /usr/sbin/grub-probe: error: cannot find a device for /boot/grub (is /dev mounted?).
    No path or device is specified. Try ‘usr/sbin/grub-probe’ –help for more information.

    So, the install fails with Backtrack 5 R3, it fails at 93% when the bootloader is installing..
