HI all, I recently wrote a guide on full disk encryption with hard drive installs on BT4 (It can be found here). Due to my usual paranoia about my data, it was great that I had my hdd install of BT4 encrypted but what about the copy I keep on my usb drive? I feel that usb drives are more at risk for having data stolen considering how easy they are to lose or leave somewhere.

I've been working with an encrypted usb BT4 for around a week now and I have noticed that performance is slightly slower. It is still perfectly usable for me but you might feel different. For me, the pros outweigh the cons. It is possible to backup your changes partition before starting and you will not lose any of your changes to your current usb BT4. I will not cover this extensively however; there may be one or two little notes in the guide below regarding this. If you want to give it a try, read on.

As with my other guide, this is not written for a newcomer to BT or Linux for that matter to follow. We will be setting up encrypted partitions and loop devices and editing the initrd. If you have no idea what that stuff is, let me direct you towards Google now. Additionally, all commands in this guide should be run as root, not sudo. You will need to partition your flash drive the same way as you would with an unencrypted usb BT install. I will not be going over how to do that. That being said, let's get started.

1.) OPTIONAL – The first thing you should do is overwrite your usb drive with random data. This step is optional but it will ensure that no data is left behind. Note that this can take a very long time depending on the size of your drive.
Code:
    dd if=/dev/urandom of=/dev/sdXX

2.) I performed most of this under an encrypted Fedora 11 but if you are using BT (or any other distro) you may have to load a kernel module. It doesn't hurt anything if it is already loaded.
Code:
    modprobe aes-i586

Code:
    mount -o loop /path/to/iso /mnt/bt4/

4.) Now we can start encrypting things. The first thing we need to encrypt is the filesystem.squashfs file. To do this we will create a luks container that is slightly bigger than the filesystem.squashfs file. I will use 1.5GB but you are free to choose any size, as long as it is larger than the filesystem.squashfs size of course.
Code:
    # We will first make the container. The size is dictated by the count parameter in the dd command.
    # Feel free to use /dev/random or /dev/zero instead of urandom.
    dd if=/dev/urandom of=filesystem bs=1M count=1500
    losetup /dev/loop0 filesystem
    # Choose a strong passPHRASE here. It's pointless to go through all this trouble to encrypt
    # everything and then choose a weak password.
    cryptsetup luksFormat /dev/loop0
    # Now that we have our container lets open it, put a filesystem in it, and put the
    # filesystem.squashfs file in.
    cryptsetup luksOpen /dev/loop0 container
    mkfs.ext3 /dev/mapper/container
    mkdir /mnt/bt
    mount /dev/mapper/container /mnt/bt
    mv filesystem.squashfs /mnt/bt
    # Cleaning up...
    umount /mnt/bt
    rm -rf /mnt/bt
    cryptsetup luksClose /dev/mapper/container
    losetup -d /dev/loop0
    # Now we have the filesystem.squashfs file encrypted inside the filesystem container.
    # We should rename it.
    mv filesystem filesystem.squashfs

6.) Now we need to encrypt the changes partition. You should have your flash drive partitioned already. The commands below will destroy all data on the partition you run them on. We will be encrypting your changes partition so replace the XX below with the appropriate number & letter (eg, /dev/sda1).
Code:
    # Same thing as above with the passphrase you choose.
    cryptsetup luksFormat /dev/sdXX
    cryptsetup luksOpen /dev/sdXX changes
    mkfs.ext3 -L "casper-rw" /dev/mapper/changes

7.) We now have everything encrypted but this won't do us any good because our initrd doesn't know that what it is looking for is encrypted. Let's fix that. We will be using the initrd.gz that we downloaded in the BT iso.
Code:
    # First lets copy the initrd.gz file to its own directory and extract it.
    mkdir ~/initrd
    cp initrd.gz ~/initrd
    # Work on the copy, not the read-only original on the mounted iso.
    cd ~/initrd
    gunzip initrd.gz
    cpio -id < initrd
    # Now we can edit the files.
    cd scripts

We need to make that function look like below.
Code:
    setup_loop() {
        local fspath=$1
        local module=$2
        local pattern=$3
        local offset=$4
        modprobe ${MP_QUIET} -b "$module"
        /sbin/udevadm settle
        if [ "$module" = loop ]; then
            if [ ! -e /dev/loop0 ]; then
                # temporary workaround for kernel bug
                for i in 0 1 2 3 4 5 6 7; do
                    mknod "/dev/loop$i" b 7 "$i" || true
                done
            fi
            dev="$(losetup -f)"
            if [ "$dev" ]; then
                if [ -n "$offset" ]; then
                    losetup -o "$offset" "$dev" "$fspath"
                else
                    # Encryption Changes Begin
                    mkdir /mnt
                    losetup "$dev" "$fspath"
                    echo "Password: " >&6
                    cryptsetup luksOpen "$dev" luksloop >&6
                    # workaround (part 2):
                    mount -t ext3 /dev/mapper/luksloop /mnt
                    dev="$(losetup -f)"
                    losetup "$dev" /mnt/filesystem.squashfs
                    # Encryption Changes End
                fi
                echo "$dev"
                return 0
            else
                panic "No loop devices available"
            fi
        else
            for loopdev in $pattern; do
                if [ "$(cat $loopdev/size)" -eq 0 ]; then
                    dev=$(sys2dev "${loopdev}")
                    if [ -n "$offset" ]; then
                        losetup -o "$offset" "$dev" "$fspath"
                    else
                        losetup "$dev" "$fspath"
                    fi
                    echo "$dev"
                    return 0
                fi
            done
            panic "No loop devices available"
        fi
    }
8.) Now that the initrd can mount the filesystem we need to make it mount the changes. So in the same directory as the casper-helpers directory, open the file casper for editing. Around line 334 you will find the setup_unionfs function. To conserve space, I will not post the entire function. Instead, scroll down and find the "# Looking for "${root_persistence}" device or file" comment and then find the "# Adding other custom mounts" comment. They should be around lines 385 and 400 respectively. Replace the text between those two comments with this...
Code:
    # Looking for "${root_persistence}" device or file
    if [ -n "${PERSISTENT}" ]; then
        echo "Changes Password: " >&6
        cryptsetup luksOpen /dev/disk/by-uuid/ENTER-UUID-HERE casper-rw >&6
        cowprobe=/dev/mapper/casper-rw
        if [ -b "${cowprobe}" ]; then
            cowdevice=${cowprobe}
            cow_fstype=$(get_fstype "${cowprobe}")
            cow_mountopt="rw,noatime"
        else
            [ "$quiet" != "y" ] && log_warning_msg "Unable to find the persistent medium"
        fi
    fi
    mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} /cow || panic "Can not mount $cowdevice on /cow"
    mount -t ${UNIONFS} -o noatime,dirs=/cow=rw:$rofsstring ${UNIONFS} "$rootmnt" || panic "${UNIONFS} mount failed"
    # Adding other custom mounts
Code:
    blkid /dev/sdXX

8.) One more thing to change in the initrd. Go up one directory, and enter into the conf directory. Open the modules file for editing and make it look like this...
Code:
    fbcon
    vesafb
    fuse
    fan
    thermal
    unix
    aes
    dm-crypt
    dm-mod
    sha256
    cbc
    blkcipher

Last edited by ESC201; 08-20-2009 at 02:45 PM.
IF YOU ARE LOGGED IN, THIS IS THE SECOND PART OF THE GUIDE. SEE THE POST BELOW FOR THE FIRST PART.

9.) We're all done editing the initrd. We now need to put it all back together. You must be in the ~/initrd (or whatever you named it) for this command. If not you will get a init not found error when booting BT.
Code:
    find ./ | cpio -H newc -o > initrd
    gzip -c initrd > initrd.gz

Now for my end-of-guide notes. I am really short on time this week so I have not checked over this guide for typos and/or mistakes. If you find one, let me know so I can correct it. I also typed this entire guide from memory so hopefully I didn't forget anything critical. If it doesn't work for you, ask and I'll try to figure out why. I'm also interested in hearing how an encrypted usb performs for others. I took much information from this guide on the Ubuntu forums (specifically post 33). They were discussing how to encrypt the live cd only but I adapted the same principles to the changes partition and made a few improvements to their code in the process. As always, all feedback is appreciated.

-esc

Last edited by ESC201; 08-20-2009 at 02:46 PM. Reason: adding info
EDIT: Turns out it was the faulty USB drive. I just tried these commands out on my 4gig flash drive and it works just fine. I'll update back when I finish the encryption procedure shortly.

Egh...I've almost given up, I've been getting one problem after another.... Anyway, the problem I'm at now is with luksFormat. After using luksFormat on my changes partition, I provide and verify a passphrase, it says the command is successful. I then try to use luksOpen and it tells me "Command failed: No key available with this passphrase" (I'm definitely entering the correct passphrase...I've tried it even for very short passwords just for a test). I then check luksDump and it says that my changes partition isn't even a LUKS partition. This is very odd considering that the output of luksFormat was successful. No one else seems to have these errors in this context, so this time I'm pretty stuck. I'm editing my live USB key from a Live CD btw (And before that my live USB). Thanks.

Last edited by johnchain; 08-20-2009 at 08:32 AM.
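The luksDump symptom in the post above (a partition that luksFormat reported as formatted but that turns out not to carry a LUKS header) and the container and changes-partition setup in steps 4 and 6 of the guide both come down to a few things that can be checked before packing the initrd. The script below is an added example written for this page, not code from the thread, from ESC201 or from BackTrack. It reads the LUKS header magic with od so it can be run as a normal user against a container file (or, as root, against a partition), checks the guide's rule that the container must be bigger than filesystem.squashfs, and reports which of the guide's conf/modules entries are missing from an initrd. The 64 MB default headroom is an assumed figure, and the sample files in the usage note are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not code from the guide or from BackTrack.
# Pre-flight checks for an encrypted BT4 USB: does the container/partition really
# carry a LUKS header (the luksDump "not a LUKS partition" symptom), is the
# container big enough for filesystem.squashfs, and does conf/modules in the
# initrd list the crypto modules the guide needs? Only od, wc and grep are used,
# so the file checks work as a normal user on plain files.

# Print luks1, luks2 or none depending on the header at the start of FILE.
# LUKS magic is the 6 bytes 'LUKS\xba\xbe' followed by a big-endian 16-bit version.
luks_header_type() {
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then
        echo none
        return 1
    fi
    version=$(od -An -tx1 -j6 -N2 "$1" 2>/dev/null | tr -d ' \n')
    case "$version" in
        0001) echo luks1 ;;
        0002) echo luks2 ;;
        *)    echo luks-unknown-version ;;
    esac
}

# Succeed if CONTAINER is at least MARGIN_MB (default 64, an assumed headroom for
# the LUKS header and the ext3 metadata inside it) larger than PAYLOAD. This is
# the guide's "container must be bigger than filesystem.squashfs" rule made checkable.
container_fits() {
    payload=$(( $(wc -c < "$1") ))
    container=$(( $(wc -c < "$2") ))
    margin=$(( ${3:-64} * 1024 * 1024 ))
    [ "$container" -ge $(( payload + margin )) ]
}

# Print the modules from the guide's list that are absent from MODULES_FILE
# (one module name per line, as in an initramfs conf/modules); fail if any are missing.
initrd_modules_missing() {
    missing=""
    for m in aes dm-crypt dm-mod sha256 cbc blkcipher; do
        grep -qx "$m" "$1" || missing="$missing $m"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Usage: sh check.sh FILE-OR-DEVICE...   prints the header type of each argument.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(luks_header_type "$f" || true)"
done
```

Run as root with the changes partition as argument (for example `sh check.sh /dev/sdXX` using the same sdXX as in step 6), the script prints `none` for a partition whose luksFormat never actually wrote a header, which is the state luksDump was reporting above; `container_fits filesystem.squashfs filesystem` checks the step 4 sizing before the squashfs is moved in, and `initrd_modules_missing ~/initrd/conf/modules` lists anything still to add to the modules file from the guide's last step.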
Well, just tested it out...

GRUB first loaded and then as backtrack loaded it then asked for the first password (which was for the container). After entering the passphrase (hopefully I entered it correctly), a prompt showed up like so... (initramfs) I could type commands and such, using ls showed the whole filesystem (/mnt /etc root ... the works). but it didn't finish booting as usual. For example "startx" didn't exist. It never asked for the second passphrase. Maybe I just typed in the first one wrong...I'll check tomorrow.

Overall I was having so many issues with this process. For example, I ended up resizing the BT4 partition several times (which includes reediting the initrd files), thinking that I didn't make enough space. Turns out that when doing this in a live CD, I could copy over any files over 1.5 gb. So I stuck the USB drive in windows, reformatted the BT4 volume to FAT32 and recopied the files. That and my faulty 8Gb usb drive. I'm guessing I screwed up somewhere editing the initrd files, wouldn't be surprised since it's late and I rushed things considering it's my 4th-5th? try. Egh....this one's for tomorrow. Great tutorial btw.
Quote:
As for your error, when you get dropped into the initramfs shell (I forget the proper name for this) there was an error while booting and the system is giving you a low level shell so you can try to determine the problem. Naturally, you don't have all the advanced features of a regular bash shell and I believe it is read only or at least not persistent. A good place to start is to boot your system and when you get dropped into the initramfs shell there should be a file called casper.log. Run "more casper.log" and post the output of it here.
Well here's the output..

Note: it scrolls automatically and the normal commands to make the screen scroll for "more" aren't recognized, so I can only reproduce this bit.

EDIT: Found a typo and fixed that, now I have this output
Code:
    Enter LUKS passphrase: Command failed: No key available with this passphrase.
    mount: cannot read /etc/fstab: No such file or directory
    /mnt/filesystem.squashfs: No such file or directory
    stdin: error 0
    mount: mounting /dev/loop1 on //filesystem.squashfs faieled: No such device
    Can not mount /dev/loop1 (/cdrom/casper/filesystem.squashfs) on //filesystem.squashfs

EDIT2: Definitely typing it in properly. Not sure why it would be doing this. I think I'm going to start this all over except I'll do it in my ubuntu, that way I have more RAM and diskspace to play around, I'm currently doing all these edits on an external hdd, maybe that's messing with stuff.

Well, I started from scratch... (Actually, semi scratch. I did the whole process over, but made the size of the boot partition too small...by like 20Mb...very frustrating....so I then repartitioned, reformatted the boot, and then reformatted the encrypted changes partition....I also made sure to change in initrd the new UUID). I'm still getting the same passphrase error in casper.log. That error is usually what you get when the wrong passphrase is typed in. Maybe my keyboard isn't being read properly (I once used a liveCD, and it confused the numeric keypad with some of the letters since I have to hold down a Fn key to access them)....it'd help if I could see the input I put in somehow. Also interesting, I installed grub onto the live USB using a liveCD on my laptop. Running the LiveUSB on my laptop gets me to the passphrase error, but when trying to boot from my desktop, it says the usb isn't even bootable. Odd.

EDIT: Update. I booted off the liveUSB on ANOTHER computer...and entering the first passphrase was a success. It gave the message ("slot 0 unlocked" or something). It then asked for the second password. BUT....after 7-8 seconds, it started to continue booting on its own. I didn't even finish typing in the passphrase. I then decided to check if changes even worked. It didn't, everything stored was lost upon reboot.

Something is fishy in the initrd editing. I wonder why it doesn't wait for the passphrase.

Last edited by balding_parrot; 08-21-2009 at 05:53 AM.
Well it sounds like we have a lot of things to try. First off, (I should have done this in the first place) here's my initrd. You will, of course, need to extract it and put your uuid in and zip it all up again. Do that, and then post the output of casper.log.

I don't see why your keymap would be any different from the initramfs shell than when you enter your password.
Quote:
As to the key map, I remember reading somewhere in one of these BT4 encryption threads that making a passphrase in a US layout with certain characters could cause problems cus on bootup .. a default keyboard layout is used. I'll try different passphrases...I can always change to accommodate my laptop.
Quote:
As for keymaps, I've always used a US keymap and thus I've never had a problem with keymaps. Excuse me if I'm wrong, just a suggestion, but aren't the number keys the same for almost all keymaps? Try using a test password made up of numbers?
Ah ok, that would make sense.

My laptop keyboard looks like this... [image of the laptop keyboard]

I've previously had trouble with live CDs. I had to use a copy of Parted Magic to format one of my flash drives, and when I started typing, I noticed that when I pressed a key with one of those numbers on it, it gave me the number instead of the letter, so I had to type with the blue "Fn" key pressed down. Who knows, maybe it just activated the num lock on its own. Either way, I wish I knew what I was typing in on bootup, I'll try activating/deactivating the num lock before typing in the passphrase next time, or I'll test passwords that don't use those keys.

BTW...I really appreciate the help so far