|
|||||||
| BackTrack 4 Howto Tutorials and Howtos about BackTrack 4 (NOT for requesting tutorials or how to do anything) |
 |
|
|
LinkBack | Thread Tools | Display Modes |
08-16-2009, 09:02 PM
|
|||
|
|||
HOWTO: BT4 Pre-Final USB Encryption
HI all, I recently wrote a guide on full disk encryption with hard drive installs on BT4 (It can be found here). Due to my usual paranoia about my data, it was great that I had my hdd install of BT4 encrypted but what about the copy I keep on my usb drive? I feel that usb drives are more at risk for having data stolen considering how easy they are to lose.
I've been working with an encrypted usb BT4 for around a week now and I have noticed that performance is slightly slower. It is still perfectly usable for me but you might feel different. It is possible to backup your changes partition before starting and you will not lose any of your changes to your current usb BT4. I will not cover this extensively however; there may be one or two little notes in the guide below regarding this. Read to give it a try? read on. This guide is not written for a newcomer to BT, or Linux for that matter, to follow. We will be setting up encrypted partitions and loop devices and editing the initrd. If you have no idea what that stuff is, let me direct you towards Google now. I aslo very highly recommend that you know how to install BT to an unencrypted usb drive before attempting this guide. Additionally, all commands in this guide should be run as root, not sudo. That being said, let's get started. 1.) OPTIONAL – The first thing you should do is overwrite your usb drive with random data. This step is optional but it will ensure that no data is left behind from whatever you had on your usb drive before. Note that this can take a long time depending on the size of your drive. Code:
dd if=/dev/urandom of=/dev/sdX 2.) You will need to partition your flash drive the same way as you would with an unencrypted usb BT install. That is, two partitions, one for the base filesystem (the filesystem.squashfs file) and whatever other data you like to keep on your drive and a second for the changes. In my experience I have found that 2-3gb should be good for the changes the partition, but that depends on how many changes you are planning to make. We will be formatting the second partition later so the filesystem type does not matter now. 3.) Depending on what distro you are using, you may have to load a kernel module. It doesn't hurt anything if it is already loaded. Code:
modprobe aes-i586 4.) First thing is to download a new copy of BT4. Open the iso and extract the files. Code:
mount -o loop /path/to/iso /mnt/bt4/ Also, in the BT iso you just mounted, under the boot directory, copy the initrd.gz to where you copied the filesystem.squshfs file. You can unmount the BT iso now. 5.) Now we can start encrypting things.The first thing we need to encrypt is the filesystem.squashfs file. To do this we will create a luks container that is slightly bigger than the filesystem.squashfs file. I will use 1.5GB but you are free to choose any size, as long as it is larger than the filesystem.squashfs size of course. Code:
# We will first make the container. The size is dictated by the count parameter in the dd command (in megabytes). Feel free to use /dev/random or /dev/zero instead of urandom. # Note that this will take a few minutes. dd if=/dev/urandom of=filesystem bs=1M count=1500 # If you receive an error such as "/dev/loop0: No such device or address", try /dev/loop1 and use that inplace of /dev/loop0 in the commands below. losetup /dev/loop0 filesystem # Choose a strong passPHRASE here. It's pointless to go through all this trouble to encrypt everything and then choose a weak password. cryptsetup luksFormat /dev/loop0 # Now that we have our container lets open it, put a filesystem in it, and put the filesystem.squashfs file in. cryptsetup luksOpen /dev/loop0 container mkfs.ext3 /dev/mapper/container mkdir /mnt/container mount /dev/mapper/container /mnt/container mv filesystem.squashfs /mnt/container # Cleaning up... umount /mnt/container rm -rf /mnt/container cryptsetup luksClose /dev/mapper/container losetup -d /dev/loop0 # Now we have the filesystem.squashfs file encrypted inside the filesystem container. We need to rename it. Simply... mv filesystem filesystem.squashfs 6.) Now we need to encrypt the changes partition. You should have your flash drive partitioned already. The commands below will destroy all data on the partition you run them on. We will be encrypting your changes partition so replace the XX below with the appropriate number & letter (eg, /dev/sda1). Code:
# Same thing as above with the passphrase you choose. cryptsetup luksFormat /dev/sdXX crypsetup luksOpen /dev/sdXX changes mkfs.ext3 -L "casper-rw" /dev/mapper/changes Code:
# Note that this is only for putting backed-up changes back into the changes directoy! mkdir /mnt/changes mount /dev/mapper/changes /mnt/changes cp -R /path/to/backed-up/changes /mnt/changes umount /mnt/changes 7.) We now have everything encrypted but this won't do us any good because our initrd doesn't know that what it is looking for is encrypted. Let's fix that. We will be using the initrd.gz that we downloaded and extracted from the BT iso earlier. Code:
# First lets copy the initrd.gz file to its own directory and extract it. mkdir ~/initrd cp initrd.gz ~/initrd gunzip initrd.gz cpio -id < initrd # While we're at it, delete the archives we just extracted so they don't get in the way when we compress everything again. rm initrd rm initrd.gz # Now we can edit the startup script files. cd scripts We need to make that function look like below. Code:
setup_loop() {
local fspath=$1
local module=$2
local pattern=$3
local offset=$4
modprobe ${MP_QUIET} -b "$module"
/sbin/udevadm settle
if [ "$module" = loop ]; then
if [ ! -e /dev/loop0 ]; then
# temporary workaround for kernel bug
for i in 0 1 2 3 4 5 6 7; do
mknod "/dev/loop$i" b 7 "$i" || true
done
fi
dev="$(losetup -f)"
if [ "$dev" ]; then
if [ -n "$offset" ]; then
losetup -o "$offset" "$dev" "$fspath"
else
# Encryption Changes Begin
mkdir /mnt
losetup "$dev" "$fspath"
echo "Password: " >&6
cryptsetup luksOpen "$dev" luksloop >&6
# workaround (part 2):
mount -t ext3 /dev/mapper/luksloop /mnt
dev="$(losetup -f)"
losetup "$dev" /mnt/filesystem.squashfs
# Encryption Changes End
fi
echo "$dev"
return 0
else
panic "No loop devices available"
fi
else
for loopdev in $pattern; do
if [ "$(cat $loopdev/size)" -eq 0 ]; then
dev=$(sys2dev "${loopdev}")
if [ -n "$offset" ]; then
losetup -o "$offset" "$dev" "$fspath"
else
losetup "$dev" "$fspath"
fi
echo "$dev"
return 0
fi
done
panic "No loop devices available"
fi
}
Either replace the whole function with what I have posted above or just add in my changes between the two comments mentioned. If you want, you can change the echo line that says "Password" to something else, like an error so that anyone that tries to boot BT may think it doesn't work and move on. If not, keep the password or remove the line entirely. Whatever works. ------------------------------------------------------------------------------------------------------- If you are logged in, see post number 2 in this thread for the second part of the guide. Last edited by ESC201; 12-06-2009 at 09:22 PM. 
|
|
08-16-2009, 09:04 PM
|
|||
|
|||
IF YOU ARE LOGGED IN, THE IS THE SECOND PART OF THE GUIDE. SEE THE POST BELOW FOR THE FIRST PART.
8.) Now that the initrd can mount the filesystem we need to make it mount the changes partition. First we will need the UUID of your changes partition. To get this run... Code:
blkid /dev/sdXX In the same directory as the "casper-helpers" directory, open the file "casper" for editing. Around line 334 you will find the "setup_unionfs" function. To conserve space, I will not post the entire function. Instead, scroll down and find the "# Looking for "${root_persistence}" device or file" comment and then find the "# Adding other custom mounts" comment. They should be around lines 385 and 400 respectively. Replace the text between those two comments with this... Code:
# Looking for "${root_persistence}" device or file
if [ -n "${PERSISTENT}" ]; then
echo "Changes Password: " >&6
cryptsetup luksOpen /dev/disk/by-uuid/ENTER-UUID-HERE casper-rw >&6
cowprobe=/dev/mapper/casper-rw
if [ -b "${cowprobe}" ]; then
cowdevice=${cowprobe}
cow_fstype=$(get_fstype "${cowprobe}")
cow_mountopt="rw,noatime"
else
[ "$quiet" != "y" ] && log_warning_msg "Unable to find the persistent medium"
fi
fi
mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} /cow || panic "Can not mount $cowdevice on /cow"
mount -t ${UNIONFS} -o noatime,dirs=/cow=rw:$rofsstring ${UNIONFS} "$rootmnt" || panic "${UNIONFS} mount failed"
# Adding other custom mounts
his part is the reason I can't just post my initrd; it will be different for every person. 9.) One more thing to change in the initrd. Go up one directory, and enter into the "conf" directory. Open the "modules" file for editing and make it look like this... Code:
fbcon vesafb fuse fan thermal unix aes dm-crypt dm-mod sha256 cbc blkcipher 10.) We're all done editing the initrd. We now need to put it all back together. You must be in the ~/initrd (or whatever you named it) for this command. If not you will get a init not found error when booting BT. Code:
find ./ | cpio -H newc -o > initrd gzip -c initrd > initrd.gz The two things that are different now are as follows: Replace the "filesystem.squashfs" file with the encrypted one we made and then replace the "initrd.gz" file with the one we modified. You have to enter your password twice. First the one for the "filesystem.squashfs" file and the second for the changes partition. You could get around this by using keyfiles but if someone gets a hold your keyfile, there goes the security provided by the encryption. Also, it will seem that the system hangs after "aufs 2-standalone.tree-29-20090518" (which is right after you enter your second passphrase). Hit any random key followed by the enter key and your system will continue booting. I have no clue why this happens. I spent a lot of time searching through the initrd for what causes this came up with nothing. It's really nothing more than a minor annoyance but if you know how to prevent this, please be kind enough to share. Okay, cross your fingers and hope it works now! I took much information from this guide on the Ubuntu forums (specifically post 33). They were discussing how to encrypt the live cd only but I adapted the same principals to get the changes partition working. As always, all feedback is appreciated. -esc Last edited by ESC201; 12-06-2009 at 09:20 PM. Reason: adding info and clarifying
|
|
08-20-2009, 05:08 AM
|
|||
|
|||
|
EDIT: Turns out it was the faulty USB drive. I just tried these commands out on my 4gig flash drive and it works just fine. I'll update back when I finish the encryption procedure shortly.
Egh...I've almost given up, I've been getting one problem after another.... Anyway, the problem I'm at now is with luksFormat. After using luksFormat on my changes partition, I provide and verify a passphrase, it says the command is successful. I then try to use luksOpen and it tells me "Command failed: No key available with this passphrase" (I'm definitely entering the correct passphrase...I've tried it even for very short passwords just for a test). I then check luksDump and it says that my changes partition isn't even a LUKS partition. This is very odd considering that the output of luksFormat was successful. No one else seems to have these errors in this context, so this time I'm pretty stuck. I'm editing my live USB key from a Live CD btw (And before that my live USB). Thanks. Last edited by johnchain; 08-20-2009 at 07:32 AM.
|
|
08-20-2009, 11:09 AM
|
|||
|
|||
|
Well, just tested it out...
GRUB first loaded and then as backtrack loaded it then asked for the first password (which was for the container). After entering the passphrase (hopefully I entered it correctly), a prompt showed up like so... (initramfs) I could type commands and such, using ls showed the whole filesystem (/mnt /etc root ... the works). but it didn't finish booting as usual. For example "startx" didn't exist. It never asked for the second passphrase. Maybe I just typed in the first one wrong...I'll check tomorrow. Overall I was having so many issues with this process. For example, I ended up resizing the BT4 partition several times (which includes reediting the initrd files), thinking that I didn't make enough space. Turns out that when doing this in a live CD, I could copy over any files over 1.5 gb. So I stuck the USB drive in windows, reformatted the BT4 volume to FAT32 and recopied the files. That any my faulty 8Gb usb drive. I'm guessing I screwed up somewhere editing the initrd files, wouldn't be surprised since it's late and I rushed things considering it's my 4th-5th? try. Egh....this one's for tomorrow. Great tutorial btw.
|
|
08-20-2009, 01:43 PM
|
|||
|
|||
|
Quote:
As for your error, when you get dropped into the initramfs shell (I forget the proper name for this) there was an error while booting and the system is giving you a low level shell so you can try to determine the problem. Naturally, you don't have all the advanced features of a regular bash shell and I believe it is read only or at least not persistent. A good place to start is to boot your system and when you get dropped into the initramfs shell there should be a file called casper.log. Run "more capser.log" and post the output of it here.
|
|
08-20-2009, 06:58 PM
|
|||
|
|||
|
Well here's the output..
Note: it scrolls automatically and the normal commands to make the screen scroll for "more" aren't recognized, so I can only reproduce this bit. EDIT: Found a typo and fixed that, now I have this output Code:
Enter LUKS passphrase: Command failed: No key available with this passphrase. mount: cannot read /etc/fstab: No such file or directory /mnt/filesystem.squashfs: No such file or directory stdin: error 0 mount: mounting /dev/loop1 on //filesystem.squashfs faieled: No such device Can not mount /dev/loop1 (/cdrom/casper/filesystem.squashfs) on //filesystem.squashfs EDIT2: Definitely typing it in properly. Not sure why it would be doing this. I think I'm going to start this all over except I'll do it in my ubuntu, that way I have more RAM and diskspace to play around, I'm currently doing all these edits on an external hdd, maybe that's messing with stuff. Well, I started from scratch... (Actually, semi scratch. I did the whole process over, but made the size of the boot partition too small...by like 20Mb...very frustrating....so I then repartitioned, reformated the boot, and then reformated the encrypted changes partition....I also made sure to change in initrd the new UUID). I'm still getting the same passphrase error in casper.log. That error is usually what you get when the wrong passphrase is typed in. Maybe my keyboard isn't being read properly (I once used a liveCD, and it confused the numeric keypad with some of the letter since I have to hold down a Fn key to access them)....it'd help if I could see the input i put in somehow. Also interesting, I installed grub onto the live USB using a liveCD on my laptop. Running the LiveUSB on my laptop gets me to the passhphrase error, but when trying to boot from my desktop, it says the usb isn't even bootable. Odd. EDIT: Update. I booted off the liveUSB on ANOTHER computer...and entering the first passphrase was a success. It gave the message (slot 0 unlocked" or something. It then asked for the second password. BUT....after 7-8 seconds, it started to continue booting on its own. I didn't even finish typing in the passphrase. I then decided to check if changes even worked. It didn't, everything stored was lost upon reboot. Something is fishy in the initrd editing. I wonder why it doesn't wait for the passphrase. Last edited by balding_parrot; 08-21-2009 at 04:53 AM.
|
|
08-21-2009, 05:42 AM
|
|||
|
|||
|
Well it sounds like we have a lot of things to try. First off, (I should have done this in the first place) here's my initrd, You will, of course, need to extract it and put your uuid in and zip it all up again. Do that, and then post the output of casper.log.
I don't see why your keymap would be any different from the initramfs shell than when you enter your password.
|
|
08-21-2009, 06:30 AM
|
|||
|
|||
|
Quote:
As to the key map, I remember reading somewhere in one of these BT4 encryption threads that making a passphrase in a US layout with certain characters could cause problems cus on bootup .. a default keyboard layout is used. I'll try different passphrases...I can always change to accomodate my laptop.
|
|
08-21-2009, 01:41 PM
|
|||
|
|||
|
Quote:
As for keymaps, I've always used a US keymap and thus I've never had a problem with keymaps. Excuse me if I'm wrong, just a suggestion, but aren't the number keys the same for almost all keymaps? Try using a test password made up of numbers?
|
|
08-21-2009, 07:00 PM
|
|||
|
|||
|
Ah ok, that would make sense.
My laptop keyboard looks like this...  I've previously had trouble with live CDs. I had to use a copy of Parted Magic to format one of my flash drives, and when I started typing, I noticed that when i pressed a key with one of those numbers on it, it gave me the number instead of the letter, so I had to type with the blue "Fn" key pressed down. Who knows, maybe it just activated the num lock on its own. Either way, I wish I knew what I was typing in on bootup, I'll try activating/deactivating the num lock before typing in the passphrase next time, or I'll test passwords that don't use those keys. BTW...I really appreciate the help so far 
|
|
| Bookmarks |
| Tags |
| encryption, esc201, initrd, luks, usb |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT. The time now is 04:09 PM.
