Remote Exploit Forums

  #1 (permalink)  
Old 02-12-2009, 03:55 PM
Junior Member
 
Join Date: Feb 2009
Posts: 22
Encrypted HD install using LUKS and LVM boot partition on HD

This is my first tutorial here, I hope it is useful to you

This will allow you to have an encrypted BT4-beta install with the boot partition located on the hard drive.
I hope you find this easy to follow


Remember to replace /dev/sda* with your device.


Preparation

Bring network adapter up and obtain an IP address
Code:
ifconfig eth0 up
dhclient eth0
Install needed software
Code:
apt-get update && apt-get install hashalot lvm2

Make sure the partitions you are going to use are unmounted
Code:
cat /proc/partitions
Code:
umount /dev/{sda1,sda2}



Partitioning

Partition the hard drive, create a new empty partition table first (o in fdisk), and remember to set the /boot partition bootable (a then 1 in fdisk)

Create one small partition which will be the boot partition and one large partition which will be the encrypted partition.
Code:
fdisk /dev/sda
Code:
/boot  200m
/btcrypt rest
Make the filesystem on the boot partition and label it
Code:
mkfs.ext2 /dev/sda1
e2label /dev/sda1 boot



Encrypting the hard drive and creating the LVMs

Encrypt the large partition
Code:
cryptsetup -v -y -c twofish-cbc-essiv:sha256 -h sha256 -s 256 luksFormat /dev/sda2
Open the encrypted partition and create the physical volume and volume groups
Code:
cryptsetup luksOpen /dev/sda2 btcrypt
pvcreate /dev/mapper/btcrypt
vgcreate btcrypt /dev/mapper/btcrypt
Create swap partition, change 4G to your swap size
Code:
lvcreate -L 4G -n swap btcrypt
Create root partition, use all the free space
Code:
lvcreate -l 100%FREE -n root btcrypt
Find and activate volume groups
Code:
vgscan --mknodes
vgchange -ay
Make filesystem on the root partition
Code:
mkfs.ext3 /dev/mapper/btcrypt-root
Make and activate swap partition
Code:
mkswap /dev/mapper/btcrypt-swap
swapon /dev/mapper/btcrypt-swap
Mount the root and boot partition and continue with the install
Code:
mkdir /mnt/bt4
mount /dev/mapper/btcrypt-root /mnt/bt4/
mkdir /mnt/bt4/boot/
mount /dev/sda1 /mnt/bt4/boot
cp --preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt4/
mkdir /mnt/bt4/{mnt,tmp,proc,sys}
chmod 1777 /mnt/bt4/tmp/
mount -t proc proc /mnt/bt4/proc/
mount -o bind /dev /mnt/bt4/dev/
chroot /mnt/bt4/ /bin/bash

Last edited by _arc_; 02-14-2009 at 12:43 PM. Reason: Cleaning up and changing the layout
  #2 (permalink)  
Old 02-14-2009, 12:42 PM
Junior Member
 
Join Date: Feb 2009
Posts: 22

Setting up initramfs-tools preparing and creating the initrd image

Add the encryption information to crypttab
Code:
echo "btcrypt      /dev/sda2       none luks,retry=1,lvm=btcrypt" >> /etc/crypttab
Make fstab and lilo.conf look like the following

Code:
nano /etc/fstab
Code:
/dev/mapper/btcrypt-root / auto defaults 0 0
/dev/mapper/btcrypt-swap none swap auto,defaults,pri=1 0 0 
proc /proc proc defaults 0 0 
sysfs /sys sysfs defaults 0 0 
devpts /dev/pts devpts gid=5,mode=620 0 0 
tmpfs /dev/shm tmpfs defaults 0 0 
LABEL=boot /boot ext2 auto,noatime 0 0
Code:
nano /etc/lilo.conf
Code:
lba32
boot=/dev/sda
large-memory
prompt
timeout=50
vga=0x317
image=/boot/vmlinuz
        label="BT4"
        read-only
        initrd=/boot/initrd.img-2.6.28.1
        root= /dev/mapper/btcrypt-root
Add the encryption modules to the initramfs-tools config file
Code:
nano /etc/initramfs-tools/modules
Code:
twofish
sha256
Check the initramfs config file for MODULES=most
Code:
nano /etc/initramfs-tools/initramfs.conf
Create a blank modules.dep file, without which I have some errors on booting

Code:
mkdir -p /etc/initramfs-tools/lib/modules/2.6.28.1/
touch /etc/initramfs-tools/lib/modules/2.6.28.1/modules.dep
depmod -a
Fix the default resume partition, so suspend can work
Code:
blkid /dev/mapper/btcrypt-swap
Add this to /etc/initramfs-tools/conf.d/resume
Replace /dev/sd* with the UUID from the previous command
Code:
nano /etc/initramfs-tools/conf.d/resume
Code:
RESUME=UUID=e0eb116b-b425-4896-8faa-279f18ca0341

Ok let's make an initrd,
Code:
update-initramfs -k all -c
ls -l /boot/

You will see initrd.img-2.6.28.1 in your boot partition, this is our newly created initrd




Checking the initrd image

Code:
cd /root/
mkdir tmp
cd tmp
Decompress the initrd and pipe it through cpio
Code:
gzip -dc /boot/initrd.img-2.6.28.1 | cpio -id
You can see the file system of the initrd image laid out
Code:
ls
First check that the encrypted partitions were being picked up properly by the update-initramfs script (Line should read as below)
Code:
cat conf/conf.d/cryptroot
Code:
target=btcrypt,source=/dev/sda2,key=none,lvm=btcrypt-root,lvm=btcrypt
Then check the modules directory
Code:
ls -l lib/modules/2.6.28.1/

If there is no modules.dep file in lib/modules/2.6.28.1/ then create it
Code:
touch lib/modules/2.6.28.1/modules.dep
And repack the files
Code:
find ./ | cpio -H newc -o > /boot/initrd.img-2.6.28.1.new
Gzip and rename the initrd
Code:
cd /boot/ 
gzip initrd.img-2.6.28.1.new
mv initrd.img-2.6.28.1.new.gz initrd.img-2.6.28.1


Cleaning up

Run lilo, exit the chroot and reboot
Code:
lilo -v
Code:
exit
Code:
reboot

Sources and Further Reading

Code:
hxxp://forums.remote-exploit.org/showthread.php?t=19550
man cpio
man initramfs-tools
man initramfs.conf
man update-initramfs
man mkinitramfs
man crypttab
Thanks for the release guys.

Last edited by _arc_; 03-06-2009 at 05:07 PM. Reason: Added modules.dep command
  #3 (permalink)  
Old 02-25-2009, 12:51 AM
Junior Member
 
Join Date: Jun 2008
Location: Europe, Cologne
Posts: 14

Thanks for this great Howto! It worked perfectly except for one small issue when installing lilo (or grub in my case). Before exiting chroot when I tried to run

Code:
lilo -v
I got a write error from lilo, same with grub-install in my case. This can be fixed by updating the mtab in the chroot environment before installing lilo:

Code:
grep -v rootfs /proc/mounts > /etc/mtab
After that lilo (or grub) was installed properly and everything worked fine.
__________________
I love deadlines. I like the whooshing sound they make as they fly by.

Douglas Adams
  #4 (permalink)  
Old 03-04-2009, 02:01 PM
New Member
 
Join Date: Mar 2009
Posts: 2
Problem with encrypted HDD install

_arc_

Great posting, thanks for taking the time, I followed everything and had a problem and I was wondering if you had any thoughts.

I am using an eee pc 1000 and I am running into an error when I reboot. After I am asked for my password to decrypt the partition I see the following (I completely erased the laptop and followed the steps again and received the same error message):

Enter passphrase to unlock the disk /dev/sda2 (btcrypt):
keyslot 0 unlocked
Command successful
Done
Begin: Running /scripts/local-premount ...
Begin: Waiting for resume device... ...
Done
Done
mount: mounting /dev/root on /root failed: No such device
Begin: Running /scripts/local-bottom ...
Done
Done
Begin: Running /scripts/init-bottom ...
mount: mounting /root/dev on /dev/.static/dev failed: No such device file or directory
Done
mount: mounting /sys on /root/sys failed: No such file or directory
mount: mounting /proc on /root/proc failed: No such file or directory
Target filesystem doesn't have /sbin/init
No init found. Try passing init=bootarg

BusyBox v1.10.2 yada yada yada
(initramfs)


I added the yada yada myself, I am essentially presented the initramfs prompt.

Any thoughts on how to fix this? Is there anything else I can post that will help solve my problem?

Thanks
  #5 (permalink)  
Old 03-04-2009, 10:07 PM
Junior Member
 
Join Date: Feb 2009
Posts: 22

Thank you for your comments

jojokoko
I would double check fstab, lilo.conf and crypttab and make sure they tally with your partitions.
Also check that the relevant crypto filesystem modules are in /etc/initramfs-tools/modules.

Can you post the files above if you have any problems.

Thanks


RaginRob
Thanks. It should not be a problem installing lilo by hand or
if you install grub by hand you should not have any problems either.

grub
root (hd0,0)
setup (hd0)

But grub-install reads mtab and will fail in a chroot environment
unless the command you have posted is used.
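The cross-check suggested in the reply above, as an added shell example that is not part of the thread: it compares crypttab, fstab and lilo.conf against each other (not against the live partition table). The function name check_boot_configs is hypothetical, and the file layouts assumed are the ones shown in post #2.

```shell
#!/bin/sh
# Added example (not from the thread): check that crypttab, fstab and lilo.conf
# agree on the mapping, volume group and root device.
# Assumes a VG name without hyphens (device-mapper doubles them in /dev/mapper).
check_boot_configs() {
    crypttab=$1; fstab=$2; lilo=$3; problems=0

    # First real crypttab entry: mapping name is field 1, options are field 4
    target=$(awk 'NF && $1 !~ /^#/ {print $1; exit}' "$crypttab")
    opts=$(awk 'NF && $1 !~ /^#/ {print $4; exit}' "$crypttab")
    # Volume group from the lvm= option, e.g. luks,retry=1,lvm=btcrypt
    vg=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^lvm=//p' | head -n 1)

    # Device that fstab mounts on / and device lilo.conf passes as root=
    fstab_root=$(awk '$1 !~ /^#/ && $2 == "/" {print $1; exit}' "$fstab")
    lilo_root=$(sed -n 's/^[[:space:]]*root[[:space:]]*=[[:space:]]*//p' "$lilo" | head -n 1)

    if [ -z "$target" ]; then
        echo "crypttab: no mapping entry found"
        problems=$((problems + 1))
    fi
    if [ -z "$vg" ]; then
        echo "crypttab: no lvm=<vg> option to compare fstab against"
        problems=$((problems + 1))
    else
        case $fstab_root in
            "/dev/mapper/$vg-"*) ;;
            *) echo "fstab: root '$fstab_root' is not a volume in VG '$vg'"
               problems=$((problems + 1)) ;;
        esac
    fi
    if [ "$lilo_root" != "$fstab_root" ]; then
        echo "lilo.conf: root=$lilo_root but fstab mounts $fstab_root on /"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Run against an installed tree, e.g. from inside the chroot:
#   sh check.sh /etc/crypttab /etc/fstab /etc/lilo.conf
if [ $# -eq 3 ]; then
    check_boot_configs "$@"
fi
```
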
  #6 (permalink)  
Old 03-04-2009, 10:09 PM
KMDave's Avatar
Administrator
 
Join Date: Jan 2008
Location: Moshpit
Posts: 1,956

Quick question, haven't checked the encrypted setup with BT4 yet for myself:
Does it result in the same unmount issue when shutting down as in BT3?
__________________
My life, my rules.
  #7 (permalink)  
Old 03-04-2009, 10:11 PM
Junior Member
 
Join Date: Feb 2009
Posts: 22

Quote:
Originally Posted by KMDave
Quick question, haven't checked the encrypted setup with BT4 yet for myself:
Does it result in the same unmount issue when shutting down as in BT3?
Hi KMDave
No problems with unmounting as with BT3.
  #8 (permalink)  
Old 03-06-2009, 03:00 AM
Junior Member
 
Join Date: Jun 2008
Location: Enid, OK
Posts: 22
Changing Mount Points?

Is there an easy way to modify this so that it either automatically senses what device the boot drive is tied to or where you can manually select at startup? I set it up as an sda but when I boot with another hard drive in the system it forces the USB drive to sdb and it can't find the encrypted partition. Do I have to make two images for this, or is there an easy way to have it either know or be told that it's on a different mount point?

Other than that it works AWESOME. Thanks for the walkthrough!

Last edited by Mexicant; 03-06-2009 at 03:06 AM.
  #9 (permalink)  
Old 03-07-2009, 08:54 PM
xCPPx's Avatar
Senior Member
 
Join Date: Nov 2007
Location: Cyberspace
Posts: 175

Interesting. I've had the same unmount issue in bt3 where the root partition would fail to unmount properly upon shutdown, citing it was busy. I didn't dive into the problem any deeper after writing the tutorial, but it still does interest me as to why it occurs. I haven't tried out your method yet, arc, but you say that there are no unmounting console errors with it on shutdown?

EDIT: Just to be clear. I am talking about the encryption method described in my thread here.
__________________
I shall conquer the world... with kindness.

Last edited by xCPPx; 03-07-2009 at 08:57 PM.
  #10 (permalink)  
Old 03-10-2009, 12:53 PM
Junior Member
 
Join Date: Feb 2009
Posts: 22

Mexicant
You can try specifying a UUID in crypttab instead of the device name.
/dev/disk/by-uuid/<UUID>

xCPPx
I have read and used your tutorial for bt3, nice.
No problem with unmounting here under ubuntu. I have a box running encrypted BT3 and had the same error but have not had a chance to look at the problem either. I suspect the shutdown script needs reordering or re-writing.

Last edited by _arc_; 03-12-2009 at 08:30 PM.
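One way to apply the by-UUID suggestion from the reply above, as an added example that is not from the thread: the hypothetical function crypttab_by_uuid prints a crypttab in which one mapping's source device is replaced by its /dev/disk/by-uuid/<UUID> path, so the entry no longer depends on whether the disk shows up as sda or sdb.

```shell
#!/bin/sh
# Added example (not from the thread): print a crypttab in which the source
# device of one mapping is replaced by its /dev/disk/by-uuid/<UUID> path.
# Usage: crypttab_by_uuid <mapping> <uuid> <crypttab>
crypttab_by_uuid() {
    map=$1; uuid=$2; file=$3

    # Refuse anything that is not a canonical 8-4-4-4-12 hex UUID
    if ! printf '%s\n' "$uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "not a UUID: $uuid" >&2
        return 2
    fi
    # The mapping must exist, otherwise the output would be an unchanged copy
    if ! awk -v m="$map" '$1 == m {found = 1} END {exit !found}' "$file"; then
        echo "no crypttab entry named $map" >&2
        return 1
    fi
    # Rewrite field 2 of the matching entry; comments and other entries pass through
    awk -v m="$map" -v u="$uuid" '
        $1 == m { $2 = "/dev/disk/by-uuid/" u }
        { print }
    ' "$file"
}

# Typical use inside the chroot (device name as in the tutorial):
#   uuid=$(blkid -s UUID -o value /dev/sda2)
#   sh by-uuid.sh btcrypt "$uuid" /etc/crypttab > /etc/crypttab.new
# Review the result, move it into place and rebuild the initrd with
# update-initramfs, because conf/conf.d/cryptroot inside the existing image
# still records source=/dev/sda2.
if [ $# -eq 3 ]; then
    crypttab_by_uuid "$@"
fi
```
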

Tags
bt4, encryption, luks, lvm




All times are GMT.

