Nov 25 2008
BackTrack 3, the EEE 701, and Disk Encryption
Explanation and Advantages
I recently decided to make BackTrack 3 the primary OS on my pearly EEE 701. Given my EEE’s whopping 4GB of solid-state storage, I decided that rather than installing BackTrack directly onto the SSD, I would instead install the live distro to an 8GB SDHC card I had lying around, and use the remaining internal 4GB SSD as an encrypted /root partition using cryptsetup. There are a few distinct advantages of such a setup. Firstly, since the OS is installed as a live distro on a removable device, portability is not sacrificed – I am still able to boot into BackTrack from the same SDHC card plugged into another machine (assuming, of course, that machines BIOS supports booting from SD.) Secondly, by overriding the default /root partition which is created by root.lzm, any changes I make to /root are persistent, and do not require a recompression of root.lzm. This allows me to store application settings and files in a much more convenient manner. Thirdly, since /root is encrypted, saving settings or files containing passwords or other sensitive information is less of a security risk.
Implementation
To install BackTrack onto the SDHC card, we use the same method as a USB install. Format the SDHC to contain a vfat filesystem. Extract the BackTrack 3 USB .iso file into the filesystem mount point, and run boot/bootinst.sh. I tried this in Ubuntu 8.10, and had some trouble: the device was recognized as /dev/mmcblk0 and the partition as /dev/mmcblk0p1, a designation that shell script got mixed up on. Running the script on the EEE’s previous OS, Xubuntu 8.04, the device and partition were recognized as /dev/sda and /dev/sda1, and I encountered no further problems.
Once we boot into BackTrack, we configure and install cryptsetup:
cd ~ wget http://luks.endorphin.org/source/cryptsetup-1.0.5.tar.bz2 tar -xvf cryptsetup-1.0.5.tar.bz2 cd cryptsetup-1.0.5 ./configure make make install
Next, we create a .lzm file for cryptsetup to ensure that it will be available each time we boot:
mkdir -p usr/include usr/lib usr/man/man8 usr/sbin usr/share/locale/de/LC_MESSAGES cp /usr/include/libcryptsetup.h usr/include/ cp /usr/lib/cryptsetup usr/lib/ cp /usr/lib/libcryptsetup.* usr/lib/ cp /usr/man/man8/cryptsetup.8 usr/man/man8/ cp /usr/sbin/cryptsetup usr/sbin/ cp /usr/share/locale/de/LC_MESSAGES/cryptsetup.mo usr/share/locale/de/LC_MESSAGES/ tar -zcvf cryptsetup.tgz usr/ tgz2lzm cryptsetup.tgz cryptsetup.lzm cp cryptsetup.lzm /mnt/sda1/BT3/modules/ # my mountpoint was /mnt/sda1, yours probably is too
Now we have cryptsetup available in the live environment. Next step is to format the EEE’s internal SSD. I set up one primary filesystem, recognized as hdc1. We’ll be formatting this with cryptsetup using a secure passphrase.
cfdisk # to set up the partition umount /dev/hdc1 cryptsetup luksFormat /dev/hdc1 cryptsetup luksOpen /dev/hdc1 root_dir mkfs.ext2 /dev/mapper/root_dir
And now we have an encrypted partition on the SSD. Next mount it and copy the existing BackTrack /root files.
mkdir /mnt/root_dir mount /dev/mapper/root_dir /mnt/root_dir cp -a /root /mnt/root_dir mv /mnt/root_dir/root/* /mnt/root_dir/root/.* /mnt/root_dir/ rmdir /mnt/root_dir/root
And we’re almost done. We’ll create a script to make it easy to mount our /root every time we boot. Create a file in /root/root/decrypt_root.sh with the following contents:
#!/bin/bash cryptsetup luksOpen /dev/hdc1 root_dir mount /dev/mapper/root_dir /root
Finally, create an .lzm file for the script.
cd ~ tar -zcvf decrypt_root.tgz root/ tgz2lzm decrpyt_root.tgz decrypt_root.lzm cp decrypt_root.lzm /mnt/sda1/BT3/modules/
And we’re finished. If all goes well, when you restart your machine you will have this script in your /root directory, and once run it will mount your encrypted SSD partition to /root. From this point, you can issue a ctrl-alt-backspace and re-login, and startx if you’d like. Welcome to a world of BackTrack possibilities!
Respond to this post