Tuesday, February 14, 2012

Installing BackBox Linux with LVM and (nearly) complete encryption

Abstract

The idea is to install BackBox with full disk encryption and LVM.
BackBox Linux is a penetration testing distribution based on Ubuntu Linux, or more precisely on Xubuntu Natty Narwhal (11.4 LTS), so it is based on XFCE and not on Unity or KDE.
Ubuntu offers neither LVM nor an encrypted installation out of the box, and BackBox is no different. So it's time for some tricks.

Background

I own a netbook and I prefer to encrypt it. I used to install Backtrack 5 R1 back when I got the netbook. BT is mainly a great penetration testing distribution. But as a matter of fact it is also great for general network analysis/troubleshooting and related stuff which I like to use it for (you know those friends: "can you help me get my WLAN working?").
Since you can lose a netbook faster than a normal PC, I decided to set up disk encryption so that when I lose it or someone needs my equipment more than I do, I won't also lose all my information. I followed Backtrack 5 – Bootable USB Thumb Drive with “Full” Disk Encryption to set up my little Acer.
Now don't get me wrong, BT is great. It's a tested and well-made distribution initially based on Ubuntu. But after a release there is not much done with the OS: the applications receive updates, but there are no security fixes for the OS. From the penetration testing perspective this is OK - run it just for your tests via Live-CD or USB and afterwards go back to your usual OS. But if you use it as an installed OS you would like to have it patched too, especially against critical (local) bugs like http://www.exploit-db.com/exploits/18411/. Debian patches those bugs, and Ubuntu then does too. Backtrack won't do it because of their philosophy. I can understand this but I need something else.
So one day I stumbled across the Securitytube Tools site and found BackBox. At first I was thinking of a BlackBox/FluxBox based distribution but learned it's XFCE! That was my first desktop environment when I started using Ubuntu 5 years back (before that I used almost every other non-tiling WM/DE available). BackBox is packed in Italy, so basically my 2nd Italian distribution. The first one was (only as live medium since it is for forensics) DEFT Linux.
After playing around a bit with BackBox I found it nice to handle. As written above, it offers neither disk encryption nor LVM in its basic install routine. Also, I already have some data on my disk which I don't want to destroy and also don't want to back up first (I know, I know... lazy guy sometimes). Luckily /home is a separate logical volume and I have some data volumes too. So just install BackBox to / and /boot and I should be done. But that needs some testing first to ensure everything will run fine.

Prerequisites

  • A virtual machine powered by Virtual Box with 8GB disk and 768MB RAM
  • An ISO of BackBox 2.0.1 amd64
  • some background knowledge about cryptsetup, LVM under Linux, filesystems and ubiquity (the Ubuntu installer)
  • recordmydesktop for making a video 
  • some "still looking for a working one" video editing program under linux and some time to work on that video. Also patience and some more learning.
Note from the real world: Netbooks usually have no CD drive, so I needed to put the ISO onto a USB stick. This caused some stress since my 2 free sticks wouldn't boot directly after the preparation via unetbootin. It seems that one stick is really broken somehow, and I needed to format the other before I was able to boot it directly and install everything.

Documentation


After the BackBox boot you should (if it applies) change your keyboard layout and choose the best mirror. You will need a working network connection. Then open up a terminal window.


Note: The following steps can easily damage/break your system. If you are not sure what a step means, just don't do it, and don't start before you are sure you understand every single step in the document. For this writing I assume you have a completely blank system. If you are doing this on a live system, please be very careful and be sure your backups are working! Additionally: test, test, test beforehand.


Let's start. Become root with

sudo -s

lvm2 is not included in the base install, so we need to install it

apt-get update
apt-get install lvm2

After this we need to create some partitions using fdisk on sda (my hard disk). The installer is not capable of doing this the way we need it, but it will see the existing partitions/filesystems:

fdisk /dev/sda

I created a small primary partition sda1 (300MB is enough) and used the rest for another primary partition sda2. The partition type on sda1 is 83 (Linux) and on sda2 8e (Linux LVM). sda1 is marked as active partition.

Now we can save this and start with the activation of the encrypted device.
First format the partition (use uppercase YES and a secure passphrase - please remember that following my instructions you will end up with an English keyboard layout at boot time, which may be different from your native keyboard).

cryptsetup luksFormat /dev/sda2

Now open the device and map it to the name crypt:

cryptsetup luksOpen /dev/sda2 crypt

So the encryption is running on that device. Next we need to create a volume group (I used cryptvg but any other name is good too) and logical volumes with filesystems. The installer will tell you that you need at least 4.2GB of space. The good thing is that you can extend all volumes in LVM on the fly later. Please note that you don't create the physical volume on /dev/sda2 (as you would without encryption) but on the mapper device /dev/mapper/crypt!

pvcreate /dev/mapper/crypt
vgcreate cryptvg /dev/mapper/crypt
lvcreate -L 5G -n rootlv cryptvg
lvcreate -L 500M -n swaplv cryptvg
lvcreate -L 500M -n homelv cryptvg


Now create the filesystems:

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/cryptvg/rootlv
mkfs.ext4 /dev/cryptvg/homelv
mkswap -f /dev/cryptvg/swaplv

That's it! Now launch the installer and follow the normal instructions.


Important addition: Once you come to the step "Allocate drive space", choose "Something else"! I hope this is clear: the other disk partitioning options won't help you! Proceed with the steps below.
Use /dev/mapper/cryptvg-rootlv as your / (check "format partition") and /dev/mapper/cryptvg-homelv as /home. swaplv will be used automatically. /dev/sda1 is /boot (check "format partition").

After the install do NOT click reboot! Your system isn't aware of encryption and LVM yet! Use the "Continue testing" button.

Let's set up a chroot environment for the rest of the installation. You need to mount sys, proc and /dev into the chroot so that it can see the devices of your Live-CD system.

mount /dev/cryptvg/rootlv /mnt
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -o bind /dev /mnt/dev
mount /dev/sda1 /mnt/boot
chroot /mnt

In the chroot, you need to enable grub to recognize and decrypt your cryptdevice. Use any text editor you like (e.g. vi, nano) to edit /etc/default/grub. Change the line

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
to
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:crypt quiet splash"

Now we need to change the /etc/crypttab to use the UUID of /dev/sda2 as cryptdevice:

echo "/dev/disk/by-uuid/$(blkid -s UUID -o value /dev/sda2)" >> /etc/crypttab

Edit /etc/crypttab so that it looks like this (the crypt line is the added content):

# <target name> <source device> <key file> <options>
crypt /dev/disk/by-uuid/564606ec-3c60-4141-833e-463a67307141 none luks

The /dev/disk/by-uuid/... path should have been added automatically by the command above. Later you can change this entry to use a key on a USB stick or something else...
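
An added check, not part of the original post: the append command above only writes the bare by-uuid path, so a forgotten edit leaves a line the boot scripts cannot use, and this function catches that before the reboot. The function name check_crypttab and its exit codes are assumptions made for this example, and the sample file is constructed.

```shell
#!/bin/sh
# check_crypttab FILE TARGET UUID  -> exit status:
#   0 entry for TARGET is complete and points at the LUKS partition UUID
#   1 no entry for TARGET
#   2 entry incomplete (e.g. the bare by-uuid path left by the append step)
#   3 source is another device or an unstable /dev/sdX name
#   4 "luks" missing from the options field
check_crypttab() {
    file=$1 target=$2 uuid=$3 result=1
    while read -r name source keyfile options rest; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        # A line holding only the by-uuid path was appended but never edited.
        if [ -z "$source" ] && [ "$name" = "/dev/disk/by-uuid/$uuid" ]; then
            result=2; continue
        fi
        [ "$name" = "$target" ] || continue
        if [ -z "$keyfile" ] || [ -z "$options" ]; then return 2; fi
        case $source in
            "UUID=$uuid"|"/dev/disk/by-uuid/$uuid") ;;
            *) return 3 ;;
        esac
        case ",$options," in
            *,luks,*) return 0 ;;
            *) return 4 ;;
        esac
    done < "$file"
    return "$result"
}

# Demo on a constructed file; the UUID is the one from the post's crypttab line.
# On the installed system (inside the chroot) you would instead run:
#   check_crypttab /etc/crypttab crypt "$(blkid -s UUID -o value /dev/sda2)"
demo_uuid=564606ec-3c60-4141-833e-463a67307141
demo_file=$(mktemp)
printf '# <target name> <source device> <key file> <options>\n' > "$demo_file"
printf '/dev/disk/by-uuid/%s\n' "$demo_uuid" >> "$demo_file"
check_crypttab "$demo_file" crypt "$demo_uuid" || echo "before editing: status $?"
printf 'crypt /dev/disk/by-uuid/%s none luks\n' "$demo_uuid" > "$demo_file"
check_crypttab "$demo_file" crypt "$demo_uuid" && echo "after editing: ok"
rm -f "$demo_file"
```

The target name passed to the function must be the same mapper name used with luksOpen and in the grub command line (crypt in this tutorial).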

Now update the system (no dist-upgrade) and install lvm2 and cryptsetup:


apt-get update
apt-get upgrade
apt-get install lvm2 cryptsetup

This is the "lazy way" to update the initramfs and also update grub. The benefit is that your system will be upgraded, but after the reboot you will have to do another update. Somehow it isn't getting all the stuff.

Now you can enter exit or press Ctrl-D to leave the chroot and reboot the system. Once the system comes up you should be greeted with a prompt to enter your passphrase. Remember the English keyboard layout, type your passphrase, and the boot should proceed with a nice message saying that the cryptdevice was successfully unlocked. Once you are logged in, the encryption works completely transparently.

Looking forward

This tutorial should also work with other Debian/Ubuntu based distributions. I tested it with Ubuntu 11.10 and it works.

I hope that I manage to prepare my screencast on this tutorial, which will also show the installation itself. It will also clarify some points I just touched on without deeper explanation. Sorry for that, but 1. as mentioned above I am a lazy guy sometimes and 2. I would like to press you to understand what you do.

If you have an existing Ubuntu 11.4 installation you can also add the BackBox repository easily to your installation, look at the BackBox wiki. If you haven't set it up with encryption, you will need to follow this tutorial doing a complete new installation.
