Backtrack 4 – Bootable USB Thumb Drive with “Full” Disk Encryption
This is a step-by-step guide showing how to create a encrypted bootable Backtrack 4 USB thumb drive.
Before we get started, here are a few housekeeping items:
- There is a PDF version of this article available here.
- I also made a video of the process. It is here.
- Finally, if you want to be notified of updates to this page, subscribe to my RSS feed here.
I put quotes around full in the title because technically the whole disk isn't encrypted. We use LVM and the native encryption routines included in Ubuntu 8.10 to encrypt all partitions except for a small boot partition that never contains any data.
This is a fairly involved process, but I have done my best to document each detail. Please let me know if I missed anything or you have any questions. I can be reached via the contact form on the 'About' page of this website or via the comments below.
I strongly recommend you read through this guide at least once before starting. I will be making a PDF available in the near future.
As in all my how-tos, user entered text is bold and comments are preceded by a # sign and generally not part of the output of a command.
Finally, a couple of posts from the Ubuntu Community Documentation site were instrumental in getting this working.
https://help.ubuntu.com/community/EncryptedFilesystemOnIntrepid
https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto
WARNING: Before you start, please be aware that you can cause the system you are using to build this with to not boot correctly. During the install process below there is a warning about indicating where you want the boot loader to be installed. Be very careful at this point.
First we are going to need some stuff.
- A USB thumbdrive - minimum capacity 8GB
- A Backtrack 4 DVD or an additional USB thumbdrive (minimum 2GB, must be Backtrack 4)
- Optional: UNetbootin - A tool to transfer an iso image to a USB drive.
- Working internet connection once Backtrack 4 is booted.
Let's get started!
Let's grab a copy of the Backtrack 4 Pre Release ISO.
Description: Image Download
Name:: bt4-final.iso
Size: 1570 MB
MD5: af139d2a085978618dc53cabc67b9269
Now that we have the goods in hand, we can get to cooking. This tutorial is based on booting Backtrack 4 first. This means that you need some form of bootable Backtrack 4 media. This can be a virtual machine, DVD, or USB drive. Use your favorite method of creating a DVD or USB drive or you can use UNetBootin to create the thumb drive. Below is a screenshot of using UnetBootin to install Backtrack 4 on a USB drive.
It is as simple as selecting the image we want to write to the USB drive, the drive to write it to, and then clicking the 'OK' button. Warning: Make sure you pick the correct destination drive. You don't want to shoot yourself in the foot. 
Partitioning
The first step is the physical partitioning of the drive.
Boot up Backtrack 4 from your DVD or USB drive. We will need both networking and the graphical interface running. The following commands will get us there.
/etc/init.d/networking start
startx
We will also need to figure out which drive is our target drive. The following command will show the drives available and you can determine from that which is the new USB drive. Open a terminal windows and execute the following.
dmesg | egrep hd.\|sd.
We need to physically partition the target drive as follows:
- The first partition needs to be a primary partition, 100 MB in size set to type ext3. Also remember to make this partition active when you are creating it. Otherwise you might have some boot problems.
- The rest of the drive should be configured as an extended partition and then a logical partition created on top of it.
Below are the steps to take to get the drive partitioned. A '# blah blah' indicates a comment and is not part of the command and user typed commands are bolded. One note, we will need to delete any existing partitions on the drive. Final note, the cylinder numbers below are specific to my test machines/thumb drives, yours may be different.
fdisk /dev/sdb # use the appropriate drive letter for your system
# delete existing partitions. There may be more than one.
Command (m for help): d
Partition number (1-4): 1# create the first partition
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1044, default 1): <enter>
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1044, default 1044): +100M#create the extended partition
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (15-1044, default 15): <enter>
Using default value 15
Last cylinder, +cylinders or +size{K,M,G} (15-1044, default 1044): <enter>
Using default value 1044# Create the logical partition.
Command (m for help): n
Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (15-1044, default 15): <enter>
Using default value 15
Last cylinder, +cylinders or +size{K,M,G} (15-1044, default 1044): <enter>
Using default value 1044# Setting the partition type for the first partition to ext3
Command (m for help): t
Partition number (1-4): 1
Hex code (type L to list codes): 83# Setting the first partition active
Command (m for help): a
Partition number (1-4): 1Command (m for help): w
It is now time to get a couple additional packages installed that we need for LVM and encryption. First we need to update the local repositories and then install lvm2 and hashalot. Output has been ommitted.
apt-get update
apt-get install hashalot lvm2
Our next step is to enable encryption on the logical partition we created above and make it available for use.
Before we do that though, there is an optional step we can take if we want to make sure no one can tell where our data is on the drive. It isn't really necessary since anything written will be encrypted, but if we want to be thorough and make sure no one can see where our data even sits on the drive, we can fill the logical partition with random data before enabling encryption on it. This will take some time, as much as a couple hours or more. Execute the following command:
dd if=/dev/urandom of=/dev/sdb5
The following commands will setup encryption services for the partition and open it for use. There are several ciphers that can be used, but the one indicated in the command is supposed to be the most secure and quickest for Ubuntu 8.10. Please note that the case of the command luksFormat is required.
cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sdb5
WARNING!
========
This will overwrite data on /dev/sdb5 irrevocably.Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter passphrase) [type passphrase]
Verify passphrase: (repeat passphrase) [type passphase]
Command successful.cryptsetup luksOpen /dev/sdb5 pvcrypt
Enter LUKS passphrase: [type passphrase]
key slot 0 unlocked.
Command successful.
Now that that's all done, we can create our root and swap partitions using LVM. Again, the commands below will do so. 7.3 GB was the largest I could make my root partition. Play around with it a little and you may be able to make it a bit larger or you may have to make it a bit smaller.
pvcreate /dev/mapper/pvcrypt
Physical "volume /dev/mapper/pvcrypt" successfully created
vgcreate vg /dev/mapper/pvcrypt
Volume group "vg" successfully created
lvcreate -n swap -L 512M vg
/dev/cdrom3: open failed: Read-only file system. # this is normal
Logical volume "swap" created.
lvcreate -n root -L 7.3G vg
/dev/cdrom3: open failed: Read-only file system. # this is normal
Logical volume "root" created.
The final step is to format the logical volumes we just created. I have not included the output below for brevity's sake.
mkswap /dev/mapper/vg-swap
mkfs.ext3 /dev/mapper/vg-root
Believe it or not, we are finally ready to start installing Backtrack. To do, click on the install.sh icon on the desktop. This will start the graphical installer.
WARNING: You must click on the advanced tab on the next page and select your USB drive as the target for installing the bootloader. You will break your system if you do not.
We have now installed the main distribution to our thumb drive. The next step is to configure the newly installed system to use LVM and open the encrypted partition.
However, before we do that we need to figure out the UUID of our encrypted volume. We want to do this so that we don't run into problems if the device name of the drive changes from machine to machine. The command vol_id will give us the information we need. So execute vol_id as below.
vol_id /dev/sdb5
ID_FS_USAGE=crypto
ID_FS_TYPE=crypto_LUKS
ID_FS_VERSION=2
ID_FS_UUID=09330b5a-5659-4efd-8e9d-0abc404c5162
ID_FS_UUID_ENC=09330b5a-5659-4efd-8e9d-0abc404c5162
ID_FS_LABEL=
ID_FS_LABEL_ENC=
ID_FS_LABEL_SAFE=
Make a note of the ID_FS_UUID value which is in italics above. We will need it later. Note: your output will be different than mine.
Now time to configure our newly installed system. The first thing we have to do is make the newly installed system active so we can make changes to it. We do that by mounting the partitions and chrooting to it.
mkdir /mnt/backtrack4
mount /dev/mapper/vg-root /mnt/backtrack4
mount /dev/sdb1 /mnt/backtrack4/boot
chroot /mnt/backtrack4
mount -t proc proc /proc
mount -t sysfs sys /sys
To make everything truly operational, we can mount /dev/pts, but every time I try I have problems unless I reboot first. That is a real pain, so I just don't mount /dev/pts. We will get a couple warnings/errors as we go along, but they do not affect our install.
The magic to making all this work is to rebuild the initrd image that is used to boot our system. We need to include some things, load some modules, and tell it to open the encrypted volume, but first we have to go through the whole process of installing software again. We have to do this because we are essentially right back where we started when we booted the live cd. Do the following again.
apt-get update
apt-get install hashalot lvm2
The next step is to configure how initramfs-tools will create our initrd file. We do this by added two scripts and editing the modules file. I have added the text of the scripts here, but also provided a command that will grab them from my website.
The first script we need to create is /etc/initramfs-tools/hooks/pvcrypt. This script will copy the needed files for the initrd image. Executing the following will get the script where it needs to be.
cd /etc/initramfs-tools/hooks
wget -O pvcrypt http://www.infosecramblings.com/hooks-pvcrypt
The contents of the script should look like this.
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
if [ ! -x /sbin/cryptsetup ]; then
exit 0
fi
. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/etc/console-setup
cp /etc/console-setup/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
copy_exec /sbin/vol_id /sbin
The next script we need to create is /etc/initramfs-tools/scripts/local-top/pvcrypt. This script tells the system to open the encrypted volume and requests the passphrase. Executing the following will get the script where it needs to be.
cd /etc/initramfs-tools/scripts/local-top
wget -O pvcrypt http://www.infosecramblings.com/local-top-pvcrypt
Unlike the first script, you will need to edit this script to point to your encrypted volume. This is where the UUID we found earlier comes in. Replace the word UUID with the value you noted above.
PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac
/bin/loadkeys -q /etc/console-setup/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb sha256
modprobe -Qb aes_i586
modprobe -Qb xts
# The following command will ensure that the kernel is aware of
# the partition before we attempt to open it with cryptsetup.
/sbin/udevadm settle
sleep 10
if grep -q splash /proc/cmdline; then
/bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/disk/by-uuid/UUID pvcrypt
Both scripts need to be executable.
chmod +x /etc/initramfs-tools/hooks/pvcrypt
chmod +x /etc/initramfs-tools/scripts/local-top/pvcrypt
The final change we need to make before rebuilding initrd is to edit the /etc/initramfs-tools/modules file and add a couple encryption modules. This will make sure they are copied into the initrd image. We can do this one of two ways. We can use our favorite editor and add the following lines to the bottom of the file and save it.
aes_i586
xts
or use a wget command like above.
cd /etc/initramfs-tools
wget -O modules http://www.infosecramblings.com/initramfs-modules
Either way, your /etc/initramfs-tools/modules file should look like this:
# List of modules that you want to include in your initramfs. # # Syntax: module_name [args ...] # # You must run update-initramfs(8) to effect this change. # # Examples: # # raid1 # sd_mod fbcon vesafb aes_i586 xts
Now it's time to rebuild our initrd image.
update-initramfs -u
If all goes well, you are now ready to cross your fingers and reboot. The system will start to boot then ask you for your LUKS passphrase. Type that bad boy in and, if all goes well, your system will boot.
If, however, you run into any problems, you don't have to start over. As long as your encrypted volume is built correctly and you have the correct LUKS passphrase, you can get back to the place you were with the Live CD. Simply boot with the original Live CD/USB drive and enter the following.
/etc/init.d/networking start
apt-get update
apt-get instal hashalot lvm2
cryptsetup luksOpen /dev/[your logical partition] pvcrypt
mkdir /mnt/backtrack4
mount /dev/mapper/vg-root /mnt/backtrack4
mount /dev/[boot partition] /mnt/backtrack4/boot
chroot /mnt/backtrack4
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
You can now do any trouble shooting you need to do and try to reboot again. One note, if you want to check the UUID of your partition, do it before you chroot.
Once you have a booting system, you are ready to login. The default userid is root and the default password is toor. You are now ready to login and being playing. Don't forget to change the root password as soon as you login the first time.
That's it. You can make some final tweaks if you want like setting the network to start automatically and starting KDE at boot, but for all intents and purposes you have successfully installed Backtrack 4 to USB drive and don't have to worry about sensitive information being intercepted if it gets lost of stolen.
Good luck!
-Kevin
Backtrack 4 – Bootable USB Thumb Drive with “Full” Disk Encryption by Kevin Riggins is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
Permissions beyond the scope of this license may be available at http://www.infosecramblings.com/about/.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=1fba856b-5f2c-4c0a-ab8b-2732ede0b8ab)
{ 1 trackback }
{ 186 comments… read them below or add one }
← Previous Comments
Is it possible to format the free space as NTFS and use that partition on windows?
@kriggins,
After reading your post, I started playing around with partitions, making some additional check that they were all unmounted, and trying with different USB ports... at the end, I relaunched the install process and both drives were magically recognized!
Sorry for annoying you with that, I should have tried harder
Many thanks!
Jack
I also receive this error:
"
device-mapper:table:253:0:crypt:Error allocation crypto tfm
command failed. No key available with this passphrase
"
I tried booting with the livecd, and then seeing if I can open the encrypted portion, same error. This has happened to me twice (starting from scratch both times)
Greetings from Sweden! I just wanted to say thank you for this guide. It worked like a charm! Much appreciated you took the time to make this.
Mattias
Hello i have been having a problem , all the procedure until the installation is exactly as above no problems there but when i go in the manual install no partitions are made in the flash drive , i tried with an 8G and a 16G flash drive no luck. And also if i proceed with the installation then during the installation a get a fatal error and the hole procedure stops.Everything works up until that moment and i don't what it could be, any thoughts?
I tried following the instructions while booting from a dvd, had some issues arise while installing hashalot and lvm2 apt-get returned an error regarding "update-initramfs disabled" because of using a live cd environment. a possible workaround is to replace the update-initramfs binary e.g
cd /usr/sbin/
mv update-initramfs update-initramfs.old
ln -s /rofs/usr/sbin/update-initramfs /usr/sbin/update-initramfs
this must be done before installing hashalot and lvm2.
In the end I found running backtrack4 in VirtualBox (installed not live disc) worked best and returned no errors throughout the process. In the end this was an awesome "how to" thanks for the work.
@nate,
That is not actually an error. The programs get installed correctly. The update-initramfs runs fine once we have installed Backtrack to the target drive and then chrooted to it. That error is only because the install process tries to rebuild the initrd image and can't because it is running from a read-only medium.
-Kevin
@dan,
I'm not sure what you are asking. The how-to calls for using all space on the target drive. If you have a large enough drive, say 16 GB or bigger, you could setup a partition that is FAT or NTFS formatted to use with Windows, but you would lose the encryption option for that partition.
The error you received means that some step in the process was missed or didn't work correctly. The required encryption modules are no in the initrd image on the drive. Usually, redoing the install carefully will take care of this.
@Mattias,
Thanks!
@Athbot,
Make sure you are deleting any partitions on the target drive before you try to create the new ones. Sometimes you have to delete the partitions, write the table to the drive, quite fdisk, reboot and then create the new partitions.
-Kevin
@capron,
I don't know if the method you found for 9.10 will work for this. Give it a try and let us know.
-Kevin
Thanks a lot for the guide, it was really helpful (especially the scripts part) which would have been very difficult to figure out alone.
And just FYI i did the install on a HD and not on a USB stick with only minor adaptations and it works like a charm.
Thanks again.
Ulrick
@Ulrich,
Thanks. I'm glad it worked well for you. I really should add a note that this method works for hard drive install as well as thumb/SD/USB drives.
Kevin
Awesome, works for me. Thanks for your help!
@daniel,
You are welcome. Thanks for the feedback.
Thanks for the guide. Real cool .
Great guide and videos...Thanks for taking the time to put this out here.
@Justitia and @vtwin1800,
Thank you for the comments and I'm glad you found the guides helpful.
Kevin
it appears to me that you made 2 partitions in this guide. sdb1 and sdb2. where does sdb5 come from? If this is an obvious thing please forgive my ignorance i am still getting used to linux.
yeah i didn't read very good, my bad...
pvcreate /dev/mapper/pvcrypt
Device /dev/mapper/pvcrypt not found (or ignored by filtering)
any thoughts?
once again as soon as i post i find my mistake...
works a treat! usb install went so well in fact, i'm doing the same with my laptop next
thankyou very much for this tutorial, very useful, appreciate =)
I am not sure what I did wrong but I am getting:
"Command failed: Can not access device" after I reboot.
@kyle,
That is usually indicative of the mistyped UUID or other problem. Try the troubleshooting tips at the end of the how-to to make sure you can mount the device outside of booting and then double-check the /etc/initramfs-tools/scripts/local-top/pvcrypt script for the correct UUID or device name.
You can paste it here if you would like me to take a look.
-Kevin
I'd like to say thanks for the guide, one of the most thorough ive read in a while.
Just getting a few problems:
Im getting "operating system not found" when trying to boot, could be a mistake in my installation, but ive had it on the 2 different devices i have tried to install on. Although when manually editing the boot partition in the install process, i get a different window than the one in your screenshot, more.. basic.
Could be related but im getting the error "Command failed: Can not access device" when doing "update-initramfs -u" when i have chroot'd onto the usb stick.
Will try a full reinstall again, i just dont want to keep repeating the 3 hour wait while filling the partition with random data, or the hour or so wait while installing.
Any thoughts on the errors?
@pyros,
The problem with the update-initramfs command concerns me because it means that things are not getting written correctly to the usb device.
The no operating system found could be related to that or to the final step when you select the device to install the boot loader to. Make sure you are picking the correct device.
Finally, you only have to write random data once. No need to do it again.
-Kevin
The no operating system found could be related to that or to the final step when you select the device to install the boot loader to.
Regarding that, am i meant to select the device (sda) or the boot partition of the device (sda1)? The guide shows the device itself, so i chose it, but just to be clear
No need to do it again
Good to know
Ill get back to here when ive reinstalled
Hey thanks for this guide... unfortunately i am getting an error where it finds the UUID I put in but then it says attempting to resume from... with a UUID that is diff than mine.. it then says doing a normal boot... then just sits there.... nothing else.
any ideas?
Also did anyone;s install take like 2 hours? on a gen one macbook?
@pyros,
You select the device itself.
@Andrew,
That resume message is normal and shouldn't be causing any issues. Is this happening after you have enter your LUKS key or before. I can't speak to the gen one macbook specifically, but it does take quite a while for an install to finish on my laptop, even when I don't write random data to the drive.
-Kevin
Seems my first problem was an error with the bios - it was counting my usb drive as a hard drive, which pushed it down to second priority and so didnt boot.
After reinstalling, update-initramfs did work, so i have no idea what was wrong with it.
Many thanks for the assistance and the guide, i now have a smooth running OS on my USB stick
Kevin, the resume msg is happening after i put in the key.. am i not waiting long enough.. also i skipped the writing random data part of the guide
If you don't get a can't access device error then you should be okay. I'd give it a least a few minutes to boot just to see if that's the problem.
Kevin
Ok tried again... it says boot from dev (blah, blah) then my UUID..
then asks for key.... enters fine
kinit: name_to_dev_t( blah/blah/ NOT my uuid)
resuming from (also not my UUID)
no resume file found
starting normal boot
then nothing
ive let it sit now for 15 mins.. nothing
OK booted into a vmware backtrack session to try to repair
after running the hashalot and lvm updates i ran
#cryptsetup luksOpen /dev/sdb pvcrypt
Enter LUKS passphrase: (my password)
Command failed: No key available with this passphrase.
never mind last comment it needed to be sdb5.. ok now im checking the uuid in the script to make sure that isnt the issue
here is my pvccrypt
PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac
/bin/loadkeys -q /etc/console-setup/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb sha256
modprobe -Qb aes_i586
modprobe -Qb xts
# The following command will ensure that the kernel is aware of
# the partition before we attempt to open it with cryptsetup.
/sbin/udevadm settle
sleep 10
if grep -q splash /proc/cmdline; then
/bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/disk/by-uuid/eef9d0f6-88a6-4341-847a-48587882a3af pvcrypt
@Andrew,
That file looks good. One thing you can try is to change the /dev/disk... line to be /dev/sdb5 and see if that works. It definitely shouldn't sit for 15 minutes.
I have had several people who, for whatever reason, have had problems with their first install, but starting over has worked. Something to consider.
Kevin
Hi,
After enable encryption the BT installer run but close in the 3rd screen (Prepare disk space) without notice.
I start from scratch and the same happens. Any idea? (Lenovo 3000 N200)
Regards
@John,
I don't know what might be causing that behavior. Maybe try a different USB thumb drive.
-Kevin
Hi,
Iam trying to do with HDD no USB.
Error: the kernel is unable to re-read the partitiontable.... vg-swap
regards,
@John,
You might try performing the initial partitioning step. Rebooting, installing lvm2 and hashalot and then encrypting the device and creating the logical volumes.
Not sure why you would be getting that error on vg-swap since it isn't a partition, but a logical volume.
-Kevin
Hi,
thx for reply. this laptop is using Hitachi HDD (HTS54168). According to System>Gparte>Show features
linux-swap Read, Check, Label (not available)
ext2/ext3 are ok.
any ideas?
Hi,
It seems there's an issue when creating root logical volumen:
After i created swap logical volume i use "vgdisplay" to see the "Free PE" available, so i used "lvcreate -n root -l yyy vg" instead. Replace "yyy" with Free PE
I still have to finish the gui install ... i'll let you know of any issues.
Regards,
J
im not sure which thumdrive to down load back track to, which one to do the partition on, and which one to instal it on. please get back to me asap i really want to try this sofeware.
@marcel,
Careful reading of the how-to will provide you with all the answers you need, but, in short, you install Backtrack using Unetbootin to one device, boot from it and perform all other actions to the second device.
The first device can be 2GB or larger, but the second must be at least 8GB or larger.
Again, read all steps very carefully, particularly when partitioning and installing the bootloader. These two steps can cause your system OS to not boot if done incorrectly.
-Kevin
Hi,
Everything is working fine! Thx for this great tutorial!
One thing i have noticed is that "creation of a second account" (non-root) is skipped? installer jump from step 4 to 7.
i guess after BT is installed i just create a regular account using: "adduser useraccount" ... right?
Best regards,
J
@John,
You can add a non-admin account if you want just like you indicate. For Backtrack and the uses I have for it, I just run as root.
Kevin
When doing "update-initramfs -u" at the end. I got the "update-initramfs is disabled since running on a live CD". What do I do then? Thanks!
@Matthew,
It looks like you missed the chroot step. Go back to that point in the how-to and repeat all the steps after chrooting.
Kevin
OK, I finally got the LUKS part to work, but after saying "Command successful.", it dumps:
Gave up waiting for root device. Common problems:
- Boot args (cat /proc/cmdline)
- Check rootdelay= (did the system wait long enough?)
- Check root= (did the system wait for the right device?)
- Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/mapper/vg-root does not exist. Dropping to a shell!
...and then I get a (initramfs) prompt.
Any ideas?
@derek,
It looks like maybe the lvm modules didn't get copied into the initrd image. You might try the troubleshooting options at the bottom of the post and redoing the apt-get install lvm2 and update-initramfs commands.
-kevin
← Previous Comments