Installing backtrack on encrypted partition with luks

Hackers For Charity

Before you start please note that this process will format any data you have. Have a full backup of your system before you begin. Be sober while you are doing this please. I have tested the tutorial for backtrack 4 pre-final, backtrack 4 final, backtrack 5 and backtrack 5 r1.
Kindly note that my hardisk setup may be different than yours. I want to install backtrack as follows:

/dev/sda1 —– /boot partition
/dev/sda2 —– /root partition

My /root partition will be encrypted with luks such that in order for me to boot, i will have to enter a password.Boot with a live cd and proceed as follows
Kindly remember to change your partitions as necessary

Format the /root partition with luks. Enter the password you want to be using at startup.credits to opox90 for noting we need to use sha2 instead of sha1

root@bt:~# cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdXX

Open the partion for mounting. Enter the password you entered above

root@bt:~# cryptsetup luksOpen /dev/sdXX root

Format the container with ext3 filesystem. You can use whichever linux filesystem you are comforable with

root@bt:~# mkfs.ext3 -j -O extent /dev/mapper/root

After this is done, run the backtrack installer( on backtrack desktop. Double clicking it should do.
Select your country.
Select the keyboard layout.

Then we now go to partition the disk . Select manual and click next

Select the partition for boot, for me thats /dev/sda1. Click “edit partition” and then set the options. In my options, i use ext3 as the file system, i choose to format the partition and the most important bit is that i set the mountpoint as /boot

Select the partition for root, for me thats /dev/mapper/root. Click “edit partition” and then set the options. In my options, i use ext3 as the file system, i choose to format the partition and the most important bit is that i set the mountpoint as /root

My final setup for the install looks as below. I know, my hardisk is rather small 🙂

When you click next, you will get a warning about swapspace. I personally opt not to have swapspace. I have enough memory to run backtrack and a few virtual machines. Click “continue”

The next bit is important. Click “Advanced” .It is the location backtrack will install the bootloader. I usually install the bootloader to hd0 but you can install it to the linux partition. Even if you have windows, you can install the bootloader to hd0, and when it comes time to boot, you will be presented with options as to which os to boot.

You are now set for the install. Click install and wait for the backtrack install to finish. After its done, click the “continue using the live cd”
We need to make a few changes before we exit the live cd

root@bt:~# mkdir /mnt/root
root@bt:~# mount /dev/mapper/root /mnt/root/

Mount the /boot partition

root@bt:~# mount /dev/sdXX /mnt/root/boot
root@bt:~# mount -t proc proc /mnt/root/proc/
root@bt:~# mount -o bind /dev /mnt/root/dev/
root@bt:~# chroot /mnt/root/ /bin/bash

Using a text editor like vi or nano, edit the /etc/crypttab and add the /root partition here

root /dev/sdXX none luks

Using a text editor like vi or nano, edit the /etc/fstab file. Remove any other lines you will find and leave your file in the below order. Replace the XX with your partitions

/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
/dev/sdXX /boot ext3 defaults 0 0

Using a text editor like vi or nano, edit the /etc/initramfs-tools/modules file and add the following modules to the end of the file


Create the new initrd image

root@bt:~# update-initramfs -k all -c

Install grub to your harddisk. Use the device name and not a partition e.g /dev/sda

root@bt:~# grub-install /dev/sdX

root@bt:~# exit

root@bt:~# reboot

Your /root partition should now be encrypted and you will be asked a password when booting to decrypt it.

Credits to esc201, who wrote a good tutorial on encrypting the disk with bt4-prefinal.

This entry was posted in Uncategorized. Bookmark the permalink.

14 Responses to Installing backtrack on encrypted partition with luks

  1. Chimp says:

    when i do
    update-initramfs -k all -c
    it shows cannot find /lib/modules/
    where am i doing wrong ?

  2. watathi says:

    @chimp, the reason you are getting the errors is because backtrack 5 uses kernel 2.6.39. The errors therefore are expected but will not affect the system .As long as you didn’t get an error when generating the initrd for 2.6.39

  3. iain says:

    Hi great tuturial. just a couple of question’s: does “sdXX” mean sda2 in your example or do you type sdaXX
    Mount the /boot partition
    root@bt:~# mount /dev/sdXX /mnt/root/boot
    and next question
    aes-i586 would i change this to aes-i686 for a inet i7 cpu
    many many thanks Iain

  4. iain says:

    inet should say intel sorry

  5. iain says:

    also if you wanted to swap would you just use:
    cryptsetup luksFormat /dev/swap ?

    • watathi says:

      Yes the sdXX means something like sda2 . The reason I have to put the two XX is so that somebody can remember to replace those values themselves.
      Also change the i586 to fit your correct architecture. For swap right now, I have not yet managed to get an encrypted swap partition but the problem would be initialising it before boot. I will check and revert back

  6. op0x90 says:

    you should replace cryptsetup luksFormat /dev/sdXX
    with: cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdXX
    Because using “cryptsetup luksDump /dev/mapper” show’s cryptsetup luksFormat /dev/sdXX
    will use the default sha1 which any1 using ati gpu hash cracking rig(such as a bitcoin mining rig) would crack the sha1 hash in hours.

  7. ncx7 says:

    When I do: update-initramfs -k all -c
    I get: update-initramfs is disabled since running on read-only media

    Then when I try: grub-install /dev/stb
    I get: usr/sbin/grub-probe: error: cannot find a device for /boot/grub (is /dev mounted?).
    No path or device is specified.

    Any idea what I need to do?

    • watathi says:

      M suspecting you missed this command. chroot /mnt/root/ /bin/bash When you chroot into the backtrack you have installed on the disk, you shouldn’t get the error. The error you have gotten about read-only media means you are doing update-initramfs from the dvd and not from the installed backtrack on disk.

      • ncx7 says:

        Thanks. That was very helpful and got me two steps further… I could swear I’d entered that command but apparently not. After reboot, however, I’m getting a new error: “/dev/mapper/root […] wrong fs type, bad option, bad superblock on /dev/sdb2 …”. (/dev/sdb2 is the unencrypted /boot partition.) This is followed by “mountall: mount /boot [780] terminated with status 32 […] Filesystem could not be mounted: /boot” Any idea as to what I’ve done wrong this time?

      • ncx7 says:

        Nevermind. Dumb mistake and it’s fixed. Thanks again for your help, Watathi.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s