Sunday, 7 August 2011

Backtrack 5 and Windows Dual Boot with Full Disk Encryption

This post will explain how to set up your computer in order to dual boot Backtrack 5 and Windows. The difficulty is to have both operating systems fully encrypted. This guide will be focused on Backtrack 5 (Gnome desktop) and Windows 7. It should be straightforward to follow this guide using a different version of Windows. If you want to install a different Linux distribution the instructions can differ significantly.

Truecrypt will be used to encrypt the Windows installation and dm-crypt with LUKS to encrypt Backtrack. To follow this guide you need to have the Windows and Backtrack installation CDs ready to use.

To clarify an important point: I use full disk encryption to protect my data in the event my laptop may be lost or stolen. It will not protect you in case an adversary forces you to reveal your password. For such situations you can use deniable encryption, which is also provided by Truecrypt.

Preparation

Format

Before we begin the installation we will perform an anti-forensic format of the complete hard drive. This is a fancy way of saying that we will use a tool to overwrite the complete hard disk with random data. It's needed because simply deleting all your files won't actually delete them. Instead they will be simply marked as deleted and may be overwritten with new data in the future. So an attacker might still be able to retrieve your supposedly deleted files.

Another problem is that it might be possible to retrieve your old data even if it has been overwritten with new data. This can for example be done with a technique such as magnetic force microscopy. To defend against these kinds of attacks we will overwrite the complete hard drive data several times with random data.

Because securely formatting the hard drive was not my main goal I personally used the tool shred. It's available in the backtrack live CD and can be started with "shred /dev/sda". Another tool you can use is DBAN, which is a live CD allowing you to securely wipe an entire hard disk.

Partitioning

Because the partition manager that is available during the installation of Backtrack is limited in functionality we will use gparted to partition the hard disk. So start the Backtrack live CD, open a terminal and type "apt-get install gparted" to install it. Then start it by executing "gparted".

Click on Device -> Create Partition Table. The default is to create an MS DOS partition and this is what we need, so click on Apply. Now we can create the partitions. At minimum you will need the following partitions:
  • One partition that will contain Windows. During the installation we will first use this space to install an unencrypted Backtrack system. Afterwards we will install Windows on it. Hence this partition must first be formatted as an ext4 partition and in the future we will format it to NTFS for Windows.
  • One ext4 partition that will contain the (unencrypted) files necessary to boot the encrypted Backtrack installation. A 370 MB ext4 partition will suffice.
  • Preferably, but not strictly necessary, one Linux swap partition. The ideal size depends on how much RAM you have. Since I have 4 GB RAM, around 800 MB swap space should suffice.
  • One ext4 partition that will contain the encrypted Backtrack installation. For this I have chosen a 20 GB ext4 partition.
As mentioned we will first install Backtrack on the partition that will eventually contain Windows. This is done because we can't directly install Backtrack on an encrypted partition. Therefore we will first install it to an unencrypted partition and then copy all the files to the encrypted partition. Once that is done we will format the Windows partition to NTFS and install Windows on it.

Depending on the size of your hard disk and preferences you can customize the number and sizes of the partitions. Anyway, I will now detail how to create these basic partitions. First select the unallocated space and click on Partition -> New. Fill in the options as shown below (the partition sizes may differ for you).


Create an extended partition for the remaining unallocated space. Now continue by creating the other partitions to your liking. I ended up with the following table which you can also use if you want (again, sizes may differ).


Click on Edit -> Apply All Operations to write the changes to disk. Close gparted. In the remainder of this guide I will use the device names as shown in the previous image. That is, the device names correspond to the partitions as follows:
  • /dev/sda1: Windows partition (temporarily used to first install Backtrack)
  • /dev/sda5: Unencrypted boot partition
  • /dev/sda6: Swap partition for Backtrack
  • /dev/sda7: Encrypted Backtrack partition
If you use a different partition scheme be sure to use the correct device names in the commands listed throughout this guide.

Installing Backtrack 5

Start the graphical installer of Backtrack 5 and fill in the correct information until you get to "Prepare disk space" where you must select "Specify partitions manually (advanced)".


In the next step click on /dev/sda1 and then on "Change" and select it to be an ext4 partition that mounts to /. Do not change the partition size!


Now do the same for /dev/sda5, so set it to ext4 but this time mount /boot. I have ended up with the following configuration:


When clicking on "Forward" it might tell you that some file systems are not marked for formatting but the files on it will nevertheless be deleted. Simply click on continue and proceed with the installation.

Once the installation has finished you can restart your computer to ensure everything is properly installed.

Downgrading to GRUB

At the time of writing this guide GRUB 2 is unable to chainload the truecrypt bootloader (at least to my knowledge and without annoying workarounds). For this reason we will downgrade to GRUB (grub legacy) which will be able to handle everything perfectly and offers the same functionality.

Start the Backtrack system you have just installed and open a terminal. To remove GRUB 2 execute "apt-get purge grub-pc". If it asks to remove all GRUB 2 files from /boot/grub select yes. Then execute "rm /boot/grub/core.img" to get rid of the remaining GRUB 2 files. Your computer won't be bootable until we install the old version of grub.

Install grub by executing "apt-get install grub". Configure grub to load during boot by executing "grub-install /dev/sda". Finally configure the grub boot menu by executing "update-grub". It should say "could not find /boot/grub/menu.lst ...". Enter yes to create the menu. Reboot the system to verify it boots properly.

Note: The grub menu will now display "Ubuntu 10.04.2 LTS" instead of Backtrack 5. At the end of this guide we will clean up this menu entry.

Encrypting Backtrack

Encrypted Partition

From your backtrack installation open a terminal. To be sure we have all the packages we need execute the command "apt-get install cryptsetup hashalot initramfs-tools". For Backtrack 5 only hashalot will be installed, as cryptsetup and initramfs-tools are already included in the default installation.

We have to create an initial ramdisk (initrd/initram) that contains all the necessary tools to boot a basic linux environment that will ask for your password and is able to decrypt the encrypted Backtrack partition during boot. An initial RAM disk is an initial root file system that is mounted prior to when the real root file system is available (which is in our case encrypted). We will create it using initramfs-tools.

To specify that the partition needs to be decrypted during boot execute the following single command:
echo "CRYPTOPTS=target=cryptoroot,source=/dev/sda7" > /etc/initramfs-tools/conf.d/cryptroot
This will create the file /etc/initramfs-tools/conf.d/cryptroot with the given line as its content. Execute "update-initramfs -u" to apply these changes. Now run the following commands to create an encrypted partition:
  • modprobe dm_crypt
  • modprobe sha256_generic
  • luksformat -t ext4 /dev/sda7
For the last command be sure to type an uppercase YES. Otherwise it will give the cryptic error message "Could not create LUKS device /dev/sda7 at /usr/sbin/luksformat line 63, <MOUNTS> line 15". If you get the error message "Device luksformat1 is busy" after the format has completed, execute "cryptsetup luksClose /dev/mapper/luksformat1". We now mount the newly created encrypted partition and copy our Backtrack installation to it. For this execute the following commands:
  • cryptsetup luksOpen /dev/sda7 cryptoroot
  • mkdir /mnt/target
  • mount /dev/mapper/cryptoroot /mnt/target
  • cp -avx / /mnt/target
Copying can take a while. Once completed open /mnt/target/etc/fstab and find the section that refers to the partition where the unencrypted Backtrack system was installed. It can be recognized by the line above it which contains "# / was on /dev/sdaX during installation". The line under it will look something like this:
UUID=00adfd86-26d7-445c-8d4a-e72b16400423 / ext3 errors=remount-ro 0 1
We need to change the UUID of it to the UUID of the encrypted partition. To get the UUID execute "blkid | grep /dev/mapper/cryptoroot". Once you know the UUID update the line with the new UUID.

Testing with GRUB

Before we continue we will add a temporary entry to GRUB to verify we can boot the encrypted Backtrack system. To do this edit /boot/grub/menu.lst and under the line "### END DEBIAN AUTOMAGIC KERNELS LIST" add the following lines:
title Cryptotest
root (hd0,4)
kernel /vmlinuz-2.6.38 root=UUID=<uuid> ro
initrd /initrd.img-2.6.38
boot
Here (hd0,4) stands for the boot partition. You can get the correct kernel version by looking at the lines between the DEBIAN AUTOMAGIC KERNELS entries. Replace <uuid> with the UUID of the encrypted partition, which can be found by executing "blkid | grep /dev/mapper/cryptoroot".

Reboot the system and press ESC to enter the GRUB menu during boot. Select Cryptotest from the menu. If something goes wrong restart and choose Ubuntu in the grub menu and try to figure out what went wrong. If you followed this guide everything should work.

Encrypted Swap

This step is best performed from the Cryptotest environment we just added to the grub boot menu. You can also perform it from the unencrypted Backtrack installation but then you must be sure to mount the encrypted partition and modify the correct files. This guide will assume you are running the Cryptotest option (i.e., the encrypted Backtrack system). The following procedure will make sure that the swap will also be encrypted. This is important because sensitive data can be written to the swap when using your computer.

We will first disable swap and destroy the filesystem on the swap partition. For this execute the following two commands:
  • swapoff -v /dev/sda6
  • dd if=/dev/urandom of=/dev/sda6 count=100
Open /etc/crypttab and append the following line to the file:
cryptoswap /dev/sda6 /dev/urandom swap
Now open /etc/fstab and replace the line under "swap was on /dev/sda6 during installation" with:
/dev/mapper/cryptoswap none swap sw 0 0
To test if everything is set up properly execute the following commands:
  • invoke-rc.d cryptdisks restart
  • swapon /dev/mapper/cryptoswap
Now the command "swapon -s" will show you the loaded swap partitions. It should contain the cryptoswap entry if everything is configured properly.

Final GRUB Config

Time to configure a proper GRUB menu. Open /boot/grub/menu.lst and remove the "Cryptotest" lines that you added earlier. Search for the line containing "# kopt=root=UUID=<uuid> ro" and replace the UUID with the UUID of /dev/mapper/cryptoroot. Remember that you can get this UUID by executing "blkid | grep /dev/mapper/cryptoroot". Once this is done execute the command "update-grub".

In my case the default splash screen prevented you from correctly entering the password during boot. For this reason we will remove the splash screen during boot. Open /boot/grub/menu.lst and remove the "quiet splash" from the first line in the entry for "Ubuntu 10.04 LTS, kernel 2.6.38". If you want to you can change the title to display Backtrack 5 instead of Ubuntu. As suggested by a commenter, you must also change "defoptions=quiet splash" to "defoptions=". This will make sure running update-grub will not re-add the "quiet splash" argument in the future. Optionally, if you want the grub boot menu to be displayed by default during boot, you can comment out "hiddenmenu" by changing it to "# hiddenmenu".
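
One way to catch a wrong root=UUID= before rebooting (an added example, not part of the original guide): it reads saved blkid output and a menu.lst, and flags every kernel line whose root=UUID= names the LUKS container, the unencrypted boot partition or swap instead of the filesystem under /dev/mapper. The UUIDs, file contents and function names are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that root=UUID= in menu.lst names the decrypted root
# filesystem. All UUIDs and file contents below are constructed sample data.

BOOT_UUID=11111111-1111-4111-8111-111111111111   # /dev/sda5, unencrypted /boot
LUKS_UUID=22222222-2222-4222-8222-222222222222   # /dev/sda7, LUKS container
ROOT_UUID=33333333-3333-4333-8333-333333333333   # ext4 inside the container
SWAP_UUID=44444444-4444-4444-8444-444444444444   # /dev/mapper/cryptoswap

# Write constructed blkid output and a menu.lst (one wrong entry, one correct
# entry) into directory $1.
make_samples() {
    cat > "$1/blkid.txt" <<EOF
/dev/sda5: UUID="$BOOT_UUID" TYPE="ext4"
/dev/sda7: UUID="$LUKS_UUID" TYPE="crypto_LUKS"
/dev/mapper/cryptoroot: UUID="$ROOT_UUID" TYPE="ext4"
/dev/mapper/cryptoswap: UUID="$SWAP_UUID" TYPE="swap"
EOF
    cat > "$1/menu.lst" <<EOF
# kopt=root=UUID=$ROOT_UUID ro
title Backtrack 5 (wrong: LUKS container UUID)
uuid $BOOT_UUID
kernel /vmlinuz-2.6.38 root=UUID=$LUKS_UUID ro
initrd /initrd.img-2.6.38
title Backtrack 5 (correct)
uuid $BOOT_UUID
kernel /vmlinuz-2.6.38 root=UUID=$ROOT_UUID ro
initrd /initrd.img-2.6.38
EOF
}

# uuid_info BLKID_FILE UUID: print "<device> <type>" for the UUID, or fail.
uuid_info() {
    awk -v want="$2" '
        {
            dev = $1; sub(/:$/, "", dev)
            uuid = ""; type = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^UUID=/) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
                if ($i ~ /^TYPE=/) { type = $i; gsub(/^TYPE="|"$/, "", type) }
            }
            if (uuid == want) { print dev, type; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_root_uuid BLKID_FILE UUID: succeed only if the UUID belongs to a
# filesystem on a /dev/mapper device that is neither a LUKS header nor swap.
check_root_uuid() {
    info=$(uuid_info "$1" "$2") || { echo "UUID not present in blkid output"; return 1; }
    dev=${info% *}
    fstype=${info#* }
    case "$fstype" in
        crypto_LUKS) echo "$dev is the LUKS container, not the filesystem inside it"; return 1 ;;
        swap)        echo "$dev is a swap device"; return 1 ;;
    esac
    case "$dev" in
        /dev/mapper/*) echo "$fstype filesystem on $dev"; return 0 ;;
        *)             echo "$dev is an unencrypted partition"; return 1 ;;
    esac
}

# check_menu BLKID_FILE MENU_LST: check every active kernel line (commented
# lines such as "# kopt=" are skipped). Returns the number of bad entries.
check_menu() {
    bad=0
    tab=$(printf '\t')
    entries=$(awk '
        $1 == "title"  { t = $0; sub(/^title[ \t]+/, "", t) }
        $1 == "kernel" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^root=UUID=/) { u = $i; sub(/^root=UUID=/, "", u); print u "\t" t }
        }' "$2")
    while IFS=$tab read -r uuid title; do
        [ -n "$uuid" ] || continue
        if msg=$(check_root_uuid "$1" "$uuid"); then
            echo "PASS  $title: $msg"
        else
            echo "FAIL  $title: $msg"
            bad=$((bad + 1))
        fi
    done <<EOF
$entries
EOF
    return "$bad"
}

# Demo run on the constructed sample files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_samples "$demo_dir"
check_menu "$demo_dir/blkid.txt" "$demo_dir/menu.lst" || echo "entries that would not boot: $?"
```

On a real system, save the output of "blkid" to a file while the encrypted partition is opened and pass that file together with /boot/grub/menu.lst to check_menu.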

Note: To finish the complete setup of Backtrack execute "apt-get update" and "apt-get upgrade" in order to update all the packages.

Installing Windows

Before we can install Windows we must create an NTFS partition where it can be installed. To do this boot your Backtrack installation (or do this from a live CD) and install gparted by executing "apt-get install gparted" and run it by executing "gparted".

Right click on /dev/sda1 which was the partition where you installed the unencrypted Backtrack installation. Select Format to -> NTFS. Then go to Edit -> Apply All operations to save changes to disk. If for some reason these steps didn't work for the first time and /dev/sda1 still showed up with a file system other than NTFS, simply format /dev/sda1 a second time and it should work.

You can now insert the Windows installation CD and reboot. Continue the Windows installer as normal until you get to "Which type of installation do you want?". Here select "Custom (advanced)". In the next screen select "Disk 0 Partition 1" and click on Next.


Once Windows has been installed download and install Truecrypt.

Start Truecrypt, click on System -> Encrypt System Partition/Drive. Choose normal, Encrypt the Windows system partition, Single boot, select your preferred encryption options (the defaults should be good), and continue with the installer while providing the information it needs. Be sure to create the rescue CD as this is very important in case the Truecrypt bootloader gets damaged. If it asks you to restart the system do so. During boot you should see the Truecrypt boot loader (we will soon restore the GRUB boot loader). It will ask you for the password, enter it and continue booting.

When Windows is started it should ask to encrypt the Windows partition. Click on Encrypt. This can take a while depending on the size and speed of your hard disk. Go get a beer, watch a movie, and take a break.

Once it's done you can verify everything still works by rebooting Windows.

Restoring GRUB

Boot from the Backtrack live CD. We will first copy the truecrypt bootloader as a file to the linux boot partition. To do this open a terminal and do:

  • Mount the boot partition by executing "mount /dev/sda5 /mnt"
  • Copy the truecrypt boot loader by executing the following two commands
    • dd if=/dev/sda of=/mnt/truecrypt.mbr count=1 bs=512
    • dd if=/dev/sda of=/mnt/truecrypt.backup count=8 bs=32256
We will now restore the grub boot menu by executing the commands:
  • apt-get install grub
  • grub
  • Execute "find /grub/stage1". This should output the line "(hdX,Y)" where X and Y are numbers depending on how you set up your partitions. These numbers will be used in the next commands. In my case the output is "(hd0,4)".
  • root (hdX,Y)
  • setup (hdX)
  • quit
Now let's add the truecrypt boot loader as an option to the grub loader. Open /mnt/grub/menu.lst in your favourite editor. Under the line "### END DEBIAN AUTOMAGIC KERNELS LIST" add the following lines:
title Windows 7
rootnoverify (hd0,0)
makeactive
chainloader (hd0,4)/truecrypt.mbr
boot
And there you go. You now have a dual boot between a fully encrypted Windows partition and a fully encrypted Backtrack 5 installation.

Sources

Inspiration was taken from the following sources and a few man pages, and I relied on some creativity to solve problems along the way.

Encrypted Ubuntu Partition
Reverting to GRUB Legacy
Restoring GRUB
Bug: Unable to enter password
Chainloading Truecrypt

35 comments:

  1. really nice guide you got there :-)
    worked great for me.

    just some minor changes i recommend:
    before booting to the "cryptotest" environment for the first time one should run "update-initramfs -u"

    the menu.lst boot entries need to start with a lowercase "title"

    when updating menu.lst in "Final GRUB Config" and setting kopt=root=UUID you might want to clear "defoptions=quiet splash" too, changing it to "defoptions=" this way the default entry (in this case bt) will be setup properly by running update-grub (otherwise it would get changed again every time you run update-grub)

    one might also want to comment out "hiddenmenu", changing it to "#hiddenmenu" so the boot menu will be displayed every time

    change "dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=0 bs=32256" to "dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256"
    or nothing is copied

    i think thats all. i let you know if i come across anything else :-)

    again nice guide! :-)

  2. @mv Thanks for the suggestions, they are included in the post now :)

  3. Nice guide, few nasty typos though:

    "cryptsetup luksOpen /dev/sda7 cryptoroot"

    You seem to use "cryptoroot" a lot though you used "cryptroot" earlier in

    "echo "CRYPTOPTS=target=cryptroot,source=/dev/sda7" > /etc/initramfs-tools/conf.d/cryptroot"


    And
    "luksformat -t etx4 /dev/sda7"

    needs to be
    "luksformat -t ext4 /dev/sda7"
    ofc.


    And it might be a good idea to make grub show the grub menu at the first "Cryptotest" by commenting the 'hiddenmenu' because on my laptop grub didn't want to show reactions for the ESC key for some reason.

  4. And maybe you could also add the following:

    http://www.backtrack-linux.org/forums/backtrack-5-bugs/40541-problem-initrds-cryptroot-when-unlocking-luks-root-during-boot.html

    As when typing the password for every character entered the above line gets repeated. Not severe but annoying ;)

  5. One more problem I encountered:
    After having installed Windows encrypted it etc (followed guide till end), when I tried to start Backtrack it would not boot cause inside the menu.lst there was the wrong uuid for the Backtrack entry.

    Before installing Windows it worked though, so one might have to redo the uuid adjustment (setting it to the encrypted partition again like told and done earlier in the guide) after re-installing grub after the Windows installation

  6. Hi,
    i am hopeless ... i get to the point where one should do the cryptotest ...
    i set the root at hd0,5 as the encrypted ext4 partition where i copied the backtrack files is on /dev/sda6

    title Cryptotest
    root (hd0,5)
    kernel /vmlinuz-2.6.38 root=UUID= ro
    initrd /initrd.img-2.6.38
    boot

    the i replaced with the one given by "blkid | grep /dev/mapper/cryptoroot" ... but i noticed, that this uuid is different as when i run gparted and i check-out informations about /dev/sda6 ... so i have try with both uuid, but everytime i get :
    Error 17: Cannot mount selected partition
    Press any key to continue ...

    can you please give me a hint about what i did wrong?
    thank You

  7. Are you using a custom partition scheme? Make sure "root (hd0,5) is correct". Also use the UUID returned by blkid corresponding to cryptoroot. It's been a while since I wrote this though, so I can't easily give detailed information. Did you follow the guide as explained or made some own modifications along the way?

  8. hi, and thx. yes i did everything as described here, except the partitioning ... i have my own scheme, but i double-checked that the root device and its uuid corresponds with my case ...
    I think the problem is that in the bootloader makes no attempt/call to decrypt the partition ... it does not ask for passphrase before trying to mount ...
    anyway, does not matter ... i am trying an other tuto ... and seems it works fine for me now.
    Thanks for your answer anyway

  9. Hi,
    Thanks for this great tutorial. I'm following your guide exactly as is.
    I'm having an issue which I can't debug. When I try to boot with Cryptotest, it asks for my luks password and things seem to be going well, but then I get the following alert:
    Alert! /dev/disk/by-uuid/ does not exist. Dropping to a shell!

    Ok, now I've triple checked the UUID and it is correct, so I don't understand why initram is complaining and not mounting the encrypted BT partition at sda7 (my setup is exactly like yours).

    I've googled around before bothering you and it seems that this error is somewhat common with lucid. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/594523

    Unfortunately no one seems to really know why this happens so there doesn't seem to me to be a simple fix. You can see here (http://ubuntuforums.org/showthread.php?t=1492816) and here (http://www.geekzone.co.nz/forums.asp?forumid=46&topicid=81382).

    My machine is a sony vaio laptop in case that helps.

    Hopefully you or someone else can help me out.

    Thanks

    Replies
    1. Yes,

      I'm replying to myself so that others can learn from my stupid mistake and not spend a whole day pulling their hair out.
      Obviously I made a silly mistake when setting up the cryptotest.
      When reading "kernel /vmlinuz-2.6.38 root=UUID= ro" I obviously wasn't paying attention because I put in my UUID but forgot to replace the < and >. These should not be present. That was my mistake. After I corrected that all went well.

      Thanks again Mathy. I love this blog.

    2. Good to see that you fixed the problem *and* posted the solution here! Will hopefully help others who are stuck in the same situation :)

  10. Hi there! Awesome guide! Thanks!

    I followed your instructions to the letter and I never ran into any problems until the very end. When I attempt to boot into Windows 7 it says "Error 15: File not found" I'm sure i've made a stupid typo somewhere and i'm still investigating.

    Replies
    1. And I was correct, accidentally referred to truecrypt.mbt in my menu.lst as opposed to truecrypt.mbr!

  11. Backtrack won't upgrade to r2, is this possibly related to encrypting?

  12. Great howto guide - good job.

    Followed through with no issues (other than my own inability to type from time to time).

    Will be recommending to the community at www.in2security.org.nz

    One quick thing - if there is a way to highlight the commands from the prose that would be fab. Can be easy to miss things :)

    Thanks for your work on this

  13. hi mathy,
    i'm still using this setup every day :-)

    just wanted to let you (and everyone else too) know, that if you update your system using this guide (http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/) you end up not being able to boot into the new kernel (after step 1). you need to boot into the old kernel again, log in and execute "update-grub". then you can boot into the new kernel and continue upgrading.

    thx again for this guide mathy

  14. Hey, thank you Mathy for this great guide!
    Everything worked fine, after encrypting Backtrack5R2 it booted fine. After installing win7 and finalizing grub, I get:

    "No init found. Try passing init= bootarg."

    after Luks authentication. I can still boot in to encrypted win7.
    I "trippel" checked all my inputs but after 5 hours of testing I don't know what went wrong. I used the exact same partitioning as you did.

    When mounting the encrypted BT5R2 partition (sda7) the links: "initrd.img" and "vmlinux" appear as broken.?

    Sorry for my noobish Question, I tried to read all google gave me but I am kind of lost.

    Any help appreciated!

    --------------------------------
    root@bt:~# blkid
    /dev/loop0: TYPE="squashfs"
    /dev/sda5: UUID="cc2212a4-0694-491f-9a5f-600e82324f9b" TYPE="ext4"
    /dev/sda7: UUID="eb6983d1-20ba-47d8-bce0-fb950484f3ad" TYPE="crypto_LUKS"
    /dev/mapper/udisks-luks-uuid-eb6983d1-20ba-47d8-bce0-fb950484f3ad-uid0: UUID="fd550a6e-953c-4024-b006-2bee16e208e4" TYPE="ext4"

    --------------------------------
    boot/grub/menu.lst (only changed entries)
    (...)

    ## hiddenmenu
    # Hides the menu by default (press ESC to see the menu)
    # hiddenmenu

    (...)

    ## e.g. kopt=root=/dev/hda1 ro
    ## kopt_2_6_8=root=/dev/hdc1 ro
    ## kopt_2_6_8_2_686=root=/dev/hdc2 ro
    # kopt=root=UUID=eb6983d1-20ba-47d8-bce0-fb950484f3ad ro

    ...

    ## ## End Default Options ##

    title BT5R2, kernel 3.2.6
    uuid cc2212a4-0694-491f-9a5f-600e82324f9b
    kernel /vmlinuz-3.2.6 root=UUID=cc2212a4-0694-491f-9a5f-600e82324f9b ro
    initrd /initrd.img-3.2.6
    quiet

    title BT5R2, kernel 3.2.6 (recovery mode)
    uuid cc2212a4-0694-491f-9a5f-600e82324f9b
    kernel /vmlinuz-3.2.6 root=UUID=cc2212a4-0694-491f-9a5f-600e82324f9b ro single
    initrd /initrd.img-3.2.6

    title BT5R2, memtest86+
    uuid cc2212a4-0694-491f-9a5f-600e82324f9b
    kernel /memtest86+.bin
    quiet

    ### END DEBIAN AUTOMAGIC KERNELS LIST

    title Windows 7
    rootnoverify (hd0,0)
    makeactive
    chainloader (hd0,4)/truecrypt.mbr
    boot

    Replies
    1. hi
      i think you have errors, but i cant tell you what you did wrong.
      pls compare my files to yours:

      root@bt:~# blkid
      /dev/sda5: UUID="06763f66-1d97-4dc3-9893-2e84304bbf04" TYPE="ext4"
      /dev/sda7: UUID="afbf1413-fe64-4ab8-889b-b742d4f55182" TYPE="crypto_LUKS"
      /dev/mapper/cryptroot: UUID="39a75883-182d-44b0-8e7f-4eeeb2f66fea" TYPE="ext4"
      /dev/mapper/cryptoswap: UUID="0cb92094-d87d-46fb-b859-6382c7f9b8dd" TYPE="swap"

      ----------------------

      /boot/grub/menu.lst
      ....
      ## ## Start Default Options ##
      ## default kernel options
      ## default kernel options for automagic boot options
      ## If you want special options for specific kernels use kopt_x_y_z
      ## where x.y.z is kernel version. Minor versions can be omitted.
      ## e.g. kopt=root=/dev/hda1 ro
      ## kopt_2_6_8=root=/dev/hdc1 ro
      ## kopt_2_6_8_2_686=root=/dev/hdc2 ro
      # kopt=root=UUID=39a75883-182d-44b0-8e7f-4eeeb2f66fea ro

      ## default grub root device
      ## e.g. groot=(hd0,0)
      # groot=06763f66-1d97-4dc3-9893-2e84304bbf04
      .....
      title Ubuntu 10.04.2 LTS, kernel 3.2.6
      uuid 06763f66-1d97-4dc3-9893-2e84304bbf04
      kernel /vmlinuz-3.2.6 root=UUID=39a75883-182d-44b0-8e7f-4eeeb2f66fea ro
      initrd /initrd.img-3.2.6
      quiet


      see? i would say you did something wrong in the process because you ended up with a wrong config.

      then again a "update-grub" may solve some problems :-)

      try running it and post the results.
      pls provide the entire files next time using pastebin or something

      michael

    2. thx michael, I decided to take the time and redo all from beginning. But: same result. Another lost night, well I am learning.
      I power on, see the grub menu where I can choose BT5 or win7. Win7 gets me to the truecrypt loader and then boots fine. When entering to BT5 it asks for my Luks password as it should, after unlocking it tries to boot but stops with Error:
      "No init found. Try passing init= bootarg".

      Image: http://imageshack.us/photo/my-images/140/imag0248o.jpg/
      I provided you with full menu.lst and boot.log information on http://pastebin.com/rT70WKjY


      I carefully followed the guide. But... I really want this setup to work.
      I have absolutely no idea what is wrong. I tried fsck dev/sda5 and also updated grub, from the liveUSBsystem. Your help is highly appreciated!

    3. sure buddy no problem :-)
      your kopt and groot settings seem fine.
      but i think you entered the wrong uuid in your bt boot entry:

      title BT5R2, kernel 3.2.6
      uuid d6138c21-d8ea-4cf2-a805-e7da3ecc933f
      kernel /vmlinuz-3.2.6 root=UUID=b1e4b4c7-122b-4b67-8e8e-a0f0ca669807 ro
      initrd /initrd.img-3.2.6
      quiet

      root@bt:~# blkid
      /dev/loop0: TYPE="squashfs"
      /dev/sda1: LABEL="System Reserved" UUID="9C16253316251036" TYPE="ntfs"
      /dev/sda5: UUID="d6138c21-d8ea-4cf2-a805-e7da3ecc933f" TYPE="ext4"
      /dev/sda7: UUID="b1e4b4c7-122b-4b67-8e8e-a0f0ca669807" TYPE="crypto_LUKS"
      /dev/sdb1: LABEL="PENDRIVE" UUID="190A-066E" TYPE="vfat"
      /dev/mapper/udisks-luks-uuid-b1e4b4c7-122b-4b67-8e8e-a0f0ca669807-uid0: UUID="b65381e9-783c-498c-8c9c-823c15e6ae49" TYPE="ext4"


      try changing your boot entry to this:

      title BT5R2, kernel 3.2.6
      uuid d6138c21-d8ea-4cf2-a805-e7da3ecc933f
      kernel /vmlinuz-3.2.6 root=UUID=b65381e9-783c-498c-8c9c-823c15e6ae49 ro
      initrd /initrd.img-3.2.6
      quiet


      notice the different root=UUID= setting

      lets see if this works :-)

    4. OK! This clearly is an EPIC FAIL on my side. Booting in to a swap partition should be penalized. Oooops.
      THANK YOU SO MUCH MAN!

    5. happy it works :-)

      i'll pass some of the thx on to mathy for creating this guide. its the setup i work with every day :-)

      -michael v.

    6. Absolutely! Thx Mathy! Thx Mv!

  15. This Guide is really good and it largely works for me.

    I have an aesthetic question.
    It relates to the last commands to save the mbr into a file.
    I've changed the appearance of the Truecrypt Bootloader after I have copied the file. (Userdefined password prompt)
    So i've restored the original Truecrypt Bootloader with the Truecrypt rescue disk.
    After this i've modified the bootloader with truecrypt again. Now I've booted my liveusb and deleted the Truecrypt.bmr and the truecrypt.backup and after this i've tried to copy the modified bootloader back into the truecrypt.* files with the same commands.
    But now every time i try to boot the new mbr file from grub it loads the old ones which i thought that i've already deleted and replaced.

    Where is my flaw?
    (sorry for the simple language and grammar mistakes...)

    Replies
    1. whatever is in /boot/truecrypt.mbr gets chainloaded by grub.
      to change it boot into windows adjust your settings in the truecrypt program, boot a live cd and redo the steps from "Restoring GRUB" in this tutorial.

      since i never did this, it is just theory. dont mess up your system :-)
      -michael

    2. this is what i do :D
      but it doesn't work.
      strangely it always loads the old unedited bootloader.
      I've already deleted the old file but it always loads
      the old, already deleted and overwritten one.

    3. that really is strange :-)
      maybe mathy can help you

  16. This is absolutely spot on, it works like a charm!
    I have one tiny question though.....is there any way to make the font size used by grub any smaller? On my Dell laptop the characters are HUGE.
    Thanks

  17. Hi,
    I'm using bt5 r2 kde in virtual box inside my win7. But every time i start the virtual box i have to use it like live cd not as os. I already installed it in virtual box. Do i have any cure for this problem. Plz help me out.
    thanks.

  18. Having a weird issue. Ive found similar issues but nothing exact.. I have it set up on a USB hdd and it works great in VM, but when i hook it into a computer with an existing hdd i get grub menu and choose the backtrack option and it fails after not being able to mount /dev/sda7. This is due to the fact that the external drive on this pc is sdb not sda. But i have double checked menu.lst and fstab to only use UUID rather than path. But i cant seem to find where it is getting sda7 hardcoded. Have also re-run update-grub several times.

  19. This is a most excellent tutorial and it worked well up to the "restoring GRUB" portion.

    I used cascade encryption and this may be part of the problem as the boot loader is different. but, I still cannot figure out why copying the mbr does not work.

    I get the following: Loader damaged, get rescue disk....

    In that case, grub works for loading BT5 but I need to use the rescue disk to load my Windows partition.

    Any idea what I do wrong?

    Replies
    1. same problem, also used cascade encryption and cant get it to work with finalizing GRUB

  20. hey i wanted to say this guide is very useful even though its 2012 i use it and i was going to mention that now you don't have to do the grub downgrade. I am dual booting Windows 8 Pro and Backtrack 5r3 both 64bit. I had Windows 8 Pro already installed and so it filled the /dev/sda1 and /dev/sda2 spot. I did follow your linux partition advice and did that. However if you have windows installed already you don't need to create a new partition table or else it will delete all your partitions and windows and here was my partition setup

    /dev/sda1: Windows system reserved
    /dev/sda2: Windows 8 Pro
    /dev/sda5: /boot
    /dev/sda6: swap
    /dev/sda7: ext4
    /dev/sda8: / <--since windows occupy sda1 i used it on sda8

    next i didnt need to downgrade grub i continued using the regular grub so i skipped that part and followed everything else sides i found the cryptotest entry you wanted to test i couldnt get it to work but my partition is encrypted since it wont allow access until i enter the password

    last at the final grub config since im using the regular grub instead of downgrading it u edit it under /boot/grub/grub.cfg

    and if you keep grub 2 and you encrypt the partition after you boot and you get to the BackTrack 5 screen and it sits there hit the delete button to see the access to enter your encryption password

    -Paul





  21. This guide is gold. Every single step worked to the T. I'm running windows 8 pro 64 with bt5r3.. a virtually duplicate setup to the guide on a 160gb hdd. Everything is well explained, not a single problem encountered/no workarounds needed. This is right on the money.

    Thanks for this Mathy.

    -Bam

  22. Side note:

    During the first test of the encrypted system, make sure when editing your menu.lst in grub you do the CORRECT/CURRENT kernel version

    title Cryptotest
    root (hd0,4)
    kernel /vmlinuz-2.6.38 root=UUID= ro
    initrd /initrd.img-2.6.38
    boot

    ## for backtrack 5r3 it would be -3.2.6

    -Bam
