Tuesday, 9 February 2010

Installing Pentoo on Hard Drive with LUKS encryption

Pentoo is a great Linux distro created with security testing in mind - be it penetration testing or wireless testing. I know - Backtrack 4 is out there and is cool too ;P however, being a Gentoo user you simply cannot resist Pentoo... ;) It might be just me but I find it so much easier to customise as well! And how many times have you had to install something from source? Getting all the header files and tricky dependencies right can be cumbersome... with Pentoo you have the full Gentoo portage tree plus lots of security tools available as ebuilds at hand. If something's not there - it's so god damn easy to... compile it! ;]

Anyway - here's a quick howto on getting Pentoo installed on your hard drive with a LUKS encrypted root partition and encrypted swap, too... The LiveCD is great, but you might want something more permanent and faster... so here it goes!

Installation guides that I've used for reference:
and here:

Boot the LiveCD and check that networking is fine and that sshd is running (you don't strictly need networking at this stage, but I prefer to do the installation remotely). Also change the root password, and do it before starting sshd so the box is never reachable over the network with whatever password the LiveCD came with:

dhcpcd eth0
passwd
/etc/init.d/sshd start

Create the installation partitions. You'll need at least /boot, / (root), and swap. /boot has to stay unencrypted, because GRUB legacy cannot read a LUKS volume and has to load the kernel and initramfs from plaintext; everything else goes on the encrypted partitions. My setup was as follows:

pentoo ~ # fdisk -l

Disk /dev/sda: 60.0 GB, 60011642880 bytes
16 heads, 63 sectors/track, 116280 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes
Disk identifier: 0x6ce2c029

Device Boot Start End Blocks Id System
/dev/sda1 1 195 98248+ 83 Linux
/dev/sda2 196 4071 1953504 83 Linux
/dev/sda3 4072 116280 56553336 83 Linux

sda1 - boot
sda2 - swap
sda3 - root

Onto encrypted partition creation... ;) You can of course tune the encryption options (see the cryptsetup manpage). aes-cbc-essiv:sha256 with a 256-bit key is the cryptsetup default at the time of writing; newer cryptsetup releases default to aes-xts-plain64 with a 512-bit key, which is the better choice if your version supports it. If the disk held anything sensitive before, fill it with random data first (e.g. from /dev/urandom), so no old plaintext sits next to the new LUKS container and the used part of the disk is indistinguishable from the rest:

pentoo ~ # cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 --verify-passphrase luksFormat /dev/sda3

This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Now open the encrypted partition and create the device mapping used for the installation. The name after the device (root here) becomes /dev/mapper/root, and it is also the name genkernel's initramfs will use when it unlocks the partition at boot, so the fstab and bootloader entries later on refer to it. You can confirm the mapping with cryptsetup status root, and cryptsetup luksDump /dev/sda3 shows the cipher and key slots you just set up:

pentoo ~ # cryptsetup luksOpen /dev/sda3 root
Enter passphrase for /dev/sda3:
Key slot 0 unlocked.

Create filesystems on the newly created partitions. Feel free to use your favourite filesystem - just beware with the /boot partition: GRUB legacy (0.97), for instance, can't read ext4, so keep /boot on ext2 or ext3...

pentoo ~ # mkfs.ext3 /dev/sda1
mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
24576 inodes, 98248 blocks
4912 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
12 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

And the root partition to follow:

pentoo ~ # mkfs.ext3 /dev/mapper/root
mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
3538944 inodes, 14138077 blocks
706903 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
432 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Mount partitions...

pentoo ~ # mount /dev/mapper/root /mnt/gentoo/
pentoo ~ # mkdir /mnt/gentoo/boot
pentoo ~ # mount /dev/sda1 /mnt/gentoo/boot/

Don't worry about the swap partition - we'll encrypt it later via the dmcrypt init script, with a random key generated at every boot, so it never needs a passphrase and nothing that was swapped out survives a reboot.

Now we need to copy the files from the LiveCD onto the hard drive. As there will be some overwriting, it's useful to unalias the cp command first, otherwise cp -i prompts for every single file:

pentoo ~ # alias
alias aemerge='ACCEPT_KEYWORDS="~x86" emerge'
alias cp='cp -i'
alias grep='grep --color=auto'
alias ll='ls -l'
alias ls='ls --color'
alias mv='mv -i'
alias rm='rm -i'

Unalias then!

unalias cp

...and then start copying the files:

cp -avf /mnt/livecd/* /mnt/gentoo
cp -avf /etc /root /mnt/gentoo
cp -avf /usr/portage /mnt/gentoo/usr

From there on it's pretty much a straightforward Gentoo installation - all tweaks allowed! ;]

pentoo ~ # mount -t proc none /mnt/gentoo/proc
pentoo ~ # mount -o bind /dev /mnt/gentoo/dev
pentoo ~ # chroot /mnt/gentoo /bin/bash
pentoo / # env-update
>>> Regenerating /etc/ld.so.cache...
pentoo / # source /etc/profile
pentoo / # export PS1="(chroot) $PS1"

Just out of curiosity:

(chroot) pentoo src # gcc-config -l
[1] i686-pc-linux-gnu-4.3.4 *
(chroot) pentoo src # eselect profile list
Available profile symlink targets:
[1] default/linux/x86/10.0 *
[2] default/linux/x86/10.0/desktop
[3] default/linux/x86/10.0/developer
[4] default/linux/x86/10.0/server
[5] hardened/linux/x86/10.0
[6] selinux/2007.0/x86
[7] selinux/2007.0/x86/hardened
[8] selinux/v2refpolicy/x86
[9] selinux/v2refpolicy/x86/desktop
[10] selinux/v2refpolicy/x86/developer
[11] selinux/v2refpolicy/x86/hardened
[12] selinux/v2refpolicy/x86/server

Not bad! You could always switch to the hardened profile, enable the graphite extension and recompile world... ;)

Anyway - kernel compilation! I'd use hardened-sources from the hardened-development overlay (you'll need to emerge git for that), but you can just as well stay with the stock kernel...

(chroot) pentoo src # ls -la
total 20
drwxr-xr-x 5 root root 4096 Jan 22 13:55 .
drwxr-xr-x 16 root root 4096 Dec 3 23:31 ..
lrwxrwxrwx 1 root root 31 Dec 3 23:30 linux -> /usr/src/linux-2.6.31-pentoo-r3
drwxr-xr-x 24 root root 4096 Dec 3 23:30 linux-2.6.31-pentoo-r3
drwxr-xr-x 24 root root 4096 Jan 22 13:56 linux-2.6.32-hardened-r2
drwxr-xr-x 12 root root 4096 Dec 3 21:39 mosref-2.0_beta3

The easiest way to get a kernel config file is to reuse the one the running LiveCD kernel was built with (this works inside the chroot because /proc of the live system is mounted there):

(chroot) pentoo src # zcat /proc/config.gz > /usr/src/linux/.config

And then you can modify it or leave it alone... :)

Edit /etc/genkernel.conf. Not really required, but I like to disable the clean and mrproper steps (CLEAN="no" and MRPROPER="no" - the latter sits under the comment "# Run 'make mrproper' before configuration/compilation?") so the .config I just put in place survives, and to add the LUKS line (LUKS="yes"), which makes the initramfs include cryptsetup.

For multicore you could also set MAKEOPTS there to -j with the number of cores plus one.

Compile! Well, not yet... if you run genkernel now it will fail with:

ld: cannot find -lcrypt

Rebuilding genkernel did not help, but rebuilding glibc did:

(chroot) pentoo linux # emerge -av glibc
* IMPORTANT: 2 news items need reading for repository 'gentoo'.
* Use eselect news to read news items.
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild U ] sys-libs/glibc-2.10.1-r1 [2.9_p20081201-r2] USE="-debug -gd -glibc-omitfp (-hardened) (-multilib) -nls -profile (-selinux) -vanilla" 16,511 kB

Total: 1 package (1 upgrade), Size of downloads: 16,511 kB
Would you like to merge these packages? [Yes/No]

Once it's done (few cups of chai later...)

(chroot) pentoo linux # genkernel --luks all
* Gentoo Linux Genkernel; Version 3.4.10
* Running with options: --luks all

* Linux Kernel 2.6.31-pentoo-r3 for x86...
* >> Running oldconfig...
* config: --no-clean is enabled; leaving the .config alone.
* >> Compiling 2.6.31-pentoo-r3 bzImage...
* >> Compiling 2.6.31-pentoo-r3 modules...
* Copying config for successful build to /etc/kernels/kernel-config-x86-2.6.31-pentoo-r3
* busybox: >> Applying patches...
* busybox: >> Configuring...
* busybox: >> Compiling...
* busybox: >> Copying to cache...
* initramfs: >> Initializing...
* >> Appending base_layout cpio data...
* >> Appending auxilary cpio data...
* Including LUKS support
* >> Appending busybox cpio data...
* >> Appending e2fsprogs cpio data...
* E2FSPROGS: Adding support (compiling binaries)...
* e2fsprogs: >> Configuring...
* e2fsprogs: >> Compiling libs...
* e2fsprogs: >> Compiling e2fsck...
* e2fsprogs: >> Compiling mke2fs...
* e2fsprogs: >> Copying to cache...
* >> Copying to bincache...
* >> Appending modules cpio data...
* Kernel compiled successfully!
* Required Kernel Parameters:
* real_root=/dev/$ROOT
* Where $ROOT is the device node for your root partition as the
* one specified in /etc/fstab
* If you require Genkernel's hardware detection features; you MUST
* tell your bootloader to use the provided INITRAMFS file. Otherwise;
* substitute the root argument for the real_root argument if you are
* not planning to use the initrd...

* Additional kernel cmdline arguments that *may* be required to boot properly...

* Do NOT report kernel bugs as genkernel bugs unless your bug
* is about the default genkernel configuration...
* Make sure you have the latest genkernel before reporting bugs.
(chroot) pentoo linux #


Edit the /etc/fstab file. The root entry points at the mapper device, never at /dev/sda3 (the raw partition is ciphertext and must not be mounted or fsck'd directly), and swap at the mapping name dmcrypt will create:

/dev/sda1 /boot ext3 noauto,noatime 1 2
/dev/mapper/root / ext3 noatime 0 1
/dev/mapper/crypt-swap none swap sw 0 0

Ok, time to configure the LUKS mappings that the dmcrypt init script sets up at boot:

vi /etc/conf.d/dmcrypt

...and add your swap partition:


Now the bootloader:

nano /boot/grub/menu.lst

If you've installed the stock kernel, this is how it should look (crypt_root is the raw LUKS partition the initramfs asks the passphrase for; real_root is the mapper device it then mounts as /):

title Pentoo Linux 2.6.31-r3
root (hd0,0)
kernel /boot/kernel-genkernel-x86-2.6.31-pentoo-r3 crypt_root=/dev/sda3 real_root=/dev/mapper/root
initrd /boot/initramfs-genkernel-x86-2.6.31-pentoo-r3

Right - the bootloader itself still has to be written to the MBR, so run grub and install it from its shell (root points at the /boot partition, setup (hd0) writes stage1 into the MBR and embeds stage1.5 right after it):

GNU GRUB version 0.97 (640K lower / 3072K upper memory)

[ Minimal BASH-like line editing is supported. For the first word, TAB
lists possible command completions. Anywhere else TAB lists the possible
completions of a device/filename. ]

grub> root (hd0)
Filesystem type unknown, using whole disk

grub> root (hd0,0)
Filesystem type is ext2fs, partition type 0x83

grub> setup (hd0)
Checking if "/boot/grub/stage1" exists... yes
Checking if "/boot/grub/stage2" exists... yes
Checking if "/boot/grub/e2fs_stage1_5" exists... yes
Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... 17 sectors are embedded.
Running "install /boot/grub/stage1 (hd0) (hd0)1+17 p (hd0,0)/boot/grub/stage2 /boot/grub/menu.lst"... s
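
The three files edited above (menu.lst, fstab and conf.d/dmcrypt) have to agree with each other, and a typo in any of them only shows up as an unbootable box. As an added example (not part of the original post, and not Pentoo's own tooling), here is a small shell script that cross-checks them before the first reboot. It assumes GRUB legacy's menu.lst, a stock genkernel --luks initramfs (which opens crypt_root as the mapping named root) and Gentoo's /etc/conf.d/dmcrypt stanza format (swap=<name> followed by source=<device>); the sample files it writes are constructed to mirror the layout above, plus a deliberately broken variant.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the three files that must
# agree for the encrypted-root box to boot. Run it inside the chroot before rebooting.
# Assumptions: GRUB legacy menu.lst, a stock genkernel --luks initramfs (which opens
# crypt_root as the mapping "root"), and Gentoo's /etc/conf.d/dmcrypt format
# (swap=<name> followed by source=<device>). The sample files below are constructed.

check_boot_config() {
    local menu=$1 fstab=$2 dmcrypt=$3 errors=0
    local kline crypt_root real_root fs_root fs_swap name swap_src

    # Kernel line of the first menu entry; pull crypt_root= and real_root= out of it.
    kline=$(grep '^[[:space:]]*kernel[[:space:]]' "$menu" | head -n 1)
    crypt_root=$(printf '%s\n' "$kline" | sed -n 's/.*crypt_root=\([^ ]*\).*/\1/p')
    real_root=$(printf '%s\n' "$kline" | sed -n 's/.*real_root=\([^ ]*\).*/\1/p')
    [ -n "$crypt_root" ] || { echo "menu.lst: kernel line has no crypt_root="; errors=$((errors + 1)); }
    [ -n "$real_root" ]  || { echo "menu.lst: kernel line has no real_root=";  errors=$((errors + 1)); }

    # genkernel unlocks crypt_root as /dev/mapper/root, so real_root has to be exactly that.
    if [ -n "$real_root" ] && [ "$real_root" != /dev/mapper/root ]; then
        echo "menu.lst: real_root=$real_root, but genkernel --luks maps crypt_root to /dev/mapper/root"
        errors=$((errors + 1))
    fi

    # / in fstab must be the mapper device the initramfs hands over, not the raw partition.
    fs_root=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab")
    if [ "$fs_root" != "$real_root" ]; then
        echo "fstab: / is on '$fs_root', kernel real_root is '$real_root'"
        errors=$((errors + 1))
    fi
    if [ -n "$crypt_root" ] && awk '$1 !~ /^#/ { print $1 }' "$fstab" | grep -qx "$crypt_root"; then
        echo "fstab: raw LUKS partition $crypt_root is listed; only mapper devices belong here"
        errors=$((errors + 1))
    fi

    # Swap: fstab's /dev/mapper/<name> needs a swap=<name> stanza in dmcrypt whose source
    # is a partition other than the root LUKS container (dmcrypt re-keys swap every boot).
    fs_swap=$(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab")
    if [ -n "$fs_swap" ]; then
        case $fs_swap in
            /dev/mapper/*)
                name=${fs_swap#/dev/mapper/}
                swap_src=$(awk -F= -v want="$name" -v q="'" '
                    /^[[:space:]]*#/ { next }
                    $1 == "swap" || $1 == "target" { kind = $1; nm = $2; gsub(q, "", nm); gsub(/"/, "", nm) }
                    $1 == "source" && kind == "swap" && nm == want { print $2 }
                ' "$dmcrypt" | tr -d "'\"")
                if [ -z "$swap_src" ]; then
                    echo "dmcrypt: no swap=$name stanza with a source= line; swap would be missing"
                    errors=$((errors + 1))
                elif [ "$swap_src" = "$crypt_root" ]; then
                    echo "dmcrypt: swap source $swap_src is the root LUKS partition; it would be wiped at boot"
                    errors=$((errors + 1))
                fi ;;
            *)
                echo "fstab: swap on raw device $fs_swap will not be encrypted; use /dev/mapper/<name>"
                errors=$((errors + 1)) ;;
        esac
    fi

    [ "$errors" -eq 0 ] && echo "OK: menu.lst, fstab and dmcrypt agree"
    return $(( errors > 0 ))
}

# Constructed sample configs mirroring the post's layout (sda1 /boot, sda2 swap,
# sda3 LUKS root). Usage: write_samples DIR good|bad
write_samples() {
    local dir=$1 variant=$2
    cat > "$dir/menu.lst" <<'EOF'
default 0
timeout 10
title Pentoo Linux 2.6.31-r3
root (hd0,0)
kernel /boot/kernel-genkernel-x86-2.6.31-pentoo-r3 crypt_root=/dev/sda3 real_root=/dev/mapper/root
initrd /boot/initramfs-genkernel-x86-2.6.31-pentoo-r3
EOF
    cat > "$dir/dmcrypt" <<'EOF'
# swap mapping created by the dmcrypt init script with a fresh random key each boot
swap=crypt-swap
source='/dev/sda2'
options='-c aes-cbc-essiv:sha256 -s 256'
EOF
    if [ "$variant" = good ]; then
        cat > "$dir/fstab" <<'EOF'
/dev/sda1               /boot   ext3    noauto,noatime  1 2
/dev/mapper/root        /       ext3    noatime         0 1
/dev/mapper/crypt-swap  none    swap    sw              0 0
EOF
    else
        # Classic mistake: fstab still names the raw partitions.
        cat > "$dir/fstab" <<'EOF'
/dev/sda1   /boot   ext3    noauto,noatime  1 2
/dev/sda3   /       ext3    noatime         0 1
/dev/sda2   none    swap    sw              0 0
EOF
    fi
}

# Demo on the constructed samples; on a real box call check_boot_config with
# /boot/grub/menu.lst /etc/fstab /etc/conf.d/dmcrypt instead.
tmp=$(mktemp -d)
write_samples "$tmp" good && check_boot_config "$tmp/menu.lst" "$tmp/fstab" "$tmp/dmcrypt"
write_samples "$tmp" bad  && check_boot_config "$tmp/menu.lst" "$tmp/fstab" "$tmp/dmcrypt" || echo "(the broken set is rejected, as expected)"
rm -rf "$tmp"
```

The check is deliberately conservative: it only compares names, so it also catches the case where swap is left on the raw /dev/sda2 (which would boot fine and silently write plaintext pages to disk), the one mistake the initramfs will never complain about.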


Voila! A few boot script tweaks... (dmcrypt goes into the boot runlevel so the swap mapping exists before anything tries to swapon):

(chroot) pentoo linux # rc-update del autoconfig default
* service autoconfig removed from runlevel default
(chroot) pentoo linux # rc-update add keymaps default
* service keymaps added to runlevel default
(chroot) pentoo linux # rc-update add dmcrypt boot
* service dmcrypt added to runlevel boot

Edit the keymap file if you wish...

nano /etc/conf.d/keymaps

Done... exit the chroot, unmount everything under /mnt/gentoo (boot, dev and proc first, then the root), cryptsetup luksClose root, then reboot & enjoy! ;] After the first boot, cryptsetup status root and cryptsetup status crypt-swap should both report active dm-crypt mappings and swapon -s should list /dev/mapper/crypt-swap - if it shows /dev/sda2 instead, the dmcrypt service did not run and swap is unencrypted. It's also worth keeping a copy of the LUKS header off the disk (cryptsetup luksHeaderBackup --header-backup-file <file> /dev/sda3, with cryptsetup 1.1 or newer): if the header gets damaged, the passphrase is useless and the data is gone.


  1. : someone leave a damn comment telling him (or anyone interested) to join #pentoo on freenode

  2. Hey man, thx for the nice writeup, I linked your post on our install page.

    BTW, you can join us on irc://irc.freenode.net/#pentoo if you want to discuss about our project!

  3. I wrote something similar to this post.
    But in Japanese... sorry


  4. you are the man!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  5. tried to run bt4 on acer-aspire-one-happy (green) but it does not recognize the 1024x600 screen ... pentoo does!
    run's great with my external rt73 wlan dongle ... pentoo would be perfect when accept the internal broadcom 802.11n wireless adapter ... but who is perfect ;-)

  6. hey man.. first I'm sorry for my bad English :D

    I wanna ask you "how can I protect /etc/shadow or /etc/passwd, so that the file can't be mounted with another Linux live-cd?"
    I'm tired of using ext4 or reiserfs, because those filesystems can still be mounted with a Linux live-cd..

    thank you :)

    1. Hi,
      If I understand correctly, you want to prevent the ability to read these files when someone boots your system off a LiveCD?

      The only way to do it really, is to encrypt the contents of your drive. If the whole drive is encrypted (apart from the boot partition), they would then be able to read the contents of the disk only if they knew the encryption password/key.

      Hope that helps.

  7. Alternative way:

    - install Sabayon or Gentoo (stage3?)
    - then add pentoo overlay with layman
    - if you use Sabayon bear in mind you lose the ability to reliably edit make.conf with USE flags

