Recently, due to laptop thefts at work and the risk of Personally Identifiable Information (PII) loss, I had to make the difficult choice to start a project to force-encrypt our user laptops. So, due to “what do we already own?”, I chose Microsoft BitLocker for the Windows 7 computers, and FileVault for the Macintosh OS X 10.7 computers.
That seems fine; however, one “snag”… I use a dual-boot BackTrack 5 and Windows 7 machine DAILY at work. So, being the kind of guy who lives by the rule “Don’t give an order that you’re not willing to follow yourself”, I had to figure out how to encrypt my Windows side and still boot BackTrack 5.
I got it to work. It was painful.
Take a second to re-read that. Yes, it works, and yes, it caused me pain to make it work.
So, here are the steps I used to make this work:
Step 1: Wipe the drive. (you should have backed it up if you needed to save something… I shouldn’t have to tell you that.)
Step 2: Create a partition for the Win7 to be housed. Make it the first partition. Leave unallocated space for BackTrack. (I left 30 gigs for BackTrack… you probably want more; I have a lot of scripts that always put captured data on something external that I mount and encrypt with TrueCrypt…)
Step 3: Install Windows 7 (or dump your standard image) to that partition. Mine created a 100MB boot thing before the Windows 7 partition; let it do whatever it wants to do, except use that unallocated space you already saved for BackTrack.
Step 4: Boot Windows 7 and test. Make sure Windows 7 works first! (Well, functions as well as one could expect for Windows)
Step 5: In Windows, run this command from a command prompt: "%windir%\System32\BdeHdCfg.exe" -target default (This command preps the drive for BitLocker.)
Step 6: Encrypt the drive via BitLocker with your PIN. (Record the recovery key. This is the single most important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it. This key is your life, young padawan…)
Step 7: When it’s done, Boot Windows 7 and test. Make sure Windows 7 still works! (Well, functions as well as one could expect for Windows)
Step 8: Pause BitLocker. I turned it off. (This seems to make no sense, but in testing I had a problem: if I tried to encrypt the drive after installing Linux, forget it, it died.)
Step 9: Boot the BackTrack 5 DVD/USB key.
Step 10: Install BackTrack 5 to that new unallocated partition. (I configured /dev/sda3 as my /boot partition, /dev/sda5 as my root and /dev/sda6 as my swap. /dev/sda1 was the Windows 7 boot partition and /dev/sda2 was my Windows 7 system partition.)
Step 11: Make sure when you install GRUB, you install it to /dev/sda3. DO NOT PUT IT IN THE MBR or /dev/sda or /dev/sda1. If you do, you just screwed yourself.
Step 12: This will only boot to Windows 7 still. Grab BCDEDIT for Windows, and add a boot option to boot Linux on /dev/sda3.
Step 13: Boot Windows 7 and test. Make sure Windows 7 still works! (Well, functions as well as one could expect for Windows)
Step 14: Boot BackTrack 5 from the Windows boot menu. It should shell to GRUB; boot it. Make sure BackTrack 5 works.
Step 15: Boot Windows 7 and turn BitLocker back on. (Record the recovery key. This is the single most important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it. This key is your life, young padawan…)
Step 16: It should present you the Windows 7 boot menu, where option 1 is Windows 7 and option 2 is BackTrack Linux; then it should prompt you for your BitLocker PIN.
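The check behind steps 11 and 12, as an added example that is not from the original post: run from the BackTrack side before BitLocker is turned back on, it confirms GRUB sits in the /boot partition's boot sector and not in the MBR, then saves that sector as a file for a Windows boot menu entry. The file name linux.bin, the constructed demo images and the bcdedit entry in the closing comment are assumptions; the post does not say how its boot entry was created.

```shell
#!/bin/sh
# Added example. Device paths follow the post; linux.bin is an assumed name.

# Print the first 512-byte sector of a device or image file.
first_sector() { dd if="$1" bs=512 count=1 2>/dev/null; }

# True when the sector ends with the 0x55AA boot signature.
has_boot_signature() {
    sig=$(first_sector "$1" | od -An -tx1 -j510 -N2 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# True when the sector holds GRUB boot code, which embeds the string "GRUB".
has_grub() { first_sector "$1" | LC_ALL=C tr -cd '[:print:]' | grep -q GRUB; }

# check_layout DISK BOOTPART
# 0: GRUB only in BOOTPART's boot sector; 1: GRUB in the MBR (step 11 broken);
# 2: DISK has no boot signature; 3: BOOTPART has no GRUB boot sector.
check_layout() {
    has_boot_signature "$1" || return 2
    if has_grub "$1"; then return 1; fi
    has_grub "$2" || return 3
    return 0
}

# Save BOOTPART's boot sector to OUTFILE for the Windows boot menu entry.
export_bootsector() {
    first_sector "$1" > "$2" && [ "$(wc -c < "$2")" -eq 512 ]
}

# Build a constructed 512-byte sector holding TEXT, to try the checks offline.
make_sector() {
    { printf '%s' "$2"; head -c $((510 - ${#2})) /dev/zero; printf '\125\252'; } > "$1"
}

# Demo on constructed images; on the real machine use /dev/sda and /dev/sda3.
tmp=$(mktemp -d)
make_sector "$tmp/mbr.img" 'Missing operating system'
make_sector "$tmp/sda3.img" 'GRUB Geom Hard Disk Read Error'
check_layout "$tmp/mbr.img" "$tmp/sda3.img" &&
    export_bootsector "$tmp/sda3.img" "$tmp/linux.bin" &&
    echo "layout ok, boot sector saved to $tmp/linux.bin"

# With linux.bin copied to C:\, one common way to do step 12 from an elevated
# Windows prompt ({ID} is the GUID printed by the first command):
#   bcdedit /create /d "BackTrack 5" /application bootsector
#   bcdedit /set {ID} device partition=C:
#   bcdedit /set {ID} path \linux.bin
#   bcdedit /displayorder {ID} /addlast
```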
I can’t stress two things enough: #1) This took me weeks of wiping the drive to figure out. Don’t be shocked if you have to tweak the steps for your specific situation. #2) That recovery key is the most important thing in this process…
A few notes: (things that make you go Hmmmm…)
1) It asks you to pick which OS first, then prompts you to enter your BitLocker PIN… You can’t boot Linux unless you unlock BitLocker first. Not sure why, but I’ll call it an “added feature!” Remember, the Linux side is NOT ENCRYPTED! That means don’t be an *idiot* about what you store there; assume it’s accessible if someone takes your laptop.
2) After you update-grub, plan on having your recovery password around for BitLocker… it always keeps asking me for it after I update GRUB, even though it’s installed to the /boot partition (/dev/sda3 in my case). Don’t leave your recovery key in your laptop bag, because that defeats the purpose of encrypting it, duh. I can’t stress that enough. The whole “point” is to protect the Windows side, to keep anyone who takes your laptop from getting any useful info off it… Don’t forget the goal while you’re having so much fun messing with this nightmare.
–Bill (General Major Webelo Captain Zapp Brannigan)
So, being someone who used BackTrack daily for my career, I routinely make sure I’m current with BackTrack. So BackTrack 5 is out; I went and grabbed the x64 KDE version, backed up my PSKL directory on BT4R2, and blew it away…
First thing, startx didn’t load from the DVD until I removed some cache files…
So finally startx loaded and I was able to use the graphical installer to install it to my hard drive on my laptop.
When I rebooted, I did startx, and got a kernel panic (blinking caps lock light). So I’m like, “M’kay, x64 KDE is borked…” so I grabbed x64 GNOME, repeat process, same thing; x32 GNOME, repeat process, same thing. OK, it’s NOT borked, I’m just not doing it right.
So I searched and searched, and found nothing immediately useful. (I could bore the heck out of anyone with some of the searches I did to get at this one…)
Finally, I found this kernel parameter: i915.modeset=1
They should rename that to “setbrokentofixed=1”
So, put that at the end of your GRUB_CMDLINE_LINUX_DEFAULT in your /etc/default/grub and update-grub!
Boom, I appended that and now startx works and I can enjoy the BT5 goodness… Now I just gotta configure my Metasploit account on there and put my PSKL directory back with all our awesome scripts.
Enjoy BackTrack 5!
Update (June 15th 2011): Talking with a few others, including the great comments here, you might need this line in your /etc/default/grub
Alternative line from Daveonator:
GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 i915.modeset=1"
Try it, and let us know.
More about the sound than the video… turn up the volume.
SpinRite has been chewing on this same sector of this drive for 48 hours now. You can’t say it isn’t tenacious. I had to put the thing in a closet because I couldn’t stand the sound any more.
The salesmen here have a real knack for screwing up HDDs…
My company has a bunch of Lenovo X60 and X61 TabletPCs in the hands of our salesmen. Seeking to extend the useful life of these computers, I thought I’d see how effective an SSD upgrade would be along with Windows 7 RC build 7100.
All 3 of the computers shown are X60 Tablets with L2400 processors and 2GB of RAM. The two on the left have the stock 5400RPM HDD installed, the one on the right has an OCZ Vertex 30GB SSD. The lone Windows XP machine is how the computers are currently configured. A lot of the extra time booting up is spent loading support apps, such as Lenovo’s fingerprint software, some of which is no longer necessary even in XP… MOST of which is not necessary in Win 7.
The tests I ran were standard tasks our salesmen run every day using SalesLogix which we use for CRM and invoicing. SalesLogix uses a local db via MSDE (or SQL Server Express on the Windows 7 machines).
I judge a boot process to be complete when the computer is usable… so I brought up the task manager on each machine and waited until processor usage was down below 3% for a few seconds before officially marking the machine “done booting.”
One of the greatest benefits of using an SSD in these machines cannot be quantified in this environment: the ability to safely turn off the HDD-protection software which senses physical shocks to the system and seats the HDD’s heads for a few seconds, effectively pausing anything the computer is doing until the “shocks” stop. This means that users can’t walk and launch SalesLogix at the same time or it will take a verrrry long time to open. An SSD removes this limitation and will make noticeable improvements in productivity in the field.
These 30GB SSDs can be purchased for just over $100 right now and 60GB drives are around $210. I highly recommend them. Be certain to get the Vertex series (if you get an OCZ, that is)… avoid the Core series, they are awful.
Break a screen on a Lenovo X60/X61 ThinkPad and Lenovo wants to charge you ~$900 to fix it. A new screen can be purchased from a 3rd party for ~$250…so I thought I’d take a stab at doing it myself when an employee broke his screen.
That was 4 broken screens ago. As an attempt to make this incredibly mind-numbing and time-consuming task more interesting, I decided I’d record myself doing it to a) see how fast I can do it and b) show others how to do it if they choose to try.
Good luck…I recommend just sending it to Lenovo. As you’ll see in this video, replacing a tablet screen is much more involved than replacing a regular laptop screen.