User:Drdevil44/Tiny Linux Bootloader orig

From ArchWiki

Category:Boot loaders Category:Security <-- Re-enable categories after moving to Main namespace

One of the basic principles behind Linux disk encryption has been that the boot partition must exist and must be unencrypted, because the BIOS and the bootloader it loads have to read the kernel and initrd from it. That unencrypted partition makes it trivial for a forensic examiner to establish that the drive is encrypted and, in jurisdictions with key-disclosure laws, to compel you to hand over the key.

It is possible to do away with the boot partition, and even the partition table, so that a superficial examination with the common forensic tools used by law enforcement reveals nothing: loading such a disk into those tools shows no partitions and offers no way to reach the data. Obfuscating the boot process in this way raises the bar and frustrates analysis. Be clear that it is obfuscation, not concealment: the disk still holds a large run of high-entropy data that an entropy scan will flag, and the bootloader code in sector 0 is itself evidence that the disk boots something. The technique defeats tools that rely on a partition table, not a careful examiner reading raw sectors.

Preparing the drive

Follow the ordinary steps to create an encrypted volume, preferring tc-play (or cryptsetup's plain mode) over LUKS: LUKS writes a recognisable plaintext header at the start of the volume, whereas a tc-play volume header is itself encrypted and indistinguishable from random data, and plain mode writes no header at all. Make the volume start at a memorable byte offset, at least 50 MB into the disk, because the bootloader, kernel and initrd will later be written to the start of the disk and must not overlap it. Install your system into that volume and write down its exact start sector and its size in sectors: you will need both, and once the partition table is gone nothing on the disk records them.

Preparing initrd

We're going to add a custom mkinitcpio hook that maps our volume by its raw offset, without looking at a partition table.

Under /usr/lib/initcpio/, copy hooks/encrypt to hooks/secenc and install/encrypt to install/secenc. The install/encrypt hook already adds cryptsetup, dmsetup and the dm-crypt module to the image, so install/secenc needs no changes beyond the copy. Now edit hooks/secenc and replace the body of its run_hook() function with the following, keeping the existing modprobe line:

echo 0 <PARTITIONSIZEINSECTORS> linear <HARDDRIVEDEVICE> <PARTITIONSTARTSECTOR> | dmsetup create encpart
... use cryptsetup to decrypt your partition (use /dev/mapper/encpart as source) ...

The dm table is given in 512-byte sectors: the leading 0 is the offset inside the new mapping, followed by its length, the target type (linear), the backing device and the start sector on that device. Open the decrypted volume under the /dev/mapper name that your root= kernel parameter will use. Then edit /etc/mkinitcpio.conf and add 'secenc' to the HOOKS line immediately after block; it takes the place of the encrypt hook.

Now update your fstab so that / is the mapped device (the /dev/mapper name you chose when opening the volume) and regenerate your initrd:

mkinitcpio -p linux
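A complete hooks/secenc run_hook(), as an added example that is not the page's own hook nor part of the tiny-linux-bootloader project. It assumes the disk is /dev/sda, the volume starts 50 MiB in and is 8 GiB long, it was created with cryptsetup plain mode using aes-xts-plain64 with a 512-bit key and sha512 hash, and the mapped names are encpart (raw slice) and cryptroot (decrypted); all of these are assumptions to replace with your own values. The two helpers do the sector arithmetic explicitly, because a rounded or off-by-one start sector silently maps the wrong bytes and decryption then yields garbage rather than an error.

```bash
#!/bin/bash
# Added example hooks/secenc for mkinitcpio (not from the ArchWiki page or the
# tiny-linux-bootloader project). All device names, offsets and cipher
# parameters below are assumptions; substitute the values you wrote down.

SECTOR=512

# bytes_to_sectors BYTES: convert a byte count to 512-byte sectors, refusing
# values that are not sector-aligned (dmsetup works in sectors, and rounding
# would shift the mapping and corrupt decryption).
bytes_to_sectors() {
    local bytes=$1
    if [ $(( bytes % SECTOR )) -ne 0 ]; then
        echo "bytes_to_sectors: $bytes is not a multiple of $SECTOR" >&2
        return 1
    fi
    echo $(( bytes / SECTOR ))
}

# dm_linear_table DEV START_SECTOR SIZE_SECTORS: emit the one-line table
# "0 <size> linear <dev> <start>" that 'dmsetup create' reads on stdin.
dm_linear_table() {
    local dev=$1 start=$2 size=$3
    printf '0 %s linear %s %s\n' "$size" "$dev" "$start"
}

run_hook() {
    local dev=/dev/sda                                   # assumption
    local start_bytes=$(( 50 * 1024 * 1024 ))            # assumption: 50 MiB in
    local size_bytes=$(( 8 * 1024 * 1024 * 1024 ))       # assumption: 8 GiB long
    local start size

    # Same module load the stock encrypt hook performs.
    modprobe -a -q dm-mod dm-crypt >/dev/null 2>&1

    start=$(bytes_to_sectors "$start_bytes") || return 1
    size=$(bytes_to_sectors "$size_bytes")   || return 1

    # Expose the raw slice as /dev/mapper/encpart without consulting any partition table.
    dm_linear_table "$dev" "$start" "$size" | dmsetup create encpart

    # Decrypt it. Plain mode has no header, so the cipher, key size and hash must be
    # exactly those used at creation time; a mismatch gives random data, not an error.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
        /dev/mapper/encpart cryptroot
}
```

With this hook the kernel command line must carry root=/dev/mapper/cryptroot (or whatever name you pass to cryptsetup open), and the mkinitcpio image must be regenerated after every edit to the hook. For a tc-play or LUKS volume only the cryptsetup line changes; the dm mapping is identical.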

Preparing the bootloader

Now to do away with the boot partition, we use a customised bootloader designed for anti-forensics. The Tiny Linux Bootloader expects the kernel and initrd to be concatenated after the bootloader code in a single image written to the start of the disk, rather than stored as files in a boot partition.

 git clone https://github.com/drgowen/tiny-linux-bootloader
 cd tiny-linux-bootloader

Edit build.sh to point at your kernel and initrd (on Arch these are /boot/vmlinuz-linux and /boot/initramfs-linux.img) and to pass a kernel command line whose root= names the mapped device your hook creates, then run it:

 ./build.sh

then write the resulting image to the disk. This overwrites sector 0 and everything up to the end of the image, so the MBR partition table disappears; remember where your volume starts, since nothing on the disk records it. Before writing, check that the image is smaller than the volume's start offset: if it is not, it will overwrite the beginning of the encrypted volume (and its header, if it has one). If the disk previously carried a GPT, also destroy the backup GPT header kept in the last sectors of the disk (sgdisk --zap-all does this) before writing the image, otherwise forensic tools simply restore the partition layout from the backup copy:

 dd if=disk of=<HARDDRIVEDEV>
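A guarded version of that write, as an added example that is not from the page or the tiny-linux-bootloader project. It assumes the built image is ./disk, the target is /dev/sda and the volume starts at sector 102400 (50 MiB); it rounds the image size up to whole sectors, reports the last sector the image would occupy, and refuses to run dd if that reaches the volume.

```bash
#!/bin/bash
# Added example (not from the ArchWiki page or the tiny-linux-bootloader
# project): only write the boot image if it ends before the encrypted volume.
# Assumed values: image ./disk, target /dev/sda, volume start sector 102400.

SECTOR=512

# image_fits IMAGE_BYTES START_SECTOR: print the number of sectors an image of
# IMAGE_BYTES bytes occupies when written at sector 0 (rounded up), and succeed
# only if those sectors all lie before START_SECTOR.
image_fits() {
    local bytes=$1 start=$2
    local sectors=$(( (bytes + SECTOR - 1) / SECTOR ))
    echo "$sectors"
    [ "$sectors" -le "$start" ]
}

# write_image IMAGE DEV START_SECTOR: the guarded dd. Fails, without touching
# the disk, when the image would overlap the volume.
write_image() {
    local image=$1 dev=$2 start=$3
    local bytes used
    bytes=$(stat -c %s "$image") || return 1
    if ! used=$(image_fits "$bytes" "$start"); then
        echo "refusing: $image needs $used sectors but the volume starts at sector $start" >&2
        return 1
    fi
    echo "image occupies sectors 0-$(( used - 1 )); volume starts at sector $start"
    dd if="$image" of="$dev" bs=512 conv=fsync
}

# Usage with the assumed values (destructive; run only on the intended disk):
# write_image disk /dev/sda 102400
```

The margin printed by write_image is worth keeping: a later kernel or initrd update produces a larger image, and the check must be repeated each time the image is rebuilt.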

Now reboot. If everything worked, the system boots straight from the image. Examining the disk afterwards shows no partitions: fdisk -l reports none, and forensic tools that read the partition table find nothing to mount. The encrypted data and the bootloader code are still there, so do not mistake this for deniability against an examiner who inspects raw sectors or runs an entropy scan.