
Thread: HOWTO: Set up Full Disk Encryption in a Dual Boot System

  1. #1
    Join Date
    Feb 2007
    Beans
    23

    HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Hi there, this is my first tutorial, so I apologise if it's a little rough around the edges.

    What This Covers

    This tutorial will allow you to create a basic dual boot system, using only free open source software, which is fully encrypted (apart from a boot partition).

    I am by no means an encryption expert, so please do not take anything I say as canon.

    At the end of this tutorial, you will have a system in which both windows and ubuntu are completely encrypted, including swap space, the windows page file, and hibernation files.

    Warnings

    I have only tried this on a VMware virtual machine, and my HP 530 laptop. I cannot guarantee it will work on any computer.

    Also, this is not bulletproof. It is difficult to change the LUKS passphrase, and does not support keyfiles. You will therefore have to rely upon a very strong passphrase, which cannot change.

    Also, your boot files will not be encrypted. There are ways around this; you can save them to a USB key, and take that with you, or only mount your boot partition as read only. If you choose the USB option, you must allow your computer to boot from USB, which could allow an attacker to boot a malicious operating system from a USB key. If you choose the read only option, an attacker can still modify your boot files if they are sufficiently motivated, and it will be difficult to update your kernel.

    At the end of the day, you have to decide where to compromise. As a proof of concept, my set up uses a boot partition mounted read/write.

    Ok, that's the nagging over, on to the procedure

    1. Install Windows XP

    This *should* work with vista, but I've not tested it.

    2. Install ubuntu.

    During the installation, use the alternative CD. At the partitioning phase, create a 400mb logical partition, and use the rest of the space to create a final partition. This should be set to 'type Physical Container for Encryption', in the part where you select filesystem.

    It will write changes to disk, just follow the wizard until you get back to the format screen. Then select 'set up encrypted partition' from the top of the menu. Create a partition inside the encrypted partition, and set the type to Logical Volume.

    Once the LV is set up, you can create new logical volumes for home, / and swap. The standard rule is to use twice your RAM for your swap space.

    Once all your disk is set up, it will ask you to create a passphrase. Make sure it is a good one!

    Continue with installation until you have a working system.

    3. Boot to windows, and install Truecrypt.

    Within truecrypt, select full disk encryption. Allow it to encrypt the windows partition ONLY, otherwise it will ruin your ubuntu installation. Tell it windows is on your MBR. It isn't, but we will address this problem later. Follow the instructions on screen; you will have to create a rescue CD and burn it.

    4. Reboot the computer, and check that you can boot to windows.

    If you can, it will allow you to pass through the truecrypt boot loader, and get into windows. You can then encrypt your entire windows partition.

    5. Restore GRUB

    Boot to the ubuntu Desktop cd, and open a terminal. Type

    ls /dev/sd* /dev/hd* 2>/dev/null

    This will list the hard drives on your computer, which should be in the format

    hda hda1 hda2 hda3 hda4

    or

    sda sda1 sda2 sda3 sda4

    use the command

    sudo mkdir /mnt/boot/
    sudo mount /dev/sda* /mnt/boot/

    followed by

    ls /mnt/boot/

    to find your boot partition. If your first guess is wrong, use

    sudo umount /mnt/boot/

    and repeat with a different partition. Your grub partition will include files grub and initrd

    Now we need to copy the MBR. This is set up by truecrypt, and contains your decryption files to boot the operating system.

    The command for this is;

    sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
    sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256

    Remember sda may be hda on your system.

    This copies the MBR

    Then start the grub sub-shell, with the command

    sudo grub

    remember the sudo, otherwise it won't work. In grub, type

    install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p

    replacing * with the partition of your disk. Grub uses a different system to linux, so you will need to subtract one from your partition number. Thus if your boot partition is sda4, grub will require (hd0,3)
    (it doesn't matter if linux says sd or hd).

    Finally, you need to set up grub to chainload the image you took earlier, to load the decryption algorithm.

    All you need to do is edit /mnt/boot/grub/menu.lst so that your windows section looks like

    title Windows XP Professional
    rootnoverify (hd0,0)
    makeactive
    chainloader (hd0,*)/truecrypt.mbr
    boot

    Done! You should now be able to boot, see grub, and select windows. This *should* drop you to the truecrypt bootloader, which will in turn allow you to boot windows after entering your password. Similarly, selecting ubuntu should ask you for your password, then boot it.

    My sincere thanks to Jari Eskelinen, whose tutorial I've borrowed heavily from. This can be found at

    http://keitin.net/jarpatus/articles/...ndex_eng.shtml

    I hope this helps anyone thinking of dual booting with encryption; it really is pretty easy!

    If anyone has questions, please feel free to reply and I'll do my best to answer them (remember, I'm definitely not an expert).
    Also, if there is interest I will try and coax VMware into letting me take screenshots to clear up the more confusing parts!
    Last edited by epiphiny; April 27th, 2008 at 02:28 PM. Reason: Implementing changes recommended by Distue
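
An added example, not part of the original post: a shell check for the `truecrypt.mbr` image saved in step 5, run before GRUB overwrites sector 0 and again later, since the chainloaded image sits on the unencrypted boot partition. The function names and the idea of keeping the digest on the encrypted volume are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a saved MBR image before GRUB overwrites sector 0.
# Function names are illustrative; paths are whatever you passed to dd.

# Return 0 if $1 is exactly 512 bytes and ends with the 0x55 0xAA boot signature.
check_mbr_image() {
    local img=$1 size sig
    [ -f "$img" ] || { echo "missing: $img" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "bad size: $size" >&2; return 1; }
    sig=$(tail -c 2 "$img" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "bad signature: $sig" >&2; return 1; }
}

# Return 0 if the image is byte-identical to the first 512 bytes of $2
# (a disk such as /dev/sda, read as root, or a file standing in for one).
mbr_matches_source() {
    local img=$1 src=$2
    head -c 512 "$src" | cmp -s - "$img"
}

# Print the SHA-256 of the image. Record it somewhere inside the encrypted
# volume (an assumption of this example), not on the boot partition itself.
mbr_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the image still hashes to the previously recorded digest $2.
mbr_unchanged() {
    [ "$(mbr_digest "$1")" = "$2" ]
}

# Usage: sudo sh check_mbr.sh /mnt/boot/truecrypt.mbr /dev/sda
if [ "$#" -eq 2 ]; then
    check_mbr_image "$1" && mbr_matches_source "$1" "$2" && mbr_digest "$1"
fi
```

If any check fails, the copy is not a usable boot sector and the `install` command in the grub shell should not be run until the `dd` step has been repeated.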

  2. #2
    Join Date
    Jul 2005
    Beans
    82

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Thanks for this! I've been meaning to try the dual boot full disk encryption with Truecrypt ever since they offered full disk encryption. I'll do this in a VM as soon as I find time to test it. If it works out for me, it'll go on my laptop.

    Thanks again.

  3. #3
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Hello,

    first thanks for the tutorial. It worked for me with Kubuntu 8.04 and Windows Vista Business.

    I just had to do these modifications:

    #1

    The dd commands need "sudo" in my case:

    dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
    dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
    to

    sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
    sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
    #2

    I have a boot partition, where the mount point is /boot, so /boot is not necessary:

    install (hd0,*)/boot/grub/stage1 (hd0) (hd0,*)/boot/grub/stage2 0x8000 p
    to

    install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p
    Thanks again

  4. #4
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Another point:

    I've read somewhere that it is not that good an idea to create the swap partition with the logical volume manager due to performance reasons.

  5. #5
    Join Date
    Feb 2007
    Beans
    23

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Thanks Distue, good point well made - it's always easy to leave out stuff! I've edited the post to include the changes.

    You can certainly create another logical partition for encryption, set it to swap, and set it to have a random passphrase (it's in the screen where you set the options like AES encryption etc). That said, I haven't noticed any performance issues, but you can certainly change it if you think it will make a difference.

  6. #6
    Join Date
    Nov 2007
    Beans
    46
    Distro
    Ubuntu Jaunty Jackalope (testing)

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    You don't actually have to restore the grub, because you can ESC-key out of the truecrypt bootloader residing in MBR and it will look for any other bootable partitions. That is unless of course you want the linux bootloader to be on MBR and load linux by default (truecrypt bootloader will just sit there and wait for your input).

    1. Install windows whatever
    2. Install linux whichever way you want for dual or multi boot. Verify that you can still boot to windows and linux.
    3. In linux install the grub to a bootable partition e.g. the /boot partition when using LUKS.
    Code:
    $ sudo grub
    # n = the /boot (or root) partitions number minus 1
    # e.g. if boot partition is the second partition on your drive, n = 1
    grub> root (hd0,n)
    grub> setup (hd0,n)
    4. Install truecrypt in windows and encrypt the windows partition. Because of step 3 you can safely let truecrypt install the bootloader to MBR.
    5. On boot, hit esc in the truecrypt prompt if you want to load linux (you'll see the grub menu).

    Truecrypt is really good and smart software =)

  7. #7
    Join Date
    Feb 2007
    Beans
    23

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    That should work, but on my system it couldn't find the grub bootloader. The way I wrote the tutorial should work regardless of how you've set up your system...

  8. #8
    Join Date
    Oct 2005
    Beans
    12

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Has anyone successfully encrypted an existing installation of ubuntu; or is a fresh install needed?

  9. #9
    Join Date
    Feb 2008
    Beans
    1

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Perhaps you can detail the windows truecrypt procedures described in step 3. It is a little confusing to a new user and one could easily ruin their ubuntu installation (like I may have!)

    Thanks

  10. #10
    Join Date
    Apr 2006
    Beans
    27
    Distro
    Dapper Drake Testing/

    Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

    Thanks a lot for the guide, worked well for me
