Hi there, this is my first tutorial, so I apologise if it's a little rough around the edges.
What This Covers
This tutorial will allow you to create a basic dual boot system, using only free open source software, which is fully encrypted (apart from a boot partition).
I am by no means an encryption expert, so please do not take anything I say as canon.
At the end of this tutorial, you will have a system in which both Windows and Ubuntu are completely encrypted, including swap space, the Windows page file, and hibernation files.
Warnings
I have only tried this on a VMware virtual machine, and my HP 530 laptop. I cannot guarantee it will work on any computer.
Also, this is not bulletproof. It is difficult to change the LUKS passphrase, and does not support keyfiles. You will therefore have to rely upon a very strong passphrase, which cannot change.
Also, your boot files will not be encrypted. There are ways around this; you can save them to a USB key, and take that with you, or only mount your boot partition as read only. If you choose the USB option, you must allow your computer to boot from USB, which could allow an attacker to boot a malicious operating system from a USB key. If you choose the read only option, an attacker can still modify your boot files if they are sufficiently motivated, and it will be difficult to update your kernel.
At the end of the day, you have to decide where to compromise. As a proof of concept, my set up uses a boot partition mounted read/write.
OK, that's the nagging over, on to the procedure.
1. Install Windows XP
This *should* work with Vista, but I've not tested it.
2. Install Ubuntu.
During the installation, use the alternate CD. At the partitioning phase, create a 400 MB logical partition, and use the rest of the space to create a final partition. This should be set to 'type Physical Container for Encryption', in the part where you select the filesystem.
It will write changes to disk; just follow the wizard until you get back to the format screen. Then select 'set up encrypted partition' from the top of the menu. Create a partition inside the encrypted partition, and set the type to Logical Volume.
Once the LV is set up, you can create new logical volumes for home, / and swap. The standard rule is to use twice your RAM for your swap space.
Once all your disk is set up, it will ask you to create a passphrase. Make sure it is a good one!
Continue with installation until you have a working system.
3. Boot to Windows, and install TrueCrypt.
Within TrueCrypt, select full disk encryption. Allow it to encrypt the Windows partition ONLY, otherwise it will ruin your Ubuntu installation. Tell it Windows is on your MBR. It isn't, but we will address this problem later. Follow the instructions on screen; you will have to create a rescue CD and burn it.
4. Reboot the computer, and check that you can boot to Windows.
If you can, it will allow you to pass through the TrueCrypt boot loader, and get into Windows. You can then encrypt your entire Windows partition.
5. Restore GRUB
Boot to the Ubuntu Desktop CD, and open a terminal. Type
ls /dev/sd* /dev/hd* 2>/dev/null
This will list the hard drives on your computer, which should be in the format
hda hda1 hda2 hda3 hda4
or
sda sda1 sda2 sda3 sda4
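Use the commands below, replacing * with the number of the partition you want to try (do not type the asterisk itself, as the shell would expand it to every partition)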
sudo mkdir /mnt/boot/
sudo mount /dev/sda* /mnt/boot/
followed by
ls /mnt/boot/
to find your boot partition. If your first guess is wrong, use
sudo umount /mnt/boot/
and repeat with a different partition. Your GRUB partition will include the files grub and initrd.
Now we need to copy the MBR. This is set up by TrueCrypt, and contains your decryption files to boot the operating system.
The commands for this are:
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
Remember sda may be hda on your system.
This copies the MBR.
Then start the grub sub-shell, with the command
sudo grub
Remember the sudo, otherwise it won't work. In grub, type
install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p
replacing * with the partition of your disk. GRUB uses a different numbering system to Linux, so you will need to subtract one from your partition number. Thus if your boot partition is sda4, GRUB will require (hd0,3)
(it doesn't matter if Linux says sd or hd).
Finally, you need to set up GRUB to chainload the image you took earlier, to load the decryption algorithm.
All you need to do is edit /mnt/boot/grub/menu.lst so that your Windows section looks like
title Windows XP Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,*)/truecrypt.mbr
boot
Done! You should now be able to boot, see GRUB, and select Windows. This *should* drop you to the TrueCrypt bootloader, which will in turn allow you to boot Windows after entering your password. Similarly, selecting Ubuntu should ask you for your password, then boot it.
My sincere thanks to Jari Eskelinen, whose tutorial I've borrowed heavily from. This can be found at
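A sanity check for step 5, added here as an example and not part of the original tutorial: run it from the live CD after the two dd commands and before typing install in the GRUB shell, since that command overwrites the sector you just backed up. The script name check-mbr.sh and the function names are made up for this example, and it assumes the first disk (sda or hda) as the tutorial does.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks to run from the live CD
# after the dd backup and before GRUB's install command overwrites the MBR.

# Succeeds only if FILE is exactly one 512-byte sector ending in the 55 aa
# boot signature, which GRUB's chainloader expects to find.
check_mbr_image() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    _size=$(wc -c < "$1" | tr -d ' ')
    [ "$_size" -eq 512 ] || { echo "$1: $_size bytes, expected 512" >&2; return 1; }
    _sig=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$_sig" = "55aa" ] || { echo "$1: no 55 aa boot signature" >&2; return 1; }
}

# Succeeds if IMAGE is byte-identical to the first sector of DISK
# (a device such as /dev/sda, which needs sudo, or a disk image file).
matches_disk() {
    head -c 512 "$2" | cmp -s - "$1"
}

# Prints the GRUB legacy name for a partition on the first disk:
# sda4 -> (hd0,3). Other disks are rejected (assumption: hd0, as in the tutorial).
grub_legacy_name() {
    _dev=${1#/dev/}
    case $_dev in
        [sh]da[1-9]|[sh]da[1-9][0-9]) ;;
        *) echo "unsupported device: $1" >&2; return 1 ;;
    esac
    echo "(hd0,$(( ${_dev#?da} - 1 )))"
}

# Usage (hypothetical script name):
#   sudo sh check-mbr.sh /mnt/boot/truecrypt.mbr /dev/sda sda4
if [ "$#" -eq 3 ]; then
    check_mbr_image "$1" && matches_disk "$1" "$2" || {
        echo "do not run GRUB's install yet: MBR backup is not usable" >&2
        exit 1
    }
    echo "backup OK; boot partition for GRUB: $(grub_legacy_name "$3")"
fi
```

If the check fails, repeat the dd step before touching the MBR; once GRUB's stage1 has been installed, the image file is the only copy of the TrueCrypt boot sector apart from the rescue CD.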
http://keitin.net/jarpatus/articles/...ndex_eng.shtml
I hope this helps anyone thinking of dual booting with encryption; it really is pretty easy!
If anyone has questions, please feel free to reply and I'll do my best to answer them (remember, I'm definitely not an expert).
Also, if there is interest I will try and coax VMware into letting me take screenshots to clear up the more confusing parts!