HOWTO: Set up Full Disk Encryption in a Dual Boot System
Hi there, this is my first tutorial, so I apologise if it's a little rough around the edges.
What This Covers
This tutorial will allow you to create a basic dual boot system, using only free open source software, which is fully encrypted (apart from a boot partition).
I am by no means an encryption expert, so please do not take anything I say as canon.
At the end of this tutorial, you will have a system in which both windows and ubuntu are completely encrypted, including swap space, the windows page file, and hibernation files.
Warnings
I have only tried this on a VMware virtual machine, and my HP 530 laptop. I cannot guarantee it will work on any computer.
Also, this is not bulletproof. It is difficult to change the LUKS passphrase, and does not support keyfiles. You will therefore have to rely upon a very strong passphrase, which cannot change.
Also, your boot files will not be encrypted. There are ways around this; you can save them to a USB key, and take that with you, or only mount your boot partition as read only. If you choose the USB option, you must allow your computer to boot from USB, which could allow an attacker to boot a malicious operating system from a USB key. If you choose the read only option, an attacker can still modify your boot files if they are sufficiently motivated, and it will be difficult to update your kernel.
At the end of the day, you have to decide where to compromise. As a proof of concept, my set up uses a boot partition mounted read/write.
Ok, that's the nagging over, on to the procedure.
1. Install Windows XP
This *should* work with vista, but I've not tested it.
2. Install ubuntu.
During the installation, use the alternative CD. At the partitioning phase, create a 400 MB logical partition, and use the rest of the space to create a final partition. This should be set to type 'Physical Container for Encryption', in the part where you select the filesystem.
It will write changes to disk; just follow the wizard until you get back to the format screen. Then select 'set up encrypted partition' from the top of the menu. Create a partition inside the encrypted partition, and set the type to Logical Volume.
Once the LV is set up, you can create new logical volumes for home, / and swap. The standard rule is to use twice your RAM for your swap space.
Once all your disk is set up, it will ask you to create a passphrase. Make sure it is a good one!
Continue with installation until you have a working system.
3. Boot to windows, and install Truecrypt.
Within truecrypt, select full disk encryption. Allow it to encrypt the windows partition ONLY, otherwise it will ruin your ubuntu installation. Tell it windows is on your MBR. It isn't, but we will address this problem later. Follow the instructions on screen; you will have to create a rescue CD and burn it.
4. Reboot the computer, and check that you can boot to windows.
If you can, it will allow you to pass through the truecrypt boot loader, and get into windows. You can then encrypt your entire windows partition.
5. Restore GRUB
Boot to the ubuntu Desktop cd, and open a terminal. Type
ls /dev/sd* /dev/hd*
This will list the hard drives on your computer, which should be in the format
hda hda1 hda2 hda3 hda4
or
sda sda1 sda2 sda3 sda4
use the command
sudo mkdir /mnt/boot/
sudo mount /dev/sda* /mnt/boot/
followed by
ls /mnt/boot/
to find your boot partition. If your first guess is wrong, use
sudo umount /mnt/boot/
and repeat with a different partition. Your grub partition will include the files grub and initrd.
Now we need to copy the MBR. This is set up by truecrypt, and contains your decryption files to boot the operating system.
The command for this is:
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
Remember sda may be hda on your system.
This copies the MBR.
Then start the grub sub-shell, with the command
sudo grub
remember the sudo, otherwise it won't work. In grub, type
install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p
replacing * with the partition of your disk. Grub uses a different numbering system to linux, so you will need to subtract one from your partition number. Thus if your boot partition is sda4, grub will require (hd0,3)
(it doesn't matter if linux says sd or hd).
Finally, you need to set up grub to chainload the image you took earlier, to load the decryption algorithm.
All you need to do is edit /mnt/boot/grub/menu.lst so that your windows section looks like
title Windows XP Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,*)/truecrypt.mbr
boot
Done! You should now be able to boot, see grub, and select windows. This *should* drop you to the truecrypt bootloader, which will in turn allow you to boot windows after entering your password. Similarly, selecting ubuntu should ask you for your password, then boot it.
My sincere thanks to Jari Eskelinen, whose tutorial I've borrowed heavily from. This can be found at
http://keitin.net/jarpatus/articles/...ndex_eng.shtml
I hope this helps anyone thinking of dual booting with encryption; it really is pretty easy!
If anyone has questions, please feel free to reply and I'll do my best to answer them (remember, I'm definitely not an expert).
Also, if there is interest I will try and coax VMware into letting me take screenshots to clear up the more confusing parts!
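As an added example that is not part of the original post, the three fiddly bits of step 5 as small shell helpers: the Linux-to-GRUB-legacy partition renumbering (sda4 becomes hd0,3), a check that the dumped MBR image really is one 512-byte sector carrying the 0x55AA boot signature before you chainload it (a dd against the wrong device produces a file GRUB will happily chainload into garbage), and the menu.lst stanza generated from the result. It assumes GRUB legacy naming and runs its demo on a constructed image, never on a real disk.

```shell
#!/bin/sh
# Added helpers for step 5 of the tutorial (example code, not from the original post).
# Assumes GRUB legacy naming (hd0,n) and Linux device names like sda4 or hda2.

# Map a Linux partition name to GRUB legacy notation: sda4 -> hd0,3, hdb1 -> hd1,0.
# GRUB counts disks and partitions from zero; Linux counts partitions from one.
grub_part() {
    dev=${1#/dev/}
    case "$dev" in
        [sh]d[a-z][1-9]|[sh]d[a-z][1-9][0-9]) ;;
        *) echo "grub_part: unsupported device name '$1'" >&2; return 1 ;;
    esac
    letter=$(printf '%s' "$dev" | cut -c3)
    partnum=$(printf '%s' "$dev" | cut -c4-)
    diskidx=$(( $(printf '%d' "'$letter") - 97 ))   # 'a' is ASCII 97
    printf 'hd%d,%d\n' "$diskidx" $(( partnum - 1 ))
}

# Sanity-check an MBR image before chainloading it: exactly one 512-byte sector
# ending in the 0x55AA boot signature. Fails (returns 1) otherwise.
mbr_is_bootable() {
    [ "$(wc -c < "$1")" -eq 512 ] || return 1
    [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# Print the menu.lst stanza from the tutorial. $1 = Windows partition and
# $2 = /boot partition, both in GRUB notation; $3 = saved MBR image name on /boot.
menu_stanza() {
    printf 'title Windows XP Professional\nrootnoverify (%s)\nmakeactive\nchainloader (%s)/%s\nboot\n' \
        "$1" "$2" "$3"
}

# Demo on a constructed 512-byte image with a valid signature (does not touch a real disk).
demo_mbr=$(mktemp)
dd if=/dev/zero of="$demo_mbr" bs=512 count=1 2>/dev/null
printf '\125\252' | dd of="$demo_mbr" bs=1 seek=510 conv=notrunc 2>/dev/null
if mbr_is_bootable "$demo_mbr"; then
    menu_stanza "$(grub_part sda1)" "$(grub_part sda4)" truecrypt.mbr
fi
rm -f "$demo_mbr"
```

On a real system you would run mbr_is_bootable against /mnt/boot/truecrypt.mbr after the dd in the tutorial, and only then paste the generated stanza into /mnt/boot/grub/menu.lst.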
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Thanks for this! I've been meaning to try the dual boot full disk encryption with Truecrypt ever since they offered full disk encryption. I'll do this in a VM as soon as I find time to test it. If it works out for me, it'll go on my laptop.
Thanks again.
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Hello,
First, thanks for the tutorial. It worked for me with Kubuntu 8.04 and Windows Vista Business.
I just had to do these modifications:
#1
The dd commands need "sudo" in my case:
Quote:
dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
to
Quote:
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
#2
I have a boot partition, where the mount point is /boot, so /boot is not necessary:
Quote:
install (hd0,*)/boot/grub/stage1 (hd0) (hd0,*)/boot/grub/stage2 0x8000 p
to
Quote:
install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p
Thanks again
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Another point:
I've read somewhere that it is not that good an idea to create the swap partition with the logical volume manager, due to performance reasons.
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Thanks Distue, good point well made - it's always easy to leave out stuff! I've edited the post to include the changes.
You can certainly create another logical partition for encryption, set it to swap, and set it to have a random passphrase (it's in the screen where you set the options like AES encryption etc). That said, I haven't noticed any performance issues, but you can certainly change it if you think it will make a difference.
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
You don't actually have to restore the grub, because you can ESC-key out of the truecrypt bootloader residing in MBR and it will look for any other bootable partitions. That is unless of course you want the linux bootloader to be on MBR and load linux by default (truecrypt bootloader will just sit there and wait for your input).
1. Install windows whatever
2. Install linux whichever way you want for dual or multi boot. Verify that you can still boot to windows and linux.
3. In linux install the grub to a bootable partition e.g. the /boot partition when using LUKS.
Code:
$ sudo grub
# n = the /boot (or root) partitions number minus 1
# e.g. if boot partition is the second partition on your drive, n = 1
grub> root (hd0,n)
grub> setup (hd0,n)
4. Install truecrypt in windows and encrypt the windows partition. Because of step 3 you can safely let truecrypt install the bootloader to MBR.
5. On boot, hit esc in the truecrypt prompt if you want to load linux (you'll see the grub menu).
Truecrypt is really good and smart software =)
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
That should work, but on my system it couldn't find the grub bootloader. The way I wrote the tutorial should work regardless of how you've set up your system...
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Has anyone successfully encrypted an existing installation of ubuntu; or is a fresh install needed?
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
perhaps you can detail the windows truecrypt procedures described in step 3. It is a little confusing to a new user and one could easily ruin their ubuntu installation (like I may have!)
Thanks
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System
Thanks a lot for the guide, worked well for me :)