HOWTO: Set up Full Disk Encryption in a Dual Boot System

[tymtheenchanter]

First off, thanks for the instructions, they worked perfectly first time


ubumar & zachwoodham
I haven't tried this yet, but you might be able to use truecrypt in linux to mount the windows system disk as a device?

-- Edit --
Just tried this and truecrypt has an option to mount an encrypted system volume. Works perfectly.

[JustHall]

Sorry to bump an old topic, but I can't seem to resolve an issue I'm having and people who read this thread may have more insight than I.

The instructions in this thread worked perfectly, however I would like to customize the TrueCrypt boot loader pre-boot authentication behavior. In TrueCrypt, under System -> Settings, you can check a box labeled "Do not show any texts in the pre-boot authentication screen (except the below custom message)" and then you can enter your own custom text in the box provided. Additionally, you can un-check a box at the bottom of this window labeled "Allow pre-boot authentication to be bypassed by pressing the Esc key (enables boot manager)" to prevent the Esc key from doing anything. This allows you to fake somebody into thinking your system is absent or corrupt.

Manipulating these options works great, until you get to the point where it's time to restore GRUB. Upon saving the TrueCrypt MBR and restoring GRUB, those settings seem to disappear. Selecting the Windows boot option in GRUB loads the standard TrueCrypt boot loader (full default text and you can press Esc, etc.), seemingly ignoring or losing the settings I had set prior to restoring GRUB.

Furthermore, now that TrueCrypt is no longer in the MBR, you can't go into the application and customize the options anymore. If you try, it brings up a message indicating that TrueCrypt isn't in your MBR so the settings may not be saved.

I assume these custom settings are stored in the MBR, but if that were the case then I would also assume they would be saved when you use dd to write the truecrypt.mbr file on your Linux boot partition.

Any thoughts or suggestions?

Thanks in advance.

[mk4umha]

Sorry to bump an old topic, but I can't seem to resolve an issue I'm having and people who read this thread may have more insight than I.

The instructions in this thread worked perfectly, however I would like to customize the TrueCrypt boot loader pre-boot authentication behavior. In TrueCrypt, under System -> Settings, you can check a box labeled "Do not show any texts in the pre-boot authentication screen (except the below custom message)" and then you can enter your own custom text in the box provided. Additionally, you can un-check a box at the bottom of this window labeled "Allow pre-boot authentication to be bypassed by pressing the Esc key (enables boot manager)" to prevent the Esc key from doing anything. This allows you to fake somebody into thinking your system is absent or corrupt.

Manipulating these options works great, until you get to the point where it's time to restore GRUB. Upon saving the TrueCrypt MBR and restoring GRUB, those settings seem to disappear. Selecting the Windows boot option in GRUB loads the standard TrueCrypt boot loader (full default text and you can press Esc, etc.), seemingly ignoring or losing the settings I had set prior to restoring GRUB.

Furthermore, now that TrueCrypt is no longer in the MBR, you can't go into the application and customize the options anymore. If you try, it brings up a message indicating that TrueCrypt isn't in your MBR so the settings may not be saved.

I assume these custom settings are stored in the MBR, but if that were the case then I would also assume they would be saved when you use dd to write the truecrypt.mbr file on your Linux boot partition.

Any thoughts or suggestions?

Thanks in advance.

Hmmm, interesting, I was hoping this method would work the way I thought it would. maybe it's possible to enter 2 passwords? One for Windows, the 2nd one for Linux using truecrypt?

[operat0r]

*** SOLVED **

be sure the mbr file is loading from the right part .. DUH...

Code:

title           Microsoft Windows XP Professional
root            (hd0,0)
savedefault
makeactive
chainloader (hd0,4)/boot/truecrypt.mbr

Not sure what I am missing I can't get windows to boot now:


Device Boot Start End Blocks Id System
/dev/sda1 * 1 7256 58283788+ 7 HPFS/NTFS
/dev/sda2 7257 14593 58934452+ 5 Extended
/dev/sda5 7257 14288 56484508+ 83 Linux
/dev/sda6 14289 14593 2449881 82 Linux swap / Solaris


head /boot/truecrypt.mbr
ê| TrueCrypt Boot Loader
°}èf;²}t%öF}uÆF}± ö·}u*6U}èS6|èLëþÀØúмûRh´f3Û¾èºfS»
hzhhç|hËÄZÀt 6U}èþ6·}ÀØúмükûhË3Û´ü¬ÀtÍë÷õ¶´Ís6G}èàÿÃf3Àü¬fØfÑ Ãâ÷ÃDisk error


so I know the MBR was backed up properly


I know windows could boot before/truecrypt

here is my menu.lst

I treid adding the UUID line to the windows titles after none of them worked ... what am I missing ?

Code:

default         0
timeout         10
splashimage=b5d01231-261d-4694-a2c1-ec4063bd6d38/boot/grub/splash.xpm.gz

title           Ubuntu 8.10, kernel 2.6.30.9
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
kernel          /boot/vmlinuz-2.6.30.9 root=UUID=b5d01231-261d-4694-a2c1-ec4063bd6d38 ro quiet splash
initrd          /boot/initrd.img-2.6.30.9
quiet

title           Ubuntu 8.10, kernel 2.6.30.9 (recovery mode)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
kernel          /boot/vmlinuz-2.6.30.9 root=UUID=b5d01231-261d-4694-a2c1-ec4063bd6d38 ro  single
initrd          /boot/initrd.img-2.6.30.9

title           Ubuntu 8.10, memtest86+
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
kernel          /boot/memtest86+.bin
quiet


title           Other operating systems:
root


title           Microsoft Windows XP Professional
root            (hd0,0)
savedefault
makeactive
chainloader     +1

title Windows XP Professional
rootnoverify (hd0,0)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,0)/boot/truecrypt.mbr
boot

title Windows XP Professional 2
rootnoverify (hd0,0)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,0)/truecrypt.mbr
boot


title Windows XP Professional 3
rootnoverify (hd0,4)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,4)/truecrypt.mbr
boot


title Windows XP Professional 4
rootnoverify (hd0,4)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,4)/boot/truecrypt.mbr
boot





title Windows XP Professional 5
rootnoverify (hd0,1)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,1)/boot/truecrypt.mbr
boot


title Windows XP Professional 6
rootnoverify (hd0,1)
uuid            b5d01231-261d-4694-a2c1-ec4063bd6d38
makeactive
chainloader (hd0,1)/truecrypt.mbr
boot

[xenosaga456]

hey im having problems doing this ??

5. Restore GRUB

Boot to the ubuntu Desktop cd, and open a terminal. Type

ls /dev/sd* && ls hd*

This will list the hard drives on your computer, which should be in the format

hda hda1 hda2 hda3 hda4

or

sda sda1 sda2 sda3 sda4

use the command

sudo mkdir /mnt/boot/
sudo mount /dev/sda* /mnt/boot/

followed by

ls /mnt/boot/

to find your boot partition. If your first guess is wrong, use

umount /mnt/boot/

and repeat with a different partition. Your grub partition will include files grub and initrd

Now we need to copy the MBR. This is set up by truecrypt, and contains your decryption files to boot the opperating system.

The command for this is;

sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256

Remember sda may be hda on your system.

This copies the MBR

Then start the grub sub-shell, with the command

sudo grub

remember the sudo, otherwise it won't work. In grub, type

install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p

repacing * with the partition of your disk. Grub uses a diferent system to linux, so you will need to subtract one from your partition number. Thus if your boot partition is sda4, grub will require (hd0,3)
(it doesn't matter if linux says sd or hd).

Finally, you need to set up grub to chainload your the image you took earlier, to load the decryption algorithm.

All you need to do edit /mnt/boot/grub/menu.lst so that your windows sections looks like






when i get to

Code:

install (hd0,7)/grub/stage1 (hd0) (hd0,7)/grub/stage2 0x8000 p

its gives me erroe 15 ??

i do all of this then i try to install grub with the above command and it gives me error 15??

Code:

sudo mount /dev/sda8 /mnt/boot/

Code:

ls /mnt/boot/
abi-2.6.32-21-generic         System.map-2.6.32-21-generic
config-2.6.32-21-generic      truecrypt.backup
grub                          truecrypt.mbr
initrd.img-2.6.32-21-generic  vmcoreinfo-2.6.32-21-generic
lost+found                    vmlinuz-2.6.32-21-generic
memtest86+.bin

you can see my problem on youtube
http://www.youtube.com/watch?v=-AcrNITmXW4

[xenosaga456]

hey i fied it

[xenosaga456]

well what i did was really complicated
but i dloaded super grub disk
then i used it to get to the origonal boot loader and ran grub from there
then i wrote grub to the MBR
next i used a live CD to open my /boot hard drive and went to my grub and copyed it from there and pasted it to the /boot folder
then i rebooted it
now trucrypt says press 'ese' to see othe hdd
then it boots from sda8 to grub where i can start ubuntu or windows if i want

[iniju]

Hi xenosaga456,

I'm trying to follow the step that you described above, as I am also getting the error 15.

Could you please detail explain in a bit more detail the super grub disk step?

Thanks and regards

[anirudh.srivathsa]

If i change the passphrase for encrypting the system, will it affect the key generated? will it affect the data present in the system?

[guimaster]

Also, your boot files will not be encrypted. There are ways around this; you can save them to a USB key, and take that with you, or only mount your boot partition as read only. If you choose the USB option, you must allow your computer to boot from USB, which could allow an attacker to boot a malicious opperating system from a USB key. If you choose the read only option, an attacker can still modify your boot files if they are sufficiently motivated, and it will be difficult to update your kernel.

At the end of the day, you have to decide where to comprimise. As a proof of concept, my set up uses a boot partition mounted read/write.

What does this comment mean? Can someone actually modify the boot partition to enable getting around the encryption?

Thanks.