Encrypted PC Triple-Boot with BitLocker, LUKS, and Key Files Howto

Some people when faced with data confidentiality problems think "I know, I'll use encryption". Now they have key management problems. - Marsh Ray

Credits

This particular howto was helped by this dm-crypt howto on ArchWiki and this thread on debianforum.de (English translation).

This library also has two similar howtos that use passwords instead of key files: an elegant triple-booting solution with BitLocker, and a not-so-elegant triple-booting hack with TrueCrypt.

Purpose

This howto is for either installing two side-by-side versions of Microsoft Windows with a GNU/Linux distribution or starting with a single version of Microsoft Windows, installing another version beside it, and installing a distribution of GNU/Linux beside both, encrypting every possible partition, and securing decryption access with key files instead of passwords or passphrases.

The operating systems (OSes) used as examples are Microsoft Windows 7 Home Premium, Microsoft Windows 8 Pro, and Linux Mint 14 (codename "Nadia") MATE Edition.

The encryption systems used in this howto are Windows 8 BitLocker and the Linux Unified Key Setup (LUKS) with the Linux kernel device mapper (dm-crypt).  Access to volumes encrypted by BitLocker requires any edition of Windows Vista or later, but management of BitLocker volumes is not available in the Starter, Home Basic, and Home Premium editions of Windows.  The lack of BitLocker management tools in the home editions of Windows Vista and Windows 7 is why this howto requires Windows 8.

BitLocker always generates its own key files, and they're recognizable instantly as BitLocker key files.  But LUKS allows any file to be used as a key file without regard for any other purpose a key file may serve.  This means it is possible to use things like documents, pictures, sound recordings, or archives as key files.  If you use an existing file as a key file, then you must ensure that not even one single byte is ever changed, or it stops being a valid key and you'll never be able to boot into Linux again.  Also, by using another file as a key file, you lose a lot of randomness while enabling an adversary who knows anything about you to guess what your key file may be.

If you decide for any reason that using an existing file is better than generating random data for a dedicated key file, then skip the directions for creating a key file, copy your key file in its place, and substitute the name of your actual key file for "linuxmint.key" below.

This howto will not strictly achieve full disk encryption.  The only way that can happen is if every OS installed on the disk is configured to boot from a separate disk.  It will, however, achieve practical encryption of every data partition.  The only partitions on the system disk that won't be encrypted are the factory restore partition if present, the Windows repair partition, and the Linux boot partition.

Disk Encryption Strength and Weaknesses

If you want to keep the data on your PC private, even if your PC is stolen, then it's not enough to use password-protected access.  The reason is that ordinary password access can be bypassed very easily and trivially, and if your data is not in an encrypted volume, then it's all accessible as soon as the password is bypassed.  If data is stored in encrypted volumes, then it can't be accessed unless it's decrypted, and that can't happen unless the password used for encryption is known.  An alternative to memorizing passwords is to use keys stored on removable drives.

The strength is that no one can access your data without your encryption key.  The weaknesses are that you can't access it either if you lose the key, keys can be stolen, you could conceivably find yourself in a situation where you'd have to surrender the key, spyware on your PC has as much free access to encrypted data as you do, and any data you copy or save outside of encrypted volumes (such as on ordinary thumb drives) is saved without encryption.

With keys instead of passwords, you gain the potential for greater key strength by not having to make the key short enough to memorize.  However, you risk key theft if you keep the key too close to the PC while using it, and you lose plausible deniability as well as denial of access if you are compelled or forced by an adversary to surrender the key.  These instructions assume that you are at least a little familiar with these risks and that you are willing to accept them.

What you will need

A Windows 7 installation disk and product key valid for that edition, or a PC preinstalled with Windows 7.

If you have a PC preinstalled with Windows 7, then create a factory restore disk set.  If you make a mistake that you can't recover from, then the factory restore disks will be the only way to get a working PC again.  Keep the factory restore disks in a safe place.

A Windows 8 Pro installation disk and product key.

A Linux Mint 14 installation disk.  The disk must have a live desktop environment as well as the installer.

A removable disk drive, such as a USB hard disk or a USB thumb drive to store the keys.  If you don't want to store the keys for all three operating systems on the same drive, then you will need one drive for each key.  Windows BitLocker also requires you to store recovery keys somewhere; if you don't print them out and don't want to store them on the same drive(s) as your access keys, then you will need yet another removable disk for them.

An Internet connection.

A wireless or ethernet adapter compatible with all three operating systems, connected to the Internet.

LVM2, CryptSetup, Hashalot, and their dependencies for encrypting the Linux partition. If they're not included in the Linux live desktop environment, then they should be available in the package repository for installation via the Internet.

Backup copies of all your important data and settings saved on external drives or disks, if any were saved to the PC's hard disk before setting up disk encryption.  It's better to have backups and not need them than to need backups and not have them.

Six hours of time.

Courage and the willingness to risk reinstalling your operating systems if you break your PC's ability to boot.  Partitioning hard disks and installing things into their boot records carries that risk.  The risk is relatively small, but it is definitely there.

How To Do It: Windows 7, Windows 8, and Linux Mint 14

At any point in these instructions where you have to remove a removable disk drive, be sure to use the safe ejection feature.  In Windows, this is the "Safely remove hardware" icon in the taskbar next to the clock on the desktop.  In Linux, this is the eject icon next to the device in a file manager window's places sidebar.  If you don't, then you risk data (such as your encryption keys) not actually being saved and being lost instead.

Installing Windows 7 on a blank PC

Boot the Windows 7 installation disk and install Windows 7 according to Microsoft's directions.  Use the entire disk and worry about partitioning later.

You can install your programs and customize your settings now if you want.  If you do, then install updates as well.

The partitioning layout should be:

  • Disk 0 Partition 1 or sda1: A primary bootable partition, 100 MB in size, holding the Windows boot.  This is called "Windows Boot" in the partitioning directions.  This partition will be left unencrypted.
  • Disk 0 Partition 2 or sda2: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.  This partition will be encrypted later.

Starting with a PC pre-installed with Windows 7

The PC I got and set up for encrypted booting is an Acer Aspire 5733-6838 laptop computer.  It came with Windows 7 preinstalled on it, and the factory restore disk set restores the factory partitioning layout:

  • Disk 0 Partition 1 or sda1: A primary hidden partition, 18 GB in size, holding the factory restore system.  This is called "Factory" in the partitioning directions.  This partition will be left unencrypted.
  • Disk 0 Partition 2 or sda2: A primary bootable partition, 100 MB in size, holding the Windows boot. This is called "Windows Boot" in the partitioning directions.  This partition will be left unencrypted.
  • Disk 0 Partition 3 or sda3: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.  This partition will be encrypted later.

First, as soon as you get to the desktop, burn a factory restore DVD set and an applications/drivers disk. If you make a mistake that you can't recover from, this will be the only way to get a working PC again.

After doing this, uninstall the crapware, install the programs you want, and install updates.

Partition the disk for Windows 7, Windows 8, and Linux Mint 14

Boot into the Linux Mint 14 DVD. In the desktop:

  • Start gparted.
    • Mint Menu -> All applications -> Administration -> GParted
  • Identify the existing partitions.
    • You may have Windows Boot and Windows 7 as /dev/sda1 and /dev/sda2 respectively, or
    • You may have Factory, Windows Boot, and Windows 7 as /dev/sda1, /dev/sda2, and /dev/sda3 respectively.
  • Reduce the size of the Windows 7 partition.  Be sure to leave room for your Windows 7 data as well as two other full operating systems.
  • Create a new extended partition taking up the entire rest of the disk /dev/sda.
  • Create a new logical partition inside the extended partition for Windows 8, about the same size as Windows 7 (taking into consideration your preference and usage plans), and set its type to NTFS.
    • Windows 8 will not install unless the partition's filesystem type is set to NTFS.
    • Change the partition label to "Windows 8" so you can identify it when installing Windows 8 later.
  • Create a new logical partition for Linux Boot, about 1.0 GB in size, and set its type to EXT2.
  • Create a new logical partition for Linux, taking up the rest of the drive's space.
    • Even if you plan to have multiple partitions, such as separate home, root, and swap, they will all be set up later as logical volumes within this single partition.
  • If you haven't already, apply these operations.
  • The partition structure should resemble the following.  Take note of the device names (/dev/sdaX) because the shell commands later will assume this structure:
    • Factory (if present) as /dev/sda1
    • Windows Boot as either /dev/sda2 or /dev/sda1. Shell commands later will assume /dev/sda2.
    • Windows 7 as either /dev/sda3 or /dev/sda2. Shell commands later will assume /dev/sda3.
    • Windows 8 as /dev/sda5
    • Linux Boot as /dev/sda6
    • Linux as /dev/sda7
  • Quit gparted.
  • Restart the PC.
  • When prompted to remove the Linux Mint DVD, replace the Linux Mint DVD with the Windows 8 DVD.

Skip the boot into Windows 8 and boot into Windows 7. Let CHKDSK run and make sure the disk is OK.

Install Windows 8

Boot into the Windows 8 DVD.

After entering the key and accepting the license, choose a custom installation.

Install Windows 8 on the new Windows 8 partition you created in Mint.  The partition should appear as "Drive 0 Partition 4" in the installer.

Install applications and updates for Windows 8.

After the last necessary reboot, restart Windows 8 one more time.

Switch to the Windows 7 boot manager

The boot manager that Windows 8 uses works by starting Windows 8 before asking which OS to start, and when Windows 7 is chosen, doing a full warm boot.  Switching to the Windows 7 boot manager will save time on every boot.

During startup, when you're asked to choose an operating system:

  • Click on "Change defaults or choose other options"
  • Click on "Choose a default operating system"
  • Click on "Windows 7"
  • Click on the back button in the upper-left corner
  • Click on "Windows 7"

Make the encrypted volumes and key file for Linux Mint 14

Boot into the Linux Mint 14 DVD.

Once in the live desktop, connect to the Internet (if you're not connected automatically), then get a shell prompt:

  • Mint Menu -> Terminal

Become root:

  • sudo su -

Insert and mount your removable key drive. These instructions assume that your removable drive is detected as /dev/sdb and that it has only one preformatted DOS/Windows partition on it.  The `dd` command takes a while to run, and it tends to run faster if there's a good source of randomness, so while it's running, go ahead and use the applications in the live desktop until it finishes.

  • mkdir -p /mnt/keydrive
    mount /dev/sdb1 /mnt/keydrive
    dd if=/dev/random of=/mnt/keydrive/linuxmint.key count=4096 bs=1
    

Set up LUKS encryption with your new key file in the Linux partition you created earlier, and create the partitions you want except for boot.  (Change the device name to match your actual partition layout, and read the manual pages for commands if you're not sure what their options do.)

  • cryptsetup -y --cipher aes-xts-plain64 --key-size 512 luksFormat /dev/sda7 /mnt/keydrive/linuxmint.key
    cryptsetup --key-file=/mnt/keydrive/linuxmint.key luksOpen /dev/sda7 pvcrypt
    pvcreate /dev/mapper/pvcrypt
    vgcreate vg /dev/mapper/pvcrypt
    lvcreate --name swap --size 6G vg
    lvcreate --name root --size 20G vg
    lvcreate --name home --extents 100%FREE vg

Format the Linux Boot partition and the logical volumes you just made in the encrypted volume group.

  • mkfs.ext2 /dev/sda6
    mkswap /dev/mapper/vg-swap
    mkfs.ext3 /dev/mapper/vg-root
    mkfs.ext3 /dev/mapper/vg-home

Minimize the terminal window or move it out of the way.

If you want to store a copy of your key file on another removable drive, then use the live desktop's file manager to copy the key file from your key drive to your key recovery drive.  If you can have only one plugged in at a time, then copy the file from your key drive to the desktop, unmount the drive (by using the eject icon next to the drive name), remove the key drive and insert the key recovery drive, and copy the file from the desktop to the key recovery drive.

Having a backup copy of your key file on a separate drive is highly recommended!  If you lose the main copy of your key file, or if the drive it's on goes bad, then you will never be able to boot back into Linux again unless you have a copy saved somewhere else.
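Because a key file becomes useless if even one byte changes, it is worth checking each copy you just made against the original and recording a fingerprint of the key, so that a copy can be checked later without the original present. The script below is an added example and not part of this howto; it assumes the key was created with the dd command above (4096 bytes) and takes the original key file and its copies as arguments (the paths in the usage comment are illustrative).

```shell
#!/bin/sh
# Added example, not part of the howto: sanity-check a LUKS key file and its backup copies.
# Assumes the key was made with the dd command above (4096 random bytes). Every path is an
# argument; nothing is hard-coded.

# Return 0 if FILE exists, has exactly EXPECTED bytes and is not all zeros
# (a short or zero-filled file would mean dd did not read from /dev/random as intended).
keyfile_sane() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing: $file" 1>&2; return 1; }
    size=$(wc -c < "$file")
    [ "$size" -eq "$expected" ] || { echo "wrong size $size (want $expected): $file" 1>&2; return 1; }
    nonzero=$(tr -d '\000' < "$file" | wc -c)
    [ "$nonzero" -gt 0 ] || { echo "all zero bytes: $file" 1>&2; return 1; }
}

# Print a SHA-256 fingerprint of FILE. Record the fingerprint (never the key itself) on paper
# or on the recovery drive, so a copy can be checked later without the original.
keyfile_fingerprint() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Compare one copy with the original byte for byte; one changed byte means a useless key.
verify_copy() {
    original=$1; copy=$2
    if cmp -s "$original" "$copy"; then
        echo "OK:       $copy" 1>&2
    else
        echo "MISMATCH: $copy" 1>&2
        return 1
    fi
}

# Check every copy named after the original; exit status is non-zero if any copy differs.
verify_copies() {
    original=$1; shift
    rc=0
    for c in "$@"; do verify_copy "$original" "$c" || rc=1; done
    return "$rc"
}

# Usage (illustrative paths):
#   sh verify-key.sh /mnt/keydrive/linuxmint.key /mnt/recovery/linuxmint.key
if [ $# -ge 2 ]; then
    keyfile_sane "$1" 4096 && verify_copies "$@" && echo "fingerprint: $(keyfile_fingerprint "$1")" 1>&2
fi
```

Run it from the live desktop with both drives mounted; it reports per copy, and the exit status is non-zero if any copy differs from the original or the original itself fails the size check.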

Install Linux Mint 14

Open the "Install Linux Mint" icon on the desktop.

  • When asked to choose an installation type, choose "Something else."
  • Map the Linux Boot partition:
    • Click on /dev/sda6
    • Click on the Change button
    • Change "Use as:" to "Ext2 file system"
    • Change "Mount point:" to "/boot"
    • Click on OK
  • For each of the logical volumes you created:
    • Click on the name that has a size listed beside it
    • Click on the Change button
    • Change "Use as:" to "Ext3 journaling file system" or "Ext4 journaling file system"
      • For /dev/mapper/vg-swap, change "Use as:" to "swap area" instead.
    • Change "Mount point:" to the appropriate mount point
      • The root partition mounts at "/" and the home partition mounts at "/home".
  • Proceed with installation using these partitions/mount-points.
  • When finished, DO NOT restart the PC.  Stay in the live desktop environment.

What if you rebooted or needed to shut down

If you restarted the PC after installing Linux Mint but before fixing initramfs (the next step), then follow these directions.

If you didn't restart yet, then skip these directions and continue with the next step, fixing initramfs.

  1. Boot into the Linux Mint DVD.
  2. At the desktop, reconnect to the Internet if you aren't already reconnected.
  3. At the desktop, open a terminal: Mint Menu -> Terminal.
  4. Become root:
    • sudo su -
  5. Open the encrypted volume:
    • mkdir -p /mnt/keydrive
      mount /dev/sdb1 /mnt/keydrive
      cryptsetup --key-file=/mnt/keydrive/linuxmint.key luksOpen /dev/sda7 pvcrypt

Fix initramfs to unlock the encrypted volumes on boot

Bring back the terminal window you moved out of the way earlier.  Before rebooting, the freshly installed Linux Mint system has to be configured to mount the encrypted partition.

Get the Linux partition's UUID:

  • blkid /dev/sda7

Copy or remember the UUID between the quotes.  Now get the key drive partition's UUID:

  • blkid /dev/sdb1

Copy or remember the UUID between the quotes.  For DOS/Windows-formatted drives, it will be something shorter, such as "24AB-68CD".  This is normal.

A tip for having both UUIDs available later: Open a new terminal window and run both previous commands in the new window.  Then minimize the window, and bring it back when you need it later.

Mount and change-root into the new system:

  • mkdir -p /mnt/mint
    mount /dev/mapper/vg-root /mnt/mint
    mount /dev/sda6 /mnt/mint/boot
    mount /dev/mapper/vg-home /mnt/mint/home
    mount -o bind /dev /mnt/mint/dev
    mount -o bind /sys /mnt/mint/sys
    mount -o bind /proc /mnt/mint/proc
    cp /mnt/mint/etc/resolv.conf /mnt/mint/etc/resolv.conf.bak
    cp /etc/resolv.conf /mnt/mint/etc/resolv.conf
    chroot /mnt/mint

Reinstall the disk encryption tools:

  • apt-get update && apt-get install lvm2 cryptsetup hashalot

Edit /etc/crypttab:

  • pluma /etc/crypttab

At the bottom of the file, add the following line:

  1. pvcrypt /dev/disk/by-uuid/<uuid> linuxmint.key luks,keyscript=/etc/init.d/keyscript.sh
    • Replace <uuid> with the actual UUID of the encrypted LVM partition (assumed /dev/sda7 earlier). An example:
    • pvcrypt /dev/disk/by-uuid/2e30603e-5b1f-417c-9f9c-3797fcca87c6 linuxmint.key luks,keyscript=/etc/init.d/keyscript.sh

Save the file and exit the editor.

Create the file /etc/init.d/keyscript.sh:

Type the following text into the file:

  • #!/bin/sh
    # Only the key may go to stdout; all other output is sent to stderr.
    if [ ! -d /keydrive ]; then
        mkdir /keydrive 1>&2
    fi
    mount -t vfat /dev/disk/by-uuid/<uuid> /keydrive 1>&2
    cat /keydrive/$CRYPTTAB_KEY
    umount /keydrive 1>&2
    rmdir /keydrive 1>&2
    • Replace <uuid> with the actual UUID of the removable disk with your key (assumed /dev/sdb1 earlier).  An example:
    • mount -t vfat /dev/disk/by-uuid/24AB-68CD /keydrive 1>&2
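As an added example that is not the howto's own script, here is a more defensive variant of the keyscript above. It assumes the same crypttab line (so cryptsetup passes the key file name in CRYPTTAB_KEY), uses a placeholder KEYDRIVE_UUID where your key drive's UUID belongs, waits for the USB drive to enumerate, mounts it read-only so the key can never be altered at boot, refuses an empty key file, and always removes the mount point. If anything fails it exits non-zero, so the unlock fails and the boot ends at the "(initramfs)" prompt that the recovery sections below rely on.

```shell
#!/bin/sh
# Added example, not the howto's own keyscript: a defensive variant of /etc/init.d/keyscript.sh.
# KEYDRIVE_UUID is a placeholder; put your key drive's UUID (from `blkid /dev/sdb1`) there.
# CRYPTTAB_KEY is set by cryptsetup from the third field of /etc/crypttab (linuxmint.key).
KEYDRIVE_UUID="${KEYDRIVE_UUID:-PLACEHOLDER-KEYDRIVE-UUID}"
MNT=/keydrive
WAIT_SECONDS=15

# Print the key file $2 found in directory $1 to stdout, where cryptsetup reads it.
# Returns 1 when the file is missing or empty, so an empty key is never handed over.
emit_key() {
    keyfile="$1/$2"
    if [ ! -s "$keyfile" ]; then
        echo "keyscript: $2 missing or empty on key drive" 1>&2
        return 1
    fi
    cat "$keyfile"
}

# Wait up to $2 seconds for /dev/disk/by-uuid/$1 to appear; USB storage enumerates late.
wait_for_device() {
    n=0
    while [ ! -e "/dev/disk/by-uuid/$1" ] && [ "$n" -lt "$2" ]; do
        sleep 1; n=$((n + 1))
    done
    [ -e "/dev/disk/by-uuid/$1" ]
}

# Unmount and remove the mount point; stdout must stay clean, so all output is discarded.
cleanup() {
    umount "$MNT" >/dev/null 2>&1
    rmdir "$MNT" >/dev/null 2>&1
}

# Entry point used at boot. Any failure returns non-zero so cryptsetup sees a failed unlock.
unlock_from_keydrive() {
    if ! wait_for_device "$KEYDRIVE_UUID" "$WAIT_SECONDS"; then
        echo "keyscript: key drive $KEYDRIVE_UUID not found after ${WAIT_SECONDS}s" 1>&2
        return 1
    fi
    mkdir -p "$MNT" 1>&2 || return 1
    # Read-only: the key must never change by even one byte, so never mount it writable at boot.
    if ! mount -t vfat -o ro "/dev/disk/by-uuid/$KEYDRIVE_UUID" "$MNT" 1>&2; then
        rmdir "$MNT" >/dev/null 2>&1
        return 1
    fi
    emit_key "$MNT" "$CRYPTTAB_KEY"
    status=$?
    cleanup
    return "$status"
}

# Only run the real unlock when cryptsetup invoked this script (it sets CRYPTTAB_KEY).
if [ -n "${CRYPTTAB_KEY:-}" ]; then
    unlock_from_keydrive
fi
```

To use it, install it as /etc/init.d/keyscript.sh in place of the script above, make it executable with `chmod +x /etc/init.d/keyscript.sh`, and run `update-initramfs -u -k all` as in the next step so the cryptsetup hook copies it into the initramfs. The `sleep` in the wait loop is provided by BusyBox inside the initramfs.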

Save the file and exit the editor.  Next, make the file an executable script.

Update the initramfs image and update GRUB:

  • update-initramfs -u -k all
    update-grub

Exit cleanly:

  • cp /etc/resolv.conf.bak /etc/resolv.conf
    rm /etc/resolv.conf.bak
    exit
    umount /mnt/mint/proc
    umount /mnt/mint/sys
    umount /mnt/mint/dev
    umount /mnt/mint/home
    umount /mnt/mint/boot
    umount /mnt/mint
    exit
    exit

Shut down the Linux Mint live session, remove the DVD, and test-boot into the installed Linux Mint system.

Enable BitLocker and encrypt your Windows 8 partition

Boot into Windows 8.

Insert the removable disk or USB thumb drive that you want to use as your key drive for Windows 8.

Press Windows+W to bring up the Settings search box.  Search for "bitlocker" and click on the BitLocker Drive Encryption search result.

In the "Operating system drive" section, click on "Turn on BitLocker" next to drive (C:).  This may trigger a UAC alert.

If you get the following error message:

This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.

Then follow these directions to set the option referenced in the error message:

  1. Press Windows+W to bring up the Settings search box.
  2. Search for "policy" and click on the "Edit group policy" search result.
    • This may trigger a UAC alert.
    • The group policy editor is a lot like the Windows registry editor: it lets you change settings that manage your ability to use your PC, log in, or start up.  Do not make any mistakes here because the changes are often instant and always without any undo feature.
  3. In the main part of the window, double-click on "Computer Configuration".
  4. Double-click on "Administrative Templates".
  5. Double-click on "Windows Components".
  6. Double-click on "BitLocker Drive Encryption".
  7. Double-click on "Operating System Drives".
  8. Double-click on "Require additional authentication at startup".
  9. Click on the "Enabled" radio button.
  10. In the "Options:" section, make sure the "Allow BitLocker without a compatible TPM" checkbox is checked.
  11. Click on OK.
  12. Close the group policy editor window.
  13. In the BitLocker Drive Encryption window, click on the "Turn on BitLocker" item again.

In the wizard window that opens, when it tells you to choose how to unlock your drive at startup, click on "Insert a USB flash drive" and click on your removable drive.  Click on Save.  This saves the key to what is now your Windows 8 key drive.

If you want to save your recovery key to another external drive, then insert your key recovery drive, removing your key drive if necessary.

Click on "Save to a USB flash drive" and choose your removable drive, or click on "Save to a file" and browse to the save location.  Click on Next.

Click on the "Encrypt entire drive" radio button, then click on Next.

Make sure the "Run BitLocker system check" checkbox is checked, then click on Continue.

When prompted, restart the PC, reinsert your key drive if necessary, then boot into Windows 8.

Wait for drive encryption to finish.

Encrypt your Windows 7 partition with BitLocker

Stay in Windows 8.  If you aren't in Windows 8, then boot into it.

If you removed your key drive and key recovery drive, then reinsert them now.  If they're not the same drive and you can have only one inserted at a time, then reinsert your key drive.

Press Windows+W to bring up the Settings search box.  Search for "bitlocker" and click on the BitLocker Drive Encryption search result.

  • If you were watching the progress bar in the "BitLocker Drive Encryption" window, then you can click on the "Manage BitLocker" link instead.

In the "Fixed data drives" section, click on drive (D:) (your Windows 7 drive C), then click on the "Turn on BitLocker" item next to the drive icon.  This may trigger a UAC alert.

Click on the "Automatically unlock this drive on this computer" checkbox, then click on Next.

Click on "Save to a USB flash drive" and choose your key drive.

  • Although this will save a copy of the recovery key to the root directory of your key drive instead of your key recovery drive, you must choose this method or the key itself will not be saved and you will not be able to boot back into Windows 7.

If you want to use a separate key recovery drive, and if you had to remove it to insert your key drive, reinsert it now, then click on "Save to a file" and save to a folder on your recovery drive.  Click on Next.

Click on the "Encrypt entire drive" radio button, then click on Next.

Click on Start Encrypting.

Wait for drive encryption to finish, then shut down your PC.

Store the removable disk or USB thumb drive that is your key drive in a safe place away from your PC, but in a place convenient for you to plug into your PC when you start or restart it.  If you saved your recovery keys on a different removable drive, then store that in a safe place away from your PC and away from your key drive.

Everything is done.  All three operating systems now require a key on your removable drive in order to start up, and none of them can be bypassed in order to access any data on your three encrypted partitions unless the encryption systems have exploitable weaknesses.

Booting Mistakes and Key Recovery

If you make a mistake in booting, such as using the wrong key or forgetting to use a key, or if your key drive is no longer readable, then follow the procedure that matches below.

Do not allow the final three situations detailed below to happen.  There is no recovering from them.  Have backup copies of your boot and recovery key files so that you won't have to lose your data just because you lost your key.

Where are the boot keys?

The boot keys are files saved in the root directory of your key drive(s), and they have all four DOS file attributes set: Archive, Read-only, System, and Hidden.  Windows treats files with both the Hidden and System attributes set as special system files, hiding them from view even when Explorer is configured to show hidden files.

Linux doesn't hide files with DOS attributes set, so they are visible while in Linux.  A key file's name is an uppercase GUID (a different one from the recovery key's identifier) with the extension ".BEK".  These files must not be renamed or moved to any subdirectory.

Booting Windows 7 with the wrong key or with no key inserted

Insert the correct key drive, press F11, and choose Windows 7.

Booting Windows 8 with the wrong key or with no key inserted

Insert the correct key drive, press Enter, choose "Windows 8 (loader)" from GRUB, and choose Windows 8.

Booting Linux with the wrong key or with no key inserted

Insert the correct key drive, press Ctrl+Alt+Delete, and choose Linux.

Recovering the Windows 7 key if you can still boot into Windows 8

Boot into Windows 8.

Insert the removable disk that you want to use as your key drive for Windows 7.

Press Windows+W to search for settings.  Search for "bitlocker" and click on the "Manage BitLocker" result.

In the "Fixed data drives" section, click on drive (D:) (your Windows 7 drive C), then click on the "Back up recovery key" item next to the drive icon.  This may trigger a UAC alert.

Click on "Save to a USB flash drive", choose your key drive, and click on Save.  The boot key and the recovery key will both be saved in the root directory of your key drive.  Click on Finish.

Reboot into Windows 7.

Recovering the Windows 8 key if you can still boot into Windows 7

You will need your key recovery drive and a scrap of paper you can keep safe and destroy.  The scrap should have enough room for you to write 8 groups of 6 digits.

Insert your key recovery drive.

Open the "BitLocker Recovery Key" file corresponding to Windows 8.

Write the numbers of the recovery key on your scrap of paper.

Boot into Windows 8.  At the message "Plug in the USB drive that has the BitLocker key", press Escape.

Insert the removable disk that you want to use as your Windows 8 key drive.

Type in the digits of the recovery key.  Windows will fill in the dashes separating groups for you.  Press Enter.

If you wrote the recovery key on a scrap of paper, then either keep it as safe as your key recovery drives or destroy it.

Press Windows+W to search for settings.  Type in "bitlocker" and click on the "Manage BitLocker" result.

Click on the "Back up recovery key" item next to the Windows 8 drive icon.  This may trigger a UAC alert.

Click on "Save to a USB flash drive", choose your key drive, and click on Save.  The boot key and the recovery key will both be saved in the root directory of your key drive.  Click on Finish.

Booting into Windows 7 or Windows 8 without either version's boot key

There are three ways to get the recovery key, but you will need your key recovery drive and a scrap of paper you can keep safe and destroy.  The scrap should have enough room for you to write 8 groups of 6 digits.  The first method is the quickest and most secure, but the other two methods are the most convenient.

The recovery key calls itself a text file, but it is encoded in little-endian UTF-16 with some illegal characters embedded in it.  Windows automatically translates the file when a text editor reads it, but Linux text editors struggle with the illegal characters.
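As an added example (not part of the original howto), the following shell script does the decoding that Linux text editors fumble: it strips the UTF-16 padding and byte-order mark, pulls out the 48-digit key with grep, and then checks each six-digit group against the rule BitLocker uses (every group is a multiple of 11 below 720896), which catches most copying mistakes before you type the key at the recovery prompt. The embedded recovery key file is a constructed sample, not a real key, and the file name in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example, not part of the howto: read a BitLocker recovery key file from Linux.
# The file is UTF-16LE: every ASCII character is its byte followed by a NUL, with an
# FF FE byte-order mark in front. Dropping NUL, CR and BOM bytes leaves plain ASCII
# that grep can search, which is all that is needed to pull out the 48-digit key.

# Print the first 48-digit recovery key (8 dash-separated groups of 6 digits) in file $1.
# Returns 1 when no key is present.
recovery_key_from_file() {
    LC_ALL=C tr -d '\000\015\377\376' < "$1" \
        | LC_ALL=C grep -oE '([0-9]{6}-){7}[0-9]{6}' | head -n 1 | grep .
}

# Check one group. Each BitLocker group is a 16-bit value times 11, so it is a multiple
# of 11 and below 720896; a mistyped digit almost always breaks this rule.
group_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    n=$(printf '%s' "$1" | sed 's/^0*//'); n=${n:-0}   # strip leading zeros (no octal)
    [ "$n" -lt 720896 ] && [ $((n % 11)) -eq 0 ]
}

# Validate a whole key; prints it back on success, returns 1 otherwise.
recovery_key_ok() {
    key=$1
    old_ifs=$IFS; IFS=-; set -- $key; IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    for g in "$@"; do group_ok "$g" || return 1; done
    printf '%s\n' "$key"
}

# Constructed sample (not a real key), written the way Windows writes the file.
write_sample_key_file() {
    out=$1
    printf '\377\376' > "$out"                     # byte-order mark
    s='BitLocker Recovery Key
000011-000022-000033-000044-000055-000066-000077-000088
'
    while [ -n "$s" ]; do                          # emit each character as byte + NUL
        c=${s%"${s#?}"}; s=${s#?}
        printf '%s\000' "$c" >> "$out"
    done
}

# Usage (illustrative name): sh bitlocker-key.sh "/mnt/Recovery/BitLocker Recovery Key <id>.TXT"
# Without an argument it decodes the constructed sample instead.
f=${1:-}
if [ -z "$f" ]; then f=$(mktemp); write_sample_key_file "$f"; fi
if key=$(recovery_key_from_file "$f") && recovery_key_ok "$key" >/dev/null; then
    printf 'Recovery key: %s\n' "$key"
else
    echo "no valid BitLocker recovery key found in $f" 1>&2
fi
[ -n "${1:-}" ] || rm -f "$f"
```

The script only needs tr, grep, sed and head, all of which BusyBox provides, so it also works at the "(initramfs)" prompt of Method 1 below if you type it in or carry it on the recovery drive.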

Method 1: Booting into the Linux BusyBox initramfs:

  1. Boot into Linux without the key, and wait for the "(initramfs)" command prompt.
  2. Insert your Windows key recovery drive.
  3. Type the following commands to mount the drive.  This assumes that your drive is detected as /dev/sdb:
    • mkdir /mnt
      mount /dev/sdb1 /mnt
  4. Use the `cat` command to display the recovery key:
    • If you saved the key in the root directory:
      • Type `cat /mnt/BitLocker` (without the backticks), then press the Tab key.  Pressing the Tab key will type the rest of the recovery key file's name for you.  If you saved more than one recovery key to your key recovery drive, then press Tab twice to show the names, type the first few letters and numbers of the rest of the name, and press Tab again.
    • If you saved the key in a subdirectory, such as in a folder called "Recovery":
      • Type `cat /mnt/Recovery/BitLocker` (without the backticks, and substituting your actual directory name), then press the Tab key to fill in the rest of the file name.  If the directory name is long, then you can use the Tab key to fill in the directory name as well.
  5. Write the numbers of the recovery key on your scrap of paper.
  6. Press Ctrl+Alt+Delete to reboot.

Method 2: Booting into your Linux desktop:

  1. Boot into Linux.
  2. Insert your key recovery drive.
  3. Start the Firefox Web browser.
  4. Press Ctrl+O to open a file.
  5. In the Places list, click on your key recovery drive, then in the main part browse to the recovery key.
  6. Write the numbers of the recovery key on your scrap of paper.
  7. Shut down and reboot normally.

Method 3: Using another computer:

  1. Access another PC running Windows.
  2. Insert your key recovery drive into this other PC.
  3. Open the "BitLocker Recovery Key" file corresponding to Windows on your PC.
  4. If you can't keep the screen of this PC visible while using your PC, then write the numbers of the recovery key on your scrap of paper.
  5. Don't forget to use the "safely remove hardware" feature of the other PC and remove your key recovery drive when you're done.

Boot into the version of Windows whose recovery key you just saw.  At the message "Plug in the USB drive that has the BitLocker key", press Escape.

Type in the digits of the recovery key.  Windows will fill in the dashes separating groups for you.

If you wrote the recovery key on a scrap of paper, then either keep it as safe as your key recovery drives or destroy it.

If you're booting into Windows 8, then follow both sections above for recovering the Windows 8 key and recovering the Windows 7 key.

Booting Linux without the main key but with a copy

If you need to use another removable drive as your new Linux key drive, then copy the key file from your backup to your new key drive.

Boot into Linux with your new key drive.  Wait for the "(initramfs)" prompt in the BusyBox initramfs environment.

Mount the new key drive:

  • mkdir /mnt
    mount -t vfat /dev/sdb1 /mnt

Unlock your Linux root drive:

  • cryptsetup --key-file=/mnt/linuxmint.key luksOpen /dev/disk/by-uuid/<uuid> pvcrypt

    • Substitute the actual name of your key file if you changed it, and substitute <uuid> with your Linux root drive's actual UUID.
    • You can use tab completion (by pressing Tab) to fill in the UUID after you start typing it.
      • If pressing Tab doesn't fill in the UUID, then press Tab again to get a list.
      • If you get the error "Device ... is not a valid LUKS device," then repeat the command with a different UUID.

Unmount the key drive:

  • umount /mnt

Exit initramfs and resume booting Linux:

  • exit

Once in your Linux desktop, fix initramfs to recognize your new key drive.

Bring up a terminal: Mint Menu -> Terminal.

Get the new UUID for your new key drive.  Copy it to the clipboard, write it down, or remember it.

  • sudo blkid /dev/sdb1

Edit your keyscript, /etc/init.d/keyscript.sh, as root in the same editor you used to create it.

Edit the line with the `mount` command, replacing the UUID following `/dev/disk/by-uuid/` with the new UUID of your new key drive.  After making this change, save and exit the editor.

Update the initramfs image:

  • sudo update-initramfs -u -k all

Booting Windows 7 without a recovery key or backup copy of the boot key

Follow the instructions for "Recovering the Windows 7 key if you can still boot into Windows 8" above.

If you can't boot into Windows 8 because you don't have a recovery key or a backup copy of the boot key for Windows 8 either, then format and reinstall both Windows operating systems, because you have lost all ability to access anything you saved in them.  You're out of luck.  It's over.

After destroying and reinstalling Windows, boot into your Linux Mint DVD, follow the instructions for "What if you rebooted or needed to shut down" above, then follow the instructions for mounting and changing root into the new Linux system, then run the command `grub-install /dev/sda` to restore boot-time access to your Linux system.

Do not allow this situation to happen!  At the very least, keep a copy of your recovery key somewhere else, whether as a file on another drive or as a printed/written page filed away somewhere.

Booting Windows 8 without a recovery key or backup copy of the boot key

Format the Windows 8 partition and reinstall Windows 8, because you have lost all ability to access anything you saved in it.  You're out of luck.  It's over.

After destroying and reinstalling Windows, boot into your Linux Mint DVD, follow the instructions for "What if you rebooted or needed to shut down" above, then follow the instructions for mounting and changing root into the new Linux system, then run the command `grub-install /dev/sda` to restore boot-time access to your Linux system.

Do not allow this situation to happen!  At the very least, keep a copy of your recovery key somewhere else, whether as a file on another drive or as a printed/written page filed away somewhere.

Booting Linux without a backup copy of the key file

Format the Linux partition and reinstall Linux, because you have lost all ability to access anything you saved in it.  You're out of luck.  It's over.

Do not allow this situation to happen!  Keep a copy of your key file on another drive, whether it be as part of a CD-R, part of a DVD-R, or on a removable drive filed away somewhere.  Keep two copies if you can.
