Encrypted PC Triple Boot with BitLocker and LUKS Howto

Some people, when faced with data confidentiality problems, think "I know, I'll use encryption". Now they have key management problems.

Disk Encryption Strength and Weaknesses

If you want to keep the data on your PC private, even if your PC is stolen, then password-protected access is not enough.  The reason is that password access can be bypassed trivially, and if your data is not in an encrypted volume, then all of it is accessible as soon as the password is bypassed.  If data is stored in encrypted volumes, then it can't be read until it's decrypted, and that can't happen unless the password used for encryption is known.

The strength is that no one can access your data without your encryption password.  The weaknesses are several: you can't access it either if you forget the encryption password; the password can be broken if you make it too weak; you could conceivably find yourself in a situation where you'd have to give up your password; spyware on your PC has as much free access to encrypted data as you do; and any data you copy or save outside of encrypted volumes (such as on ordinary thumb drives) is saved without encryption.  These instructions assume that you are at least a little familiar with these risks and that you are willing to accept them.

What you will need

A Windows 7 installation disk and product key valid for that edition, or a PC preinstalled with Windows 7.

If you have a PC preinstalled with Windows 7, then create a factory restore disk set.  If you make a mistake that you can't recover from, then the factory restore disks will be the only way to get a working PC again.  Keep the factory restore disks in a safe place.

A Windows 8 Pro installation disk and product key.

A Linux Mint 14 installation disk.  The disk must have a live desktop environment as well as the installer.

An external disk drive, such as a USB hard disk or a USB thumb drive.

An Internet connection.

A wireless or Ethernet adapter compatible with all three operating systems, connected to the Internet.

LVM2, CryptSetup, and Hashalot for encrypting the Linux partition. If they're not included in the Linux live desktop environment, then they should be available in the package repository for installation via the Internet.

Backup copies of all your important data and settings saved on external drives or disks, if any were saved to the PC's hard disk before setting up disk encryption.  It's better to have backups and not need them than to need backups and not have them.

Six hours of time.

Courage and the willingness to risk reinstalling your operating systems if you break your PC's ability to boot.  Partitioning hard disks and installing things into their boot records carries that risk.  The risk is relatively small, but it is definitely there.

How To Do It: Windows 7, Windows 8, and Linux Mint 14

Installing Windows 7 on a blank PC

Boot the Windows 7 installation disk and install Windows 7 according to Microsoft's directions.  Use the entire disk and worry about partitioning later.

You can install your programs and customize your settings now if you want.  If you do, then install updates as well.

The partitioning layout should be:

  • Disk 0 Partition 1 or sda1: A primary bootable partition, 100 MB in size, holding the Windows boot.  This is called "Windows Boot" in the partitioning directions.
  • Disk 0 Partition 2 or sda2: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.

Starting with a PC pre-installed with Windows 7

The PC I got and set up for encrypted booting is an Acer Aspire 5733-6838 laptop computer.  It came with Windows 7 preinstalled on it, and the factory restore disk set restores the factory partitioning layout:

  • Disk 0 Partition 1 or sda1: A primary hidden partition, 18 GB in size, holding the factory restore system.  This is called "Factory" in the partitioning directions.
  • Disk 0 Partition 2 or sda2: A primary bootable partition, 100 MB in size, holding the Windows boot. This is called "Windows Boot" in the partitioning directions.
  • Disk 0 Partition 3 or sda3: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.

First, as soon as you get to the desktop, burn a factory restore DVD set and an applications/drivers disk. If you make a mistake that you can't recover from, this will be the only way to get a working PC again.

After doing this, uninstall the crapware, install the programs you want, and install updates.

Partition the disk for Windows 7, Windows 8, and Linux Mint 14

Boot into the Linux Mint 14 DVD. In the desktop:

  • Start gparted.
    • Mint Menu -> All applications -> Administration -> GParted
  • Identify the existing partitions.
    • You may have Windows Boot and Windows 7 as /dev/sda1 and /dev/sda2 respectively, or
    • You may have Factory, Windows Boot, and Windows 7 as /dev/sda1, /dev/sda2, and /dev/sda3 respectively.
  • Reduce the size of the Windows 7 partition.  Be sure to leave room for your Windows 7 data as well as two other full operating systems.
  • Create a new extended partition taking up the entire rest of the disk /dev/sda.
  • Create a new logical partition inside the extended partition for Windows 8, about the same size as Windows 7 (taking into consideration your preference and usage plans), and set its type to NTFS.
    • Windows 8 will not install unless the partition's filesystem type is set to NTFS.
    • Change the partition label to "Windows 8" so you can identify it when installing Windows 8 later.
  • Create a new logical partition for Linux Boot, about 1.0 GB in size, and set its type to EXT2.
  • Create a new logical partition for Linux, taking up the rest of the drive's space.
    • Even if you plan to have multiple partitions, such as separate home, root, and swap, they will all be set up later as logical volumes within this single partition.
  • If you haven't already, apply these operations.
  • The partition structure should resemble the following.  Take note of the device names (/dev/sdaX) because the shell commands later will assume this structure:
    • Factory (if present) as /dev/sda1
    • Windows Boot as either /dev/sda2 or /dev/sda1. Shell commands later will assume /dev/sda2.
    • Windows 7 as either /dev/sda3 or /dev/sda2. Shell commands later will assume /dev/sda3.
    • Windows 8 as /dev/sda5
    • Linux Boot as /dev/sda6
    • Linux as /dev/sda7
  • Quit gparted.
  • Restart the PC.
  • When prompted to remove the Linux Mint DVD, replace the Linux Mint DVD with the Windows 8 DVD.

Skip the boot into Windows 8 and boot into Windows 7. Let CHKDSK run and make sure the disk is OK.

Install Windows 8

Boot into the Windows 8 DVD.

After entering the key and accepting the license, choose a custom installation.

Install Windows 8 on the new Windows 8 partition you created in Mint.  The partition should appear as "Drive 0 Partition 4" in the installer.

Install applications and updates for Windows 8.

After the last necessary reboot, restart Windows 8 one more time.

Switch to the Windows 7 boot manager

The boot manager that Windows 8 uses works by starting Windows 8 before asking which OS to start, and when Windows 7 is chosen, doing a full warm boot.  Switching to the Windows 7 boot manager will save time on every boot.

During startup, when you're asked to choose an operating system:

  • Click on "Change defaults or choose other options"
  • Click on "Choose a default operating system"
  • Click on "Windows 7"
  • Click on the back button in the upper-left corner
  • Click on "Windows 7"

Make the Encrypted Volumes for Linux Mint 14

Boot into the Linux Mint 14 DVD.

Once in the live desktop, connect to the Internet (if you're not connected automatically), then get a shell prompt:

  • Mint Menu -> Terminal

Become root:

  • sudo su -

Set up LUKS encryption in the Linux partition you created earlier, and create the partitions you want except for boot.  (Change the device name to match your actual partition layout, and read the manual pages for commands if you're not sure what their options do.)

  • cryptsetup -y --cipher aes-xts-plain64 --key-size 512 luksFormat /dev/sda7
    cryptsetup luksOpen /dev/sda7 pvcrypt
    pvcreate /dev/mapper/pvcrypt
    vgcreate vg /dev/mapper/pvcrypt
    lvcreate --name swap --size 6G vg
    lvcreate --name root --size 20G vg
    lvcreate --name home --extents 100%FREE vg
  • Note: The first `cryptsetup` command will ask you to create a password.  If you choose a non-default keyboard layout when installing Linux Mint, then you will have to enter your password using your chosen Linux keyboard layout instead of the boot-time default keyboard layout.

Format the Linux Boot partition and the logical volumes you just made in the encrypted volume group in the Linux partition.

  • mkfs.ext2 /dev/sda6
    mkswap /dev/mapper/vg-swap
    mkfs.ext3 /dev/mapper/vg-root
    mkfs.ext3 /dev/mapper/vg-home

Minimize the terminal window or move it out of the way.

Install Linux Mint 14

Open the "Install Linux Mint" icon on the desktop.

  • When asked to choose an installation type, choose "Something else."
  • Map the Linux Boot partition:
    • Click on /dev/sda6
    • Click on the Change button
    • Change "Use as:" to "Ext2 file system"
    • Change "Mount point:" to "/boot"
    • Click on OK
  • For each of the logical volumes you created:
    • Click on the name that has a size listed beside it
    • Click on the Change button
    • Change "Use as:" to "Ext3 journaling file system" or "Ext4 journaling file system"
      • For /dev/mapper/vg-swap, change "Use as:" to "swap area" instead.
    • Change "Mount point:" to the appropriate mount point
  • Proceed with installation using these partitions/mount-points.
  • When finished, DO NOT restart the PC.  Stay in the live desktop environment.

What If You Rebooted or Needed To Shut Down

If you restarted the PC after installing Linux Mint but before fixing GRUB (the next step), then follow these directions.

If you didn't restart yet, then skip these directions and continue with the next step, fixing GRUB.

  1. Boot into the Linux Mint DVD.
  2. At the desktop, reconnect to the Internet if you aren't already reconnected.
  3. At the desktop, open a terminal: Mint Menu -> Terminal.
  4. Become root:
    • sudo su -
  5. Open the encrypted volume:
    • cryptsetup luksOpen /dev/sda7 pvcrypt

Fix GRUB To Unlock the Encrypted Volumes on Boot

Bring back the terminal window you moved out of the way earlier.  Before rebooting, the freshly installed Linux Mint system has to be configured to mount the encrypted partition.

Get the Linux partition's UUID:

  • blkid /dev/sda7

Copy or remember the UUID between the quotes.  Mount and change-root into the new system:

  • mkdir -p /mnt/mint
    mount /dev/mapper/vg-root /mnt/mint
    mount /dev/sda6 /mnt/mint/boot
    mount /dev/mapper/vg-home /mnt/mint/home
    mount -o bind /dev /mnt/mint/dev
    mount -o bind /sys /mnt/mint/sys
    mount -o bind /proc /mnt/mint/proc
    cp /mnt/mint/etc/resolv.conf /mnt/mint/etc/resolv.conf.bak
    cp /etc/resolv.conf /mnt/mint/etc/resolv.conf
    chroot /mnt/mint

Reinstall the disk encryption tools:

  • apt-get update && apt-get install lvm2 cryptsetup hashalot

Edit /etc/crypttab:

  • editor /etc/crypttab

At the bottom of the file, add the following line:

  • pvcrypt /dev/disk/by-uuid/<uuid> none luks
    • Replace <uuid> with the actual UUID. An example:
    • pvcrypt /dev/disk/by-uuid/2e30603e-5b1f-417c-9f9c-3797fcca87c6 none luks

Save the file and exit the editor.

Update the initramfs image:

  • update-initramfs -u
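
As an added example (not part of the original howto), the following script builds the /etc/crypttab entry from the UUID that blkid reports instead of retyping it by hand, refuses malformed UUIDs, and will not add a duplicate entry if run twice; it assumes the howto's layout (LUKS container on /dev/sda7 mapped as pvcrypt), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: generate and verify the
# /etc/crypttab entry for the LUKS container, then rebuild the initramfs.
# Assumes the howto's layout: LUKS on /dev/sda7, mapper name "pvcrypt".

# Print the crypttab line for a given mapper name and UUID.
crypttab_line() {
    printf '%s /dev/disk/by-uuid/%s none luks\n' "$1" "$2"
}

# Succeed only if the argument is a well-formed UUID (8-4-4-4-12 hex).
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Append the entry to a crypttab file unless an entry for that name exists.
# Returns 0 if added, 1 if already present, 2 if the UUID is malformed.
add_crypttab_entry() {
    file=$1; name=$2; uuid=$3
    valid_uuid "$uuid" || return 2
    if [ -f "$file" ] && grep -Eq "^$name[[:space:]]" "$file"; then
        return 1
    fi
    crypttab_line "$name" "$uuid" >> "$file"
}

# Live usage inside the chrooted system (not exercised by the test): read the
# UUID from blkid rather than copying it, then rebuild the initramfs.
install_entry() {
    uuid=$(blkid -s UUID -o value "$1") || return 1
    add_crypttab_entry /etc/crypttab pvcrypt "$uuid" && update-initramfs -u
}
```

Run `install_entry /dev/sda7` after `chroot /mnt/mint` in place of the manual edit; the constructed test below exercises only the file-handling functions on a temporary file.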

Exit cleanly:

  • cp /etc/resolv.conf.bak /etc/resolv.conf
    exit
    umount /mnt/mint/proc
    umount /mnt/mint/sys
    umount /mnt/mint/dev
    umount /mnt/mint/home
    umount /mnt/mint/boot
    umount /mnt/mint
    exit
    exit

Shut down the Linux Mint DVD and test boot into the installed Linux Mint system.

Enable BitLocker on Windows 8 and encrypt both Windows drives

Boot into Windows 8.

Insert your removable disk or USB thumb drive.

Press Windows+W to bring up the Settings search box.  Search for "bitlocker" and click on the BitLocker Drive Encryption search result.

In the "Operating system drive" section, click on "Turn on BitLocker" next to drive (C:).  This may trigger a UAC alert.

If you get the following error message:

This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.

Then follow these directions to set the option referenced in the error message:

  1. Press Windows+W to bring up the Settings search box.
  2. Search for "policy" and click on the "Edit group policy" search result.
    • This may trigger a UAC alert.
    • The group policy editor is a lot like the Windows registry editor: it lets you change settings that manage your ability to use your PC, log in, or start up.  Do not make any mistakes here because the changes are often instant and always without any undo feature.
  3. Drag the bar between the left and right halves of the window to the right if you can't read the left-hand options.
  4. Double-click on "Administrative Templates" under "Computer Configuration" to expand the heading.
  5. Double-click on "Windows Components" to expand the heading.
  6. Double-click on "BitLocker Drive Encryption" to expand the heading.
  7. Click on the "Operating System Drives" heading.
  8. On the right-hand side, double-click on the "Require additional authentication at startup" item.
  9. Click on the "Enabled" radio button.
  10. In the "Options:" section, make sure the "Allow BitLocker without a compatible TPM" checkbox is checked.
  11. Click on OK.
  12. Close the group policy editor window.
  13. In the BitLocker Drive Encryption window, click on the "Turn on BitLocker" item again.

In the wizard window that opens, when it tells you to choose how to unlock your drive at startup, click on "Enter a password" then enter the password you want to use.

  • Note: If your keyboard layout in Windows is different from the keyboard layout at boot, then you will set your password here using your Windows layout, but you will have to enter it at boot time using the boot layout.

After clicking on Next, click on "Save to a USB flash drive" and choose your removable drive.  Click on Next.

Click on the "Encrypt entire drive" radio button, then click on Next.

Make sure the "Run BitLocker system check" checkbox is checked, then click on Continue.

Remove your removable disk or USB thumb drive using the "Safely Remove Hardware and Eject Media" icon.

Restart the PC, then boot into Windows 8.  Enter the password you just set.

  • If the password you set doesn't work, then either reboot with your removable disk inserted or use one of the recovery options.

Wait for drive encryption to finish.

Reinsert your removable disk or USB thumb drive.

Press Windows+W to bring up the Settings search box.  Search for "bitlocker" and click on the BitLocker Drive Encryption search result.

In the "Fixed data drives" section, click on drive (D:) (your Windows 7 drive C), then click on the "Turn on BitLocker" item next to the drive icon.  This may trigger a UAC alert.

Click on the "Use a password to unlock the drive" checkbox, then enter the password you want to use, then click on Next.

Click on "Save to a USB flash drive" and choose your removable drive.  Click on Next.

Click on the "Encrypt entire drive" radio button, then click on Next.

Click on Start Encrypting.

Wait for drive encryption to finish, then shut down your PC.

Store your removable disk or USB thumb drive in a safe place away from your PC.

Everything is done.  All three operating systems now require a password in order to start up, and none of them can be bypassed in order to access any data on your three encrypted partitions unless the encryption systems have exploitable weaknesses.  Keep in mind that the Linux Boot partition (/dev/sda6) and the Factory partition, if present, sit outside the encrypted volumes and remain readable without a password; only the kernel, initramfs and restore image live there, not your data.

Comments


I used a slightly different procedure, however I have encountered an issue in my setup where selecting the Windows Boot Manager in grub goes to the BitLocker Recovery screen, and after correctly entering the recovery code it only gives me the option to reboot, which boots right back into Grub where the process repeats. Have you encountered this issue at all, and if so, how did you work around this problem?

  --Ryan (Not signed in).....Wed Mar 19 19:38:42 -0700 2014


Sorry, I haven't encountered an issue like this at all.

  --ArielMT.....Thu Mar 20 15:17:19 -0700 2014
