Encrypted PC Triple-Boot with TrueCrypt and LUKS Howto

Update Regarding TrueCrypt

TrueCrypt should not be used. It has an undisclosed vulnerability that resulted in the shutdown of the TrueCrypt project and withdrawal of installation packages for all versions from official sources.

Some people when faced with data confidentiality problems think "I know, I'll use encryption". Now they have key management problems.

Disk Encryption Strength and Weaknesses

If you want to keep the data on your PC private, even if your PC is stolen, then it's not enough to use password-protected access.  The reason is that login password protection can be bypassed trivially, and if your data is not in an encrypted volume, then it's all accessible as soon as the password is bypassed.  If data is stored in encrypted volumes, then it can't be accessed unless it's decrypted, and that can't happen unless the password used for encryption is known.

The strength is that no one can access your data without your encryption password.  The weaknesses are that you can't access it either if you forget the encryption password, the password can be broken if you make it too weak, you could conceivably find yourself in a situation where you'd have to give up your password, spyware on your PC has as much free access to encrypted data as you do, and any data you copy or save outside of encrypted volumes (such as on ordinary thumb drives) is saved without encryption.  These instructions assume that you are at least a little familiar with these risks and that you are willing to accept them.

Why Not Use TrueCrypt Full Disk Encryption?

As of 7.1a, TrueCrypt does not support full disk encryption of a PC's system disk when non-Microsoft bootloaders (such as LILO or GRUB) are used for booting multiple operating systems.

The partitions that will be left exposed as unencrypted are the Windows factory restore partition (if present), the Windows boot and recovery partition, and the Linux boot partition.  When any of these partitions are mounted, you must make sure that no sensitive data is copied or saved to them by accident.

What you will need

A Windows 7 installation disk and product key valid for that edition, or a PC preinstalled with Windows 7.

If you have a PC preinstalled with Windows 7, then create a factory restore disk set.  If you make a mistake that you can't recover from, then the factory restore disks will be the only way to get a working PC again.  Keep the factory restore disks in a safe place.

A Windows 8 Pro installation disk and product key.

A Linux Mint 14 installation disk.  The disk must have a live desktop environment as well as the installer.

Two blank CD-R disks.

An external disk drive, such as a USB hard disk or a USB thumb drive.

An Internet connection.

A wireless or ethernet adapter compatible with all three operating systems, connected to the Internet.

TrueCrypt for encrypting the Windows system partitions.

LVM2, CryptSetup, and Hashalot for encrypting the Linux partition. If they're not included in the Linux live desktop environment, then they should be available in the package repository for installation via the Internet.

Backup copies of all your important data and settings saved on external drives or disks, if any were saved to the PC's hard disk before setting up disk encryption.  It's better to have backups and not need them than to need backups and not have them.

Six hours of time.

Courage and the willingness to risk reinstalling your operating systems if you break your PC's ability to boot.  Partitioning hard disks and installing things into their boot records carries that risk.  The risk is relatively small, but it is definitely there.

How To Do It: Windows 7, Windows 8, and Linux Mint 14

Installing Windows 7 on a blank PC

Boot the Windows 7 installation disk and install Windows 7 according to Microsoft's directions.  Use the entire disk and worry about partitioning later.

You can install your programs and customize your settings now if you want.  If you do, then install updates as well.

The partitioning layout should be:

  • sda1: A primary bootable partition, 100 MB in size, holding the Windows boot.  This is called "Windows Boot" in the partitioning directions.
  • sda2: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.

Starting with a PC pre-installed with Windows 7

The PC I got and set up for encrypted booting is an Acer Aspire 5733-6838 laptop computer.  It came with Windows 7 preinstalled on it, and the factory restore disk set restores the factory partitioning layout:

  • sda1: A primary hidden partition, 18 GB in size, holding the factory restore system.  This is called "Factory" in the partitioning directions.
  • sda2: A primary bootable partition, 100 MB in size, holding the Windows boot. This is called "Windows Boot" in the partitioning directions.
  • sda3: A primary partition occupying the rest of the disk.  This is called "Windows 7" in the partitioning directions.

First, as soon as you get to the desktop, burn a factory restore DVD set and an applications/drivers disk. If you make a mistake that you can't recover from, this will be the only way to get a working PC again.

After doing this, uninstall the crapware, install the programs you want, and install updates.

Partition the disk for Windows 7, Windows 8, and Linux Mint 14

Boot into the Linux Mint 14 DVD. In the desktop:

  • Start gparted.
    • Mint Menu -> All applications -> Administration -> GParted
  • Identify the existing partitions.
    • You may have Windows Boot and Windows 7 as /dev/sda1 and /dev/sda2 respectively, or
    • You may have Factory, Windows Boot, and Windows 7 as /dev/sda1, /dev/sda2, and /dev/sda3 respectively.
  • Reduce the size of the Windows 7 partition.  Be sure to leave room for your Windows 7 data as well as two other full operating systems.
  • Create a new extended partition taking up the entire rest of the disk /dev/sda.
  • Create a new logical partition inside the extended partition for Windows 8, about the same size as Windows 7 (taking into consideration your preference and usage plans), and set its type to NTFS.
    • Windows 8 will not install unless the partition's filesystem type is set to NTFS.
  • Create a new logical partition for Linux Boot, about 1.0 GB in size, and set its type to EXT2.
  • Create a new logical partition for Linux, taking up the rest of the drive's space.
    • Even if you plan to have multiple partitions, such as separate home, root, and swap, they will all be set up later as logical volumes within this single partition.
  • If you haven't already, apply these operations.
  • The partition structure should resemble the following.  Take note of the device names (/dev/sdaX) because the shell commands later will assume this structure:
    • Factory (if present) as /dev/sda1
    • Windows Boot as either /dev/sda2 or /dev/sda1. Shell commands later will assume /dev/sda2.
    • Windows 7 as either /dev/sda3 or /dev/sda2. Shell commands later will assume /dev/sda3.
    • Windows 8 as /dev/sda5
    • Linux Boot as /dev/sda6
    • Linux as /dev/sda7
  • Quit gparted.
  • Restart the PC.
  • When prompted to remove the Linux Mint DVD, replace the Linux Mint DVD with the Windows 8 DVD.

Skip the boot into Windows 8 and boot into Windows 7. Let CHKDSK run and make sure the disk is OK.

Install Windows 8

Boot into the Windows 8 DVD.

After entering the key and accepting the license, choose a custom installation.

Install Windows 8 on the new Windows 8 partition you created in Mint.  The partition name should be called "Drive 0 Partition 4" in the installer.

Install applications and updates for Windows 8.

After the last necessary reboot, restart Windows 8 one more time.

Switch to the Windows 7 boot manager

The boot manager that Windows 8 uses works by starting Windows 8 before asking which OS to start, and when Windows 7 is chosen, doing a full warm boot.  This will essentially force you to go through TrueCrypt's bootloader twice to boot Windows 7.  Switching to the Windows 7 boot manager will remove this unnecessary step.

During startup, when you're asked to choose an operating system:

  • Click on "Change defaults or choose other options"
  • Click on "Choose a default operating system"
  • Click on "Windows 7"
  • Click on the back button in the upper-left corner
  • Click on "Windows 7"

Install Linux Mint 14

Boot into the Linux Mint 14 DVD.

Once in the live desktop, connect to the Internet (if you're not connected automatically), then get a shell prompt:

  • Mint Menu -> Terminal

Become root:

  • sudo su -

Set up LUKS encryption in the Linux partition you created earlier, and create the partitions you want except for boot.  (Change the device name to match your actual partition layout, and read the manual pages for commands if you're not sure what their options do.)

  • cryptsetup -y --cipher aes-xts-plain64 --key-size 512 luksFormat /dev/sda7
    cryptsetup luksOpen /dev/sda7 pvcrypt
    pvcreate /dev/mapper/pvcrypt
    vgcreate vg /dev/mapper/pvcrypt
    lvcreate --name swap --size 6G vg
    lvcreate --name root --size 20G vg
    lvcreate --name home --extents 100%FREE vg

Format the Linux Boot partition and the encrypted logical volumes you just made in the Linux partition.

  • mkfs.ext2 /dev/sda6
    mkswap /dev/mapper/vg-swap
    mkfs.ext3 /dev/mapper/vg-root
    mkfs.ext3 /dev/mapper/vg-home

Minimize the terminal window or move it out of the way, then open the "Install Linux Mint" icon on the desktop.

  • When asked to choose an installation type, choose "Something else."
  • Map the Linux Boot partition:
    • Click on /dev/sda6
    • Click on the Change button
    • Change "Use as:" to "Ext2 file system"
    • Change "Mount point:" to "/boot"
    • Click on OK
  • For each of the logical volumes you created:
    • Click on the name that has a size listed beside it
    • Click on the Change button
    • Change "Use as:" to "Ext3 journaling file system"
      • For /dev/mapper/vg-swap, change "Use as:" to "swap area" instead.
    • Change "Mount point:" to the appropriate mount point
  • Proceed with installation using these partitions/mount-points.
  • When finished, DO NOT restart the PC.  Stay in the live desktop environment.

Bring back the terminal window you moved out of the way earlier.  Before rebooting, the freshly installed Linux Mint system has to be configured to mount the encrypted partition.

Get the Linux partition's UUID:

  • blkid /dev/sda7

Copy or remember the UUID between the quotes.  Mount and change-root into the new system:

  • mkdir -p /mnt/mint
    mount /dev/mapper/vg-root /mnt/mint
    mount /dev/sda6 /mnt/mint/boot
    mount /dev/mapper/vg-home /mnt/mint/home
    mount -o bind /dev /mnt/mint/dev
    mount -o bind /sys /mnt/mint/sys
    mount -o bind /proc /mnt/mint/proc
    cp /mnt/mint/etc/resolv.conf /mnt/mint/etc/resolv.conf.bak
    cp /etc/resolv.conf /mnt/mint/etc/resolv.conf
    chroot /mnt/mint

Reinstall the disk encryption tools:

  • apt-get update && apt-get install lvm2 cryptsetup hashalot

Edit /etc/crypttab:

  • editor /etc/crypttab

At the bottom of the file, add the following line:

  • pvcrypt /dev/disk/by-uuid/<uuid> none luks
    • Replace <uuid> with the actual UUID. An example:
    • pvcrypt /dev/disk/by-uuid/2e30603e-5b1f-417c-9f9c-3797fcca87c6 none luks

Save the file and exit the editor.

Update the initramfs image:

  • update-initramfs -u
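As an added example that is not part of the original howto, the following POSIX shell functions derive the crypttab line from blkid output and verify an existing /etc/crypttab against it, so the UUID never has to be retyped. They assume the howto's layout (LUKS container /dev/sda7 mapped as "pvcrypt"); the blkid output and crypttab text in the block are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original howto: derive the /etc/crypttab line from blkid
# output and verify an existing crypttab against it, instead of retyping the UUID.
# Assumptions (as in the howto): LUKS container /dev/sda7 mapped as "pvcrypt".
# The blkid output and crypttab text below are constructed samples.

# Print the UUID from one blkid output line, but only if blkid reports a LUKS
# container; pointing crypttab at the wrong partition (e.g. /boot) is a silent
# way to get an unbootable system.
luks_uuid() {
    line=$1
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "luks_uuid: not a LUKS container: $line" >&2; return 1 ;;
    esac
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([0-9a-fA-F-]*\)".*/\1/p')
    [ -n "$uuid" ] || { echo "luks_uuid: no UUID in blkid output" >&2; return 1; }
    printf '%s\n' "$uuid"
}

# Emit the crypttab line the howto has you type by hand:
#   <mapping name> /dev/disk/by-uuid/<uuid> none luks
crypttab_entry() {
    name=$1; line=$2
    uuid=$(luks_uuid "$line") || return 1
    printf '%s /dev/disk/by-uuid/%s none luks\n' "$name" "$uuid"
}

# Return 0 if the given crypttab text already maps NAME to the expected UUID with
# the luks option, 1 otherwise (comment lines are ignored).
crypttab_matches() {
    crypttab=$1; name=$2; uuid=$3
    printf '%s\n' "$crypttab" | grep -v '^[[:space:]]*#' |
        awk -v n="$name" -v u="$uuid" '
            $1 == n && $2 == ("/dev/disk/by-uuid/" u) && $4 ~ /(^|,)luks(,|$)/ { found = 1 }
            END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (the UUID is the howto's own example value).
SAMPLE_BLKID='/dev/sda7: UUID="2e30603e-5b1f-417c-9f9c-3797fcca87c6" TYPE="crypto_LUKS"'
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
pvcrypt /dev/disk/by-uuid/2e30603e-5b1f-417c-9f9c-3797fcca87c6 none luks'

# On the real system, inside the chroot, the same check would be:
#   crypttab_matches "$(cat /etc/crypttab)" pvcrypt "$(luks_uuid "$(blkid /dev/sda7)")"
crypttab_entry pvcrypt "$SAMPLE_BLKID"
```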

Exit cleanly:

  • cp /etc/resolv.conf.bak /etc/resolv.conf
    exit
    umount /mnt/mint/proc
    umount /mnt/mint/sys
    umount /mnt/mint/dev
    umount /mnt/mint/home
    umount /mnt/mint/boot
    umount /mnt/mint
    exit
    exit

Shut down the Linux Mint DVD and test boot into the installed Linux Mint system.

Encrypt Windows 7

Boot into Windows 7. (Linux Mint will have detected both Windows systems as a single "Windows 8" item.)

Install TrueCrypt in Windows 7.

Run TrueCrypt and select System -> Encrypt System Partition/Drive...

Choose Normal for System Encryption.  Choose Encrypt the Windows system partition for Area to Encrypt.  Choose Multi-boot for Number of Operating Systems.  Choose Yes for Boot Drive.  Choose the correct number of system drives (1 in my case).  Choose No for Non-Windows Boot Loader.  Choose the Encryption Algorithm and Hash Algorithm that you want to use.

Enter the password you want to use to access the encrypted partition.  Make sure you get this right, as you will not be able to boot again without it.

Generate some entropy and click Next, then click Next after the keys are generated.

When asked where to save the rescue disk image, click on Browse, choose a directory on your external USB drive, and name the image "tcrescue7.iso".  Remember where you save it because you'll need it in a later step.

Make a rescue disk.

Choose the disk wiping method you want.

Go through the reboot test, and boot back into Windows 7.

Click on the Encrypt button.

Fix bootloader for Windows 7

Reboot into the Linux Mint DVD.

Start a terminal and become root again.

Reopen, remount, and change root into the installed Linux system:

  • cryptsetup luksOpen /dev/sda7 pvcrypt
    mkdir -p /mnt/mint
    mount /dev/mapper/vg-root /mnt/mint
    mount /dev/sda6 /mnt/mint/boot
    mount /dev/mapper/vg-home /mnt/mint/home
    mount -o bind /dev /mnt/mint/dev
    mount -o bind /sys /mnt/mint/sys
    mount -o bind /proc /mnt/mint/proc
    chroot /mnt/mint

Reinstall GRUB:

  • grub-install /dev/sda

Prepare to reboot into the installed Linux system:

  • exit
    umount /mnt/mint/proc
    umount /mnt/mint/sys
    umount /mnt/mint/dev
    umount /mnt/mint/home
    umount /mnt/mint/boot
    umount /mnt/mint
    exit
    exit

Shut down and reboot into the installed Linux system.

Copy the TrueCrypt ISO image "tcrescue7.iso" that you made earlier from your removable drive to /boot:

  • Open the home folder icon on the desktop.
  • Right-click on the "Desktop" icon and choose "Open as administrator" from the pop-up menu.
  • In the "Desktop (as superuser)" window, navigate to your removable drive.
  • Right-click on the "tcrescue7.iso" icon and choose "Copy" from the pop-up menu.
  • Navigate through the "File System" icon to /boot/.
  • Choose "Paste" from the "Edit" menu.

Add TrueCrypt as the Windows 7 boot option:

  • Navigate to /usr/lib/syslinux/.
  • Right-click on the file "memdisk" and choose "Copy" from the pop-up menu.
  • Navigate back to /boot/.
  • Choose "Paste" from the "Edit" menu.
  • Navigate to /etc/grub.d/.
  • Double-click on the file "40_Custom" and click on Display.
    • If the file /etc/grub.d/40_Custom does not exist, then choose File -> Create Document -> Empty File.
    • Rename the new file from "new file" to "40_Custom"
    • Double-click on the new "40_Custom" icon.
    • Add the following text to the new file:
      • #!/bin/sh
        exec tail -n +3 $0
        # This file provides an easy way to add custom menu entries.  Simply type the
        # menu entries you want to add after this comment.  Be careful not to change
        # the 'exec tail' line above.
    • Continue with the following directions:
  • Add the following text, making any necessary substitutions for /boot filesystem type and partition numbers:
    • menuentry "Windows 7" {
        insmod part_msdos
        insmod ext2
        set root='(hd0,msdos6)'
        linux16 ($root)/memdisk iso raw
        initrd16 ($root)/tcrescue7.iso
        }
  • Save and close the file.

Call up a terminal window: Mint Menu -> Terminal.

Update GRUB with your customization:

  • sudo update-grub

Reboot and choose the new "Windows 7" option.

TrueCrypt will ask if you're creating a hidden OS.  Answer "n".

Press F8.

Press 3 to choose "Restore key data (volume header)".

Enter your password.

Answer "y" to Modify drive 0.

At "Header restored", press Escape, then press Escape again.

Press Ctrl+Alt+Del to reboot the PC, choose the new "Windows 7" option, and enter your password.

Encrypt Windows 8

Boot into Windows 8.

Install TrueCrypt in Windows 8.

Run TrueCrypt and select System -> Encrypt System Partition/Drive...

Choose Normal for System Encryption.  Choose Encrypt the Windows system partition for Area to Encrypt.  Choose Multi-boot for Number of Operating Systems.  Choose Yes for Boot Drive.  Choose the correct number of system drives (1 in my case).  Choose No for Non-Windows Boot Loader.  Choose the Encryption Algorithm and Hash Algorithm that you want to use.

Enter the password you want to use to access the encrypted partition.  Make sure you get this right, as you will not be able to boot again without it.

Generate some entropy and click Next, then click Next after the keys are generated.

When asked where to save the rescue disk image, click on Browse, choose a directory on your external USB drive, and name the image "tcrescue8.iso".  Remember where you save it because you'll need it in a later step.

Make a rescue disk.

Choose the disk wiping method you want.

Go through the reboot test, and boot back into Windows 8.

Click on the Encrypt button.

Fix bootloader for Windows 8

Reboot into the Linux Mint DVD.

Start a terminal and become root again.

Reopen, remount, and change root into the installed Linux system:

  • cryptsetup luksOpen /dev/sda7 pvcrypt
    mkdir -p /mnt/mint
    mount /dev/mapper/vg-root /mnt/mint
    mount /dev/sda6 /mnt/mint/boot
    mount /dev/mapper/vg-home /mnt/mint/home
    mount -o bind /dev /mnt/mint/dev
    mount -o bind /sys /mnt/mint/sys
    mount -o bind /proc /mnt/mint/proc
    chroot /mnt/mint

Reinstall GRUB:

  • grub-install /dev/sda

Prepare to reboot into the installed Linux system:

  • exit
    umount /mnt/mint/proc
    umount /mnt/mint/sys
    umount /mnt/mint/dev
    umount /mnt/mint/home
    umount /mnt/mint/boot
    umount /mnt/mint
    exit
    exit

Shut down and reboot into the installed Linux system.

Copy the TrueCrypt ISO image "tcrescue8.iso" that you made earlier from your removable drive to /boot:

  • Open the home folder icon on the desktop.
  • Right-click on the "Desktop" icon and choose "Open as administrator" from the pop-up menu.
  • In the "Desktop (as superuser)" window, navigate to your removable drive.
  • Right-click on the "tcrescue8.iso" icon and choose "Copy" from the pop-up menu.
  • Navigate through the "File System" icon to /boot/.
  • Choose "Paste" from the "Edit" menu.

Add TrueCrypt as the Windows 8 boot option:

  • Navigate to /etc/grub.d/.
  • Double-click on the file "40_Custom" and click Display.
  • Add the following text, making any necessary substitutions for /boot filesystem type and partition numbers:
    • menuentry "Windows 8" {
        insmod part_msdos
        insmod ext2
        set root='(hd0,msdos6)'
        linux16 ($root)/memdisk iso raw
        initrd16 ($root)/tcrescue8.iso
        }
  • Save and close the file.

Call up a terminal window: Mint Menu -> Terminal.

Update GRUB with your customization:

  • sudo update-grub
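The "Windows 7" and "Windows 8" menu entries above differ only in title and ISO name, so here is an added example (not from the original howto) that generates both entries together with the 40_Custom header, derives the GRUB root name from the /boot device, and checks that memdisk and the ISOs are actually in /boot before update-grub is run. It assumes the howto's layout: MBR partitioning on a BIOS machine, /boot on /dev/sda6 with ext2, and /etc/grub.d/40_Custom as the output file.

```shell
#!/bin/sh
# Added example, not from the original howto: generate the GRUB2 "memdisk + rescue ISO"
# entries for /etc/grub.d/40_Custom and sanity-check /boot before running update-grub.
# Assumptions: MBR (msdos) partition table on a BIOS machine, /boot on an sdXN
# partition (the howto uses /dev/sda6, ext2), memdisk and the ISOs copied into /boot.

letters=abcdefghijklmnopqrstuvwxyz

# Map a Linux partition device to the GRUB device name used in "set root=":
#   /dev/sda6 -> (hd0,msdos6)   /dev/sdb12 -> (hd1,msdos12)
# Only whole-disk sdX names are accepted; LVM/dm names are rejected because GRUB
# cannot read the rescue ISO from inside the LUKS container anyway.
grub_root() {
    dev=$1
    case $dev in
        /dev/sd[a-z][1-9]|/dev/sd[a-z][1-9][0-9]) ;;
        *) echo "grub_root: unsupported device name: $dev" >&2; return 1 ;;
    esac
    letter=${dev#/dev/sd}; letter=${letter%%[0-9]*}   # "a" from /dev/sda6
    num=${dev#/dev/sd[a-z]}                           # "6" from /dev/sda6
    prefix=${letters%%"$letter"*}                     # letters before it: a=0, b=1, ...
    printf '(hd%d,msdos%s)\n' "${#prefix}" "$num"
}

# Emit one menuentry in the form the howto uses (tab-indented as in grub.cfg).
# $1 title, $2 /boot device, $3 ISO file name in /boot, $4 /boot filesystem module.
memdisk_menuentry() {
    title=$1; bootdev=$2; iso=$3; fsmod=${4:-ext2}
    root=$(grub_root "$bootdev") || return 1
    printf 'menuentry "%s" {\n' "$title"
    printf '\tinsmod part_msdos\n\tinsmod %s\n' "$fsmod"
    printf "\tset root='%s'\n" "$root"
    printf '\tlinux16 ($root)/memdisk iso raw\n'      # $root here is GRUB's own variable
    printf '\tinitrd16 ($root)/%s\n}\n' "$iso"
}

# The header every /etc/grub.d/ script needs: update-grub executes the file, and
# "exec tail -n +3 $0" copies everything from line 3 onward into grub.cfg.
custom_header() {
    printf '#!/bin/sh\nexec tail -n +3 $0\n'
    printf '# Custom entries: boot the TrueCrypt rescue ISOs via memdisk. Keep the exec tail line above.\n'
}

# Compose a whole 40_Custom script from "title:device:iso" specs, e.g.
#   grub_custom_script "Windows 7:/dev/sda6:tcrescue7.iso" "Windows 8:/dev/sda6:tcrescue8.iso"
grub_custom_script() {
    custom_header
    for spec in "$@"; do
        title=${spec%%:*}; rest=${spec#*:}
        dev=${rest%%:*}; iso=${rest#*:}
        memdisk_menuentry "$title" "$dev" "$iso" || return 1
    done
}

# update-grub happily writes entries for files that are not there; check first.
# $1 is the mounted /boot directory, remaining args are the ISO names.
check_boot_files() {
    bootdir=$1; shift; status=0
    for f in memdisk "$@"; do
        [ -s "$bootdir/$f" ] || { echo "missing or empty: $bootdir/$f" >&2; status=1; }
    done
    return $status
}

# Typical use on the installed system (run as root), shown here but not executed:
#   check_boot_files /boot tcrescue7.iso tcrescue8.iso &&
#   grub_custom_script "Windows 7:/dev/sda6:tcrescue7.iso" "Windows 8:/dev/sda6:tcrescue8.iso" \
#       > /etc/grub.d/40_Custom && chmod +x /etc/grub.d/40_Custom && update-grub
```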

Reboot and choose the new "Windows 8" option (Not the one that says "(Loader)" as well).

TrueCrypt will ask if you're creating a hidden OS.  Answer "n".

Press F8.

Press 3 to choose "Restore key data (volume header)".

Enter your password.

Answer "y" to Modify drive 0.

At "Header restored", press Escape, then press Escape again.

Press Ctrl+Alt+Del to reboot the PC, choose the new "Windows 8" option, and enter your password.

How to boot into Linux from now on

Choose the Linux distro version and kernel version you want to boot into in GRUB.

Enter your password when prompted.

How to boot into Windows from now on

To boot into Windows from now on, choose either one of the "Windows 7" or "Windows 8" entries you made in GRUB with these instructions.

When asked if you're creating a hidden OS, press "n".

Press F8 to choose Repair Options.

Press 3 to choose Restore key data (volume header).

Enter your password.

You'll be warned that drive 0 contains a valid header and asked to modify drive 0. Press "y".

At "Header restored", press Escape, then press Escape again.

Enter your password again.

Choose the same version of Windows you chose in GRUB.

Do not choose the wrong version, or Windows will fail to boot.  If you make this mistake, then restart the PC and choose the right version.

Comments


Impressive, thanks for this interesting read. :)

  --zoostar (Not signed in).....Thu Feb 07 15:02:05 -0800 2013


http://istruecryptauditedyet.com

--Anonymous (Not signed in).....2015-11-25 20:16:21 -0800

DiskCryptor and Grub + memdisk make things quite a bit easier, and no HDD write is needed on each boot!

The main trick is to throw the Windows boot partitions off the disk, leaving on the disk only the system partitions (inside an extended partition); this lets N Windows installations boot. XP is a little more tricky and needs Grub4DOS, but Vista, 7, 8, 8.1 and 10 work perfectly.

But then Windows cannot be booted (there is no primary partition on the HDD).

We put such a boot partition (an NTFS primary partition smaller than 32 MiB) inside a VHD file (created with the Windows 7 to 10 Disk Manager; Vista and XP cannot create it).

To activate that partition, the VHD must be exposed (again Disk Manager can expose it), but Disk Manager does not allow that; you must use DiskPart.

Now it is only a matter of rebooting from the Windows install media, running DiskPart in the console to expose the VHD and assign the correct letters to each volume, then exiting DiskPart and running two commands: bootsect /nt60 ... to put the boot sector onto that partition on the VHD, and bcdboot ... to create the BCD.

The VHD can be as small as 32 MiB (which leaves only 1 MiB to 5 MiB free); I prefer to create the NTFS as 8 MiB and then grow it (to make the $MFT as small as possible).

To boot Windows from Grub2 you only need a linux16 memdisk line and initrd16 TheVHDfile.vhd.

Hard to configure the first time, but fast to boot, and no need to write anything to the disk at boot time; also you can have more than one hundred Windows installations that way with only one disk and no primary partition on it at all. Linux has been bootable from logical partitions for ages.

One more step is to create a scheduled task to expose that VHD at boot (Vista needs a letter to be assigned in Disk Manager; 7 to 10 do not need a letter assigned).

Now to encrypt it, use DiskCryptor (do not forget to mark/check the change password option in the settings) and encrypt both the system and the boot partitions with the same password.

XP is just the same process, except that instead of nt60 it is nt52, and there is no bcdboot; just copy ntldr, ntdetect.*, boot*.* prior to running bootsect; and for the grub2 menu you must load Grub4DOS and run a series of mappings of the VHD and real drives. Encryption with DiskCryptor is the same.

On XP and Vista ignore the DiskCryptor warning about not finding a boot device; and to mount the VHD you need the VHDMount tool.

Since you were talking about 7 and 8, it is much simpler the Grub2 + Memdisk + VHD + DiskCryptor way.

Note: DiskCryptor is the origin of TrueCrypt; in other words, TrueCrypt is a fork of DiskCryptor as VeraCrypt is a fork of TrueCrypt. But the great difference is that DiskCryptor can have boot and system partitions on different disks, so we put the boot partition inside a VHD that emulates a hard disk; that way we get one hard drive per Windows.

All three have a limitation of only ONE Windows per disk, because at boot time they need sectors 2 up to ? (variable) to hold specific data for the Windows that is loading, so more than one Windows requires more than one HDD; if a laptop can only have one, the easy way is to emulate the other based on a VHD (which has native support in Windows).

Please take care: this scheme is for gurus. Noobs must not try it on a real machine... so use VirtualBOX to test all this prior to going for real.

Side note: If you cannot boot your Windows, boot the other Windows, run DiskCryptor and mount the partition of the other Windows.

Special note: The VHDs can be where Grub2 is (they are used to boot); the corresponding copy can be on the root of the system partition for each Windows. Or Grub2 can be on an NTFS partition, so each Windows can see the VHDs there and there is no need for copies.

--Anonymous (Not signed in).....2017-02-09 14:45:25 UTC
