Encrypted PC Triple-Boot with TrueCrypt and LUKS Howto+discussion

Impressive, thanks for this interesting read. :)

  --zoostar (Not signed in).....Thu Feb 07 15:02:05 -0800 2013


--Anonymous (Not signed in).....2015-11-25 20:16:21 -0800

DiskCryptor and Grub + memdisk make things quite a bit easier, and no HDD write is needed on each boot!

The main trick is to throw the Windows boot partitions off the disk, leaving on the disk only the system partitions (inside an extended partition); this can make N Windows boot. XP is a little more tricky and needs Grub4DOS, but Vista, 7, 8, 8.1 and 10 work perfectly.

But then Windows cannot be booted (there is no primary partition on the HDD).

We put such a boot partition (a less than 32MiB NTFS primary partition) inside a VHD file (created with the Windows 7 to 10 Disk Manager; Vista and XP cannot create it).

To activate that partition, the VHD must be exposed (again, Disk Manager can expose it), but Disk Manager does not allow that; you must use DiskPart.

Now it is only a matter of rebooting from the Windows install media, running DiskPart in the console to expose the VHD and assign the correct letters to each volume, then exiting DiskPart and running two commands: bootsect /nt60 ... to put the boot sector onto that partition on the VHD, and bcdboot ... to create the BCD.

The VHD can be as small as 32MiB (which will leave only 1MiB to 5MiB free); I prefer to create the NTFS as 8MiB and then grow it (to make the $MFT as small as possible).

To boot Windows from Grub2 you only need a linux16 memdisk line and initrd16 TheVHDfile.vhd.

Hard to configure the first time, but fast to boot and no need to write anything to the disk at boot time; also you can have more than one hundred Windows that way with only one disk and no primary partition on it at all. Linux has been bootable from logical partitions for ages.

One more step is to create a scheduled task to expose that VHD at boot (Vista needs a letter to be assigned in Disk Manager; 7 to 10 do not need a letter assigned).

Now to encrypt it, use DiskCryptor (do not forget to mark / check the change password option in the settings) and encrypt both the system and the boot partitions with the same password.

XP is just the same process, except instead of nt60 it is nt52 and there is no bcdboot; just copy ntldr, ntdetect.*, boot*.* prior to running bootsect; and for the grub2 menu you must load Grub4DOS and run a series of mappings of the VHD and the real drives. Encryption with DiskCryptor is the same.

On XP and Vista ignore the DiskCryptor warning about not finding a boot device; and to mount the VHD you need the VHDMount tool.

Since you were talking about 7 and 8, it is much simpler the Grub2 + Memdisk + VHD + DiskCryptor way.

Note: DiskCryptor is the origin of TrueCrypt; in other words TrueCrypt is a fork of DiskCryptor, as VeraCrypt is a fork of TrueCrypt. But the great difference is that DiskCryptor can have the boot and system partitions on different disks, so we put the boot partition inside a VHD that emulates a hard disk; that way we get one hard drive per Windows.

All three have a ONE Windows only per disk limitation, because they need at boot time that sectors 2 up to ? (variable) hold specific data for the Windows that is loading, so more than one Windows requires more than one HDD; if a laptop can only have one, the easy way is to emulate the other based on a VHD (which has native support in Windows).

Please take care: this scheme is for GuRu's. Noobs must not try it on a real machine... so use VirtualBox to test all this prior to going for real.

Side note: If you cannot boot your Windows, boot another Windows, run DiskCryptor and mount the partition of the other Windows.

Special note: The VHDs can be where Grub2 is (they are used to boot); the corresponding copy can be on the root of the system partition for each Windows. Or Grub2 can be on an NTFS partition, so each Windows can see the VHDs there and there is no need for copies.

--Anonymous (Not signed in).....2017-02-09 14:45:25 UTC
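The Grub2 menu entry the comment above describes (linux16 memdisk + initrd16 VHD), written out as an added example; it is not the commenter's configuration. The partition (hd0,msdos5), the file paths, and the use of memdisk's harddisk option on a fixed-size VHD are assumptions.

```grub
# Added example of a grub.cfg entry for the memdisk + VHD scheme.
# Assumptions (not from the comment): memdisk and the VHD sit on the fifth
# partition of the first disk, and the VHD is a fixed-size image, so memdisk
# can treat it as a raw hard disk image (the 512-byte VHD footer lies after
# the last data sector and is ignored by the BIOS emulation).
menuentry "Windows 7 (boot partition inside VHD via memdisk)" {
    insmod part_msdos
    insmod ntfs
    # Partition holding memdisk and the VHD (assumed location).
    set root='(hd0,msdos5)'
    # memdisk (from the syslinux package) is loaded like a Linux kernel;
    # "harddisk" makes it present the initrd image as a hard disk, not a floppy.
    linux16 /boot/memdisk harddisk
    # The VHD that carries the small NTFS boot partition prepared with
    # bootsect /nt60 and bcdboot, as described in the comment.
    initrd16 /boot/win7-boot.vhd
}
```

Because the image is loaded into RAM by memdisk, the real disk is never written to at boot time, which is the property the comment highlights.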


