Perfect dual boot crypted hard disk setup with Truecrypt and LUKS

I have a work laptop used in Symbian and web development. I need to be able to boot both Vista and Linux. Due to client privacy, both operating systems must be crypted for the case of lost laptop. Even if I do not use Windows actively, its web browser data may contain stored password for client systems and it would be catastrophic to leak them accidentally.

Here are instructions how to encrypt your hard disk in safely but performance effective manner with Ubuntu 8.04 Hardy Heron and Windows Vista. These instructions can be applied for any version of Vista, since we use third party open source Truecrypt suite to encrypt the Windows partition. The instructions also give priority for Grub boot loader, so that the computer will boot to Linux if there is no user interaction during the boot.

  1. Install Windows Vista from the factory first boot installer
  2. Download Ubuntu 8.04 alternative install CD. The alternative install CD contains installer menus to encrypt your HD using LVM and LUKS.
  3. For the sake of performance, we only crypt /home directory on Linux partition which contains all user editable files. All other files in Linux, maybe excluding configuration files in /etc, are open source and encrypting them only slows your application start-up times. It is possible to encrypt /home after install, but it is much easier during the install time. Here are instructions how to set up encrypted home partition with alternative install CD.
  4. After this comes the exciting part. You must encrypt the Windows system partition using Truecrypt. Since Truecrypt is going to overwrite Ubuntu’s Grub bootloader on Master Boot Record (MBR), some magic is needed (detailed instructions).
    1. Install Truecrypt and overwrite MBR.
    2. Boot Ubuntu from live CD. Alternative install CD doesn’t work as it does not have grub binary. You could also try to boot from your Linux partition by giving out manual kernel root file system parameters for the CD boot loader.
    3. Back-up Truecrypt’s MBR to a file on /boot partition using dd
    4. Add Truecrypt’s MBR as a chain boot loader in Grub
    5. Rewrite MBR using Grub

For foreigners: You might want to keep the US keymap in hand, since the installer environment has not necessarily keymap set up correctly.

Note: Since my HP Pavilion dv9000 laptop has two 250 GB hds, the actual setup is following: windows system partition, windows data partition, rest is set up for Linux using LVM in stripe RAID containing the root partition and the crypted home. This effectively gives near 100 MB/s read speed from two 5400 RPM hds.

12 thoughts on “Perfect dual boot crypted hard disk setup with Truecrypt and LUKS

  1. I use TrueCrypt for Windows and dm-crypt with lvm for Ubuntu and press ESC at the TrueCrypt boot loader on the MBR to get to GRUB on the second partition. However, I never thought about getting GRUB to chainload TrueCrypt!

    So GRUB is installed on the MBR but the TrueCrypt boot loader is actually on installed on the second partition?

  2. Well I tried it and it works! I also discovered something interesting; if you put GRUB on the MBR and on the PBR of the second partition you can go back to GRUB from the TrueCrypt loader via the ESC key (assuming when you installed TrueCrypt you told it there was another boot loader.)

  3. Could you give (step by step) details on these parts:

    4.3 Back-up Truecrypt’s MBR to a file on /boot partition using dd
    4.4 Add Truecrypt’s MBR as a chain boot loader in Grub
    4.5 Rewrite MBR using Grub

  4. regarding the “magic needed” link, it should be ubuntuforums.org and not ubuntuforums.com (the former gives a ‘host not found’ error).

  5. I have just tested another interesting solution for multibooting with TrueCrypt. This one is using GRUB4DOS and ISO image of Truecrypt Rescue Disk. I wanted to have Grub showing first, and not see the Truecrypt loader until really needed (when I choose to start the TCrypted OS). The second advantage is that GRUB is used here in stage1.5 mode (des not load stage2 directly from MBR as in your example) hence it is not prone to changes to stage2 file location (e.g. during defragmentation).

    The idea is to boot the “TrueCrypt Rescue CD” ISO image from hard disk using Grub4DOS’ ability to map iso file as harddrive, when access to encrypted OS is requested. The Rescue CD behaves like a normal TC loader – when correct password is entered, it starts the encrypted OS exactly as if it was started from normal TC loader stored in MBR.

    I found the idea here:
    http://grub4dos.sourceforge.net/wiki/index.php/Mr

    My current setup looks like this:
    – partition 1: 128MB, “BOOT”, GRUB4DOS files
    – partition 2: 32GB, “WIN1-TC”, encrypted OS
    – partition 3: 32GB, “WIN2”, second OS

    GRUB4DOS is installed in MBR. It also takes a few sectors of track 1 (normally needed by TrueCrypt loader), so the trick with chainloading TC MBR from file cannot be used (chainloaded TC MBR would load rest of track 1, but it’s now GRUB’s data there and TC would hang). But we can use unique feature of GRUB4DOS – chainloading from ISO image:

    1. ISO of TrueCrypt Rescue Disk (the file generated during system encryption) should be copied to GRUB subfolder on BOOT partition

    2. In MENU.LST on boot partition, I have following entries:

    title 1st
    map –mem (hd0,0)/GRUB/TCRescueDisk.iso (hd32)
    map –hook
    unhide (hd0,1)
    hide (hd0,2)
    rootnoverify (hd0,1)
    makeactive
    chainloader (hd32)

    title 2nd
    hide (hd0,1)
    unhide (hd0,2)
    rootnoverify (hd0,2)
    makeactive
    chainloader +1

    It works without problems. When I power up the computer, GRUB is loaded, then if I choose option 2 the 2nd OS is loaded, and if I choose option 1 I get the TrueCrypt prompt, after which the 1st OS is loaded.

    I haven’t tested it, but this idea could potentially also allow having more than 1 TrueCrypt-encrypted Windows installations (normally this is not possible, as TC stores system-unique key data in track 1 of hdd, hence encrypting 2nd OS would overwrite data for 1st one): one could put more Recovery ISO images in BOOT partition (for each encrypted OS 1 ISO of it’s recovery CD) and add a similar “boot from ISO” entry to Grub’s MENU.LST file.

  6. can anyone provide me with the working link?
    step 4 looks very complicated.

  7. Pingback: Notes on chainloading TrueCrypt from GRUB2 (install GRUB2 on primary partition) : jmones, indoors


  8. regarding the ‘magic needed’ link, it should be ubuntuforums.org and not ubuntuforums.com (the former gives a ‘host not found’ error). ”

    dont you mean the latter gives an error?

Leave a Reply

Your email address will not be published. Required fields are marked *