Old April 21st, 2008   #1
epiphiny
5 Cups of Ubuntu
 
Join Date: Feb 2007
Beans: 23
HOWTO: Set up Full Disk Encryption in a Dual Boot System

Hi there, this is my first tutorial, so I apologise if it's a little rough around the edges.

What This Covers

This tutorial will allow you to create a basic dual boot system, using only free open source software, which is fully encrypted (apart from a boot partition).

I am by no means an encryption expert, so please do not take anything I say as canon.

At the end of this tutorial, you will have a system in which both windows and ubuntu are completely encrypted, including swap space, the windows page file, and hibernation files.

Warnings

I have only tried this on a VMware virtual machine, and my HP 530 laptop. I cannot guarantee it will work on any computer.

Also, this is not bulletproof. It is difficult to change the LUKS passphrase, and does not support keyfiles. You will therefore have to rely upon a very strong passphrase, which cannot change.

Also, your boot files will not be encrypted. There are ways around this; you can save them to a USB key, and take that with you, or only mount your boot partition as read only. If you choose the USB option, you must allow your computer to boot from USB, which could allow an attacker to boot a malicious operating system from a USB key. If you choose the read only option, an attacker can still modify your boot files if they are sufficiently motivated, and it will be difficult to update your kernel.

At the end of the day, you have to decide where to compromise. As a proof of concept, my set up uses a boot partition mounted read/write.

Ok, that's the nagging over, on to the procedure

1. Install Windows XP

This *should* work with vista, but I've not tested it.

2. Install ubuntu.

During the installation, use the alternative CD. At the partitioning phase, create a 400mb logical partition, and use the rest of the space to create a final partition. This should be set to 'type Physical Container for Encryption', in the part where you select filesystem.

It will write changes to disk, just follow the wizard until you get back to the format screen. Then select 'set up encrypted partition' from the top of the menu. Create a partition inside the encrypted partition, and set the type to Logical Volume.

Once the LV is set up, you can create new logical volumes for home, / and swap. The standard rule is to use twice your RAM for your swap space.

Once all your disk is set up, it will ask you to create a passphrase. Make sure it is a good one!

Continue with installation until you have a working system.

3. Boot to windows, and install Truecrypt.

Within truecrypt, select full disk encryption. Allow it to encrypt the windows partition ONLY, otherwise it will ruin your ubuntu installation. Tell it windows is on your MBR. It isn't, but we will address this problem later. Follow the instructions on screen; you will have to create a rescue CD and burn it.

4. Reboot the computer, and check that you can boot to windows.

If you can, it will allow you to pass through the truecrypt boot loader, and get into windows. You can then encrypt your entire windows partition.

5. Restore GRUB

Boot to the ubuntu Desktop cd, and open a terminal. Type

ls /dev/sd* /dev/hd*

This will list the hard drives on your computer, which should be in the format

hda hda1 hda2 hda3 hda4

or

sda sda1 sda2 sda3 sda4

use the command

sudo mkdir /mnt/boot/
# replace N with the number of the partition you want to try, e.g. /dev/sda3
sudo mount /dev/sdaN /mnt/boot/

followed by

ls /mnt/boot/

to find your boot partition. If your first guess is wrong, use

sudo umount /mnt/boot/

and repeat with a different partition. Your grub partition will include files grub and initrd

Now we need to copy the MBR. This is set up by truecrypt, and contains your decryption files to boot the operating system.

The command for this is;

sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256

Remember sda may be hda on your system.

This copies the MBR

Then start the grub sub-shell, with the command

sudo grub

remember the sudo, otherwise it won't work. In grub, type

install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p

replacing * with the partition of your disk. Grub uses a different system to linux, so you will need to subtract one from your partition number. Thus if your boot partition is sda4, grub will require (hd0,3)
(it doesn't matter if linux says sd or hd).

Finally, you need to set up grub to chainload the image you took earlier, to load the decryption algorithm.

All you need to do is edit /mnt/boot/grub/menu.lst so that your windows section looks like

title Windows XP Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,*)/truecrypt.mbr
boot

Done! You should now be able to boot, see grub, and select windows. This *should* drop you to the truecrypt bootloader, which will in turn allow you to boot windows after entering your password. Similarly, selecting ubuntu should ask you for your password, then boot it.

My sincere thanks to Jari Eskelinen, whose tutorial I've borrowed heavily from. This can be found at

http://keitin.net/jarpatus/articles/...ndex_eng.shtml

I hope this helps anyone thinking of dual booting with encryption; it really is pretty easy!

If anyone has questions, please feel free to reply and I'll do my best to answer them (remember, I'm definitely not an expert).
Also, if there is interest I will try and coax VMware into letting me take screenshots to clear up the more confusing parts!

Last edited by epiphiny; April 27th, 2008 at 09:28 AM. Reason: Implementing changes recommended by Distue
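An added example, not part of epiphiny's post: a sanity check on the two dd images from step 5 before GRUB overwrites the MBR, plus a SHA-256 manifest of the unencrypted boot partition so that later changes to the boot files can be detected. The function names are made up for this example, and it assumes `sha256sum` from GNU coreutils is available.

```shell
#!/bin/sh
# Added example (not from the original post). Call with the tutorial's
# paths, e.g. /mnt/boot/truecrypt.mbr and /mnt/boot/truecrypt.backup.

# check_mbr_image IMG BACKUP: succeed only if IMG is a plausible boot sector
# and is identical to the first sector of BACKUP.
check_mbr_image() {
    img=$1; backup=$2
    size=$(wc -c < "$img") || return 1
    [ "$size" -eq 512 ] || { echo "$img: $size bytes, expected 512" >&2; return 1; }
    # Bytes 510-511 of a valid MBR hold the boot signature 0x55 0xAA.
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$img: bad boot signature '$sig'" >&2; return 1; }
    # Both dd commands start reading at sector 0, so the backup must begin
    # with exactly the same 512 bytes as the single-sector image.
    dd if="$backup" bs=512 count=1 2>/dev/null | cmp -s - "$img" ||
        { echo "$img differs from first sector of $backup" >&2; return 1; }
}

# make_manifest DIR: print the SHA-256 of every regular file under DIR,
# sorted by path so two runs over identical content give identical output.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# verify_manifest DIR MANIFEST: succeed only if DIR still matches MANIFEST
# exactly; modified, added and removed files all cause a failure.
verify_manifest() {
    make_manifest "$1" | cmp -s - "$2"
}
```

Run `check_mbr_image` before the `install` command in the grub shell. Keep the manifest somewhere other than the boot partition it describes, since a manifest stored beside the files can be rewritten along with them.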
Old April 22nd, 2008   #2
staticsage
Just Give Me the Beans!
 
Join Date: Jul 2005
Beans: 71
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Thanks for this! I've been meaning to try the dual boot full disk encryption with Truecrypt ever since they offered full disk encryption. I'll do this in a VM as soon as I find time to test it. If it works out for me, it'll go on my laptop.

Thanks again.
Old April 27th, 2008   #3
Distue
First Cup of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Hello,

first thanks for the tutorial. It worked for me with Kubuntu 8.04 and Windows Vista Business.

I just had to do these modifications:

#1

The dd commands need "sudo" in my case:

Quote:
dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
to

Quote:
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
sudo dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256
#2

I have a boot partition, where the mount point is /boot, so /boot is not necessary:

Quote:
install (hd0,*)/boot/grub/stage1 (hd0) (hd0,*)/boot/grub/stage2 0x8000 p
to

Quote:
install (hd0,*)/grub/stage1 (hd0) (hd0,*)/grub/stage2 0x8000 p
Thanks again
Old April 27th, 2008   #4
Distue
First Cup of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Another point:

I've read somewhere that it is not that good an idea to create the swap partition with the logical volume manager due to performance reasons.
Old April 27th, 2008   #5
epiphiny
5 Cups of Ubuntu
 
Join Date: Feb 2007
Beans: 23
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Thanks Distue, good point well made - it's always easy to leave out stuff! I've edited the post to include the changes.

You can certainly create another logical partition for encryption, set it to swap, and set it to have a random passphrase (it's in the screen where you set the options like AES encryption etc). That said, I haven't noticed any performance issues, but you can certainly change it if you think it will make a difference.
Old May 2nd, 2008   #6
siouzi
Just Give Me the Beans!
 
Join Date: Nov 2007
Beans: 46
Ubuntu Jaunty Jackalope (testing)
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

You don't actually have to restore the grub, because you can ESC-key out of the truecrypt bootloader residing in MBR and it will look for any other bootable partitions. That is unless of course you want the linux bootloader to be on MBR and load linux by default (truecrypt bootloader will just sit there and wait for your input).

1. Install windows whatever
2. Install linux whichever way you want for dual or multi boot. Verify that you can still boot to windows and linux.
3. In linux install the grub to a bootable partition e.g. the /boot partition when using LUKS.
Code:
$ sudo grub
# n = the /boot (or root) partitions number minus 1
# e.g. if boot partition is the second partition on your drive, n = 1
grub> root (hd0,n)
grub> setup (hd0,n)
4. Install truecrypt in windows and encrypt the windows partition. Because of step 3 you can safely let truecrypt install the bootloader to MBR.
5. On boot, hit esc in the truecrypt prompt if you want to load linux (you'll see the grub menu).

Truecrypt is really good and smart software =)
Old May 2nd, 2008   #7
epiphiny
5 Cups of Ubuntu
 
Join Date: Feb 2007
Beans: 23
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

That should work, but on my system it couldn't find the grub bootloader. The way I wrote the tutorial should work regardless of how you've set up your system...
Old May 3rd, 2008   #8
laltopi
Spilled the Beans
 
Join Date: Oct 2005
Beans: 12
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Has anyone successfully encrypted an existing installation of ubuntu; or is a fresh install needed?
Old May 6th, 2008   #9
jesiah97
First Cup of Ubuntu
 
Join Date: Feb 2008
Beans: 1
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Perhaps you can detail the windows truecrypt procedures described in step 3. It is a little confusing to a new user and one could easily ruin their ubuntu installation (like I may have!)

Thanks
Old July 15th, 2008   #10
-X-
5 Cups of Ubuntu
 
Join Date: Apr 2006
Beans: 27
Dapper Drake Testing/
Re: HOWTO: Set up Full Disk Encryption in a Dual Boot System

Thanks a lot for the guide, worked well for me