Perfect dual boot encrypted hard disk setup with TrueCrypt and LUKS
Posted on July 15, 2008 by Mikko Ohtamaa
Filed Under ubuntu, vista, windows
I have a work laptop used for Symbian and web development. I need to be able to boot both Vista and Linux. Because of client confidentiality, both operating systems must be encrypted in case the laptop is lost. Even though I do not use Windows actively, its web browser data may contain stored passwords for client systems, and leaking them accidentally would be catastrophic.
Here are instructions for encrypting your hard disk in a safe but performance-conscious manner with Ubuntu 8.04 Hardy Heron and Windows Vista. The instructions apply to any version of Vista, since the Windows partition is encrypted with the third-party open source TrueCrypt suite. They also give priority to the GRUB boot loader, so that the computer boots Linux if there is no user interaction during boot.
1. Install Windows Vista from the factory first-boot installer.
2. Download the Ubuntu 8.04 alternate install CD. The alternate install CD contains installer menus for encrypting your hard disk using LVM and LUKS.
3. For the sake of performance, only the /home directory on the Linux side is encrypted; it contains all user-editable files. Everything else in Linux, with the possible exception of the configuration files in /etc, is open source software, and encrypting it only slows application start-up. One caveat: swap must be encrypted (or disabled) as well, because the kernel pages memory, including plaintext of files you have opened from /home, out to it. It is possible to encrypt /home after installation, but it is much easier during the install. Here are instructions for setting up an encrypted home partition with the alternate install CD.
4. Now comes the exciting part. You must encrypt the Windows system partition using TrueCrypt. Since TrueCrypt is going to overwrite Ubuntu's GRUB boot loader in the Master Boot Record (MBR), some magic is needed (detailed instructions):
   4.1 Install TrueCrypt and let it overwrite the MBR. TrueCrypt makes you burn and verify a Rescue Disk before it encrypts the system partition; keep it, since it can restore the TrueCrypt boot loader if the MBR juggling below goes wrong.
   4.2 Boot Ubuntu from the live CD. The alternate install CD does not work here, as it has no grub binary. You could also try booting from your Linux partition by giving the CD boot loader the kernel's root file system parameters manually.
   4.3 Back up TrueCrypt's MBR to a file on the /boot partition using dd. /boot is a plain, unencrypted partition here, which is also what GRUB legacy needs, since it cannot read LVM volumes.
   4.4 Add TrueCrypt's MBR as a chainloaded entry in GRUB.
   4.5 Rewrite the MBR using GRUB.
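The last three sub-steps above (back up TrueCrypt's MBR with dd, add it to GRUB as a chainloader entry, rewrite the MBR with GRUB) in the form a practitioner would actually type. This is an added example, not the post's or the Ubuntu forums' own script. It targets GRUB legacy (0.97) as shipped with Ubuntu 8.04; the device name /dev/sda, the GRUB partition name (hd0,2) for /boot, the live-CD mount point /mnt and the file name truecrypt.mbr are assumptions to be adjusted to your own layout. The backup function refuses a sector that lacks the 0x55 0xAA boot signature, which catches a mistyped device name or an already-clobbered MBR before GRUB is reinstalled.

```shell
#!/bin/sh
# Added example (not from the original post): the dd backup, GRUB chainloader
# entry and MBR rewrite for GRUB legacy 0.97 on Ubuntu 8.04.  Device names,
# partition numbers, the /mnt mount point and the file name truecrypt.mbr are
# assumptions; adapt them to your disk layout.
set -eu

# Copy the first 512-byte sector of DISK (the MBR that TrueCrypt wrote) to OUT.
# A valid MBR ends in the bytes 0x55 0xAA at offset 510; anything else means
# the wrong device was named or the sector is already gone, so refuse it.
backup_mbr() {
    disk=$1
    out=$2
    dd if="$disk" of="$out" bs=512 count=1 2>/dev/null
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "short read from $disk" >&2; return 1; }
    sig=$(dd if="$out" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$out has no boot signature (got '$sig')" >&2; return 1; }
}

# Print the /boot/grub/menu.lst stanza that chainloads the saved sector.
# GRUB_ROOT is GRUB's name for the partition holding the backup; FILE is the
# path relative to that partition: /truecrypt.mbr when /boot is its own
# partition, /boot/truecrypt.mbr when /boot lives on the root file system.
grub_stanza() {
    grub_root=$1
    file=$2
    printf 'title\t\tWindows Vista (TrueCrypt boot loader)\nroot\t\t%s\nchainloader\t%s\n' \
        "$grub_root" "$file"
}

# Real use, as root from the live CD with the Linux root mounted at /mnt and
# /boot at /mnt/boot (commented out so the functions can be exercised against
# a plain disk image file first):
#   backup_mbr /dev/sda /mnt/boot/truecrypt.mbr
#   grub_stanza '(hd0,2)' /truecrypt.mbr >> /mnt/boot/grub/menu.lst
#   grub-install --root-directory=/mnt /dev/sda
```

Only the first sector is saved. GRUB legacy's grub-install embeds its stage1.5 in the sectors directly after the MBR, and TrueCrypt keeps the rest of its boot loader in that same first track, so test the chainloaded entry immediately after the reinstall with the TrueCrypt Rescue Disk in the drive; the Rescue Disk can put the TrueCrypt boot loader back if the entry does not come up.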
If you use a non-US keyboard layout, keep a US keymap reference at hand: the installer environment does not necessarily have your keymap set up, and TrueCrypt's pre-boot password prompt uses the US layout, so check where every character of your passphrases sits on a US keyboard before you rely on them.
Note: since my HP Pavilion dv9000 laptop has two 250 GB hard disks, the actual setup is as follows: Windows system partition, Windows data partition, and the rest set up for Linux using LVM striped across both disks (RAID 0 style), containing the root partition and the encrypted home. This gives close to 100 MB/s read throughput from two 5400 RPM disks; the price of striping is that losing either disk loses the whole volume, so back up.
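As an added illustration (not configuration from the original post) of what the "encrypt /home only" layout above looks like once the system is installed, and of the swap caveat that goes with it, here is the shape of /etc/crypttab and /etc/fstab on Ubuntu 8.04 with /home on LUKS inside LVM and swap keyed from /dev/urandom at every boot. The logical volume name vg-home, the swap partition /dev/sda6 and the ext3 choice are assumptions; substitute your own.

```text
# /etc/crypttab   (target   source   keyfile   options)  -- assumed names, adjust
home        /dev/mapper/vg-home   none           luks
cryptswap   /dev/sda6             /dev/urandom   swap,cipher=aes-cbc-essiv:sha256,size=256

# /etc/fstab
/dev/mapper/home        /home   ext3   defaults   0   2
/dev/mapper/cryptswap   none    swap   sw         0   0
```

The `swap` option makes cryptsetup run mkswap on the mapping at every boot, so double-check that the source really is the swap partition: a typo there formats some other partition on each reboot. Because the key is thrown away at power-off, suspend-to-disk (hibernate) cannot resume from random-key swap; suspend-to-RAM is unaffected.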
I use TrueCrypt for Windows and dm-crypt with lvm for Ubuntu and press ESC at the TrueCrypt boot loader on the MBR to get to GRUB on the second partition. However, I never thought about getting GRUB to chainload TrueCrypt!
So GRUB is installed on the MBR but the TrueCrypt boot loader is actually installed on the second partition?
Well I tried it and it works! I also discovered something interesting; if you put GRUB on the MBR and on the PBR of the second partition you can go back to GRUB from the TrueCrypt loader via the ESC key (assuming when you installed TrueCrypt you told it there was another boot loader.)
Could you give (step by step) details on these parts:
4.3 Back-up Truecrypt’s MBR to a file on /boot partition using dd
4.4 Add Truecrypt’s MBR as a chain boot loader in Grub
4.5 Rewrite MBR using Grub
Those steps can be found in the Ubuntu forums thread linked in this post.