Perfect dual boot encrypted hard disk setup with TrueCrypt and LUKS
I have a work laptop used in Symbian and web development. I need to be able to boot both Vista and Linux. Due to client privacy, both operating systems must be encrypted in case the laptop is lost. Even if I do not use Windows actively, its web browser data may contain stored passwords for client systems, and it would be catastrophic to leak them accidentally.
Here are instructions on how to encrypt your hard disk in a safe but performance-efficient manner with Ubuntu 8.04 Hardy Heron and Windows Vista. These instructions can be applied to any version of Vista, since we use the third-party open source TrueCrypt suite to encrypt the Windows partition. The instructions also give priority to the Grub boot loader, so that the computer will boot to Linux if there is no user interaction during the boot.
- Install Windows Vista from the factory first-boot installer.
- Download the Ubuntu 8.04 alternate install CD. The alternate install CD contains installer menus to encrypt your HD using LVM and LUKS.
- For the sake of performance, we encrypt only the /home directory on the Linux partition, which contains all user-editable files. All other files in Linux, maybe excluding configuration files in /etc, are open source, and encrypting them only slows your application start-up times. It is possible to encrypt /home after the install, but it is much easier at install time. Here are instructions how to set up an encrypted home partition with the alternate install CD.
- After this comes the exciting part. You must encrypt the Windows system partition using TrueCrypt. Since TrueCrypt is going to overwrite Ubuntu’s Grub boot loader in the Master Boot Record (MBR), some magic is needed (detailed instructions).
- Install TrueCrypt and let it overwrite the MBR.
- Boot Ubuntu from the live CD. The alternate install CD doesn’t work, as it does not have the grub binary. You could also try to boot from your Linux partition by giving manual kernel root file system parameters to the CD boot loader.
- Back up TrueCrypt’s MBR to a file on the /boot partition using dd.
- Add TrueCrypt’s MBR as a chain boot loader in Grub.
- Rewrite the MBR using Grub.
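The backup and chain-load steps above, as an added shell example that is not from the original post or the linked instructions: `backup_mbr` saves and verifies the first sector, and `grub_entry` prints a GRUB legacy menu.lst stanza for it. The function names, the file name truecrypt.mbr, /dev/sda and the partition names (hd0,0) and (hd0,1) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): save the MBR sector that the
# TrueCrypt installer wrote, verify the copy, and print a GRUB legacy entry.

# Print the 2-byte boot signature at offset 510 as hex ("55aa" when valid).
mbr_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# backup_mbr SRC DEST: copy the first 512 bytes of SRC to DEST, then verify.
backup_mbr() {
    src=$1; dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # A sector without the 0x55AA signature is not a boot sector worth chaining.
    [ "$(mbr_signature "$src")" = "55aa" ] || { echo "no boot signature" >&2; return 3; }
    # Never overwrite an earlier backup: it may be the only good copy.
    [ ! -e "$dest" ] || { echo "$dest already exists" >&2; return 4; }
    dd if="$src" of="$dest" bs=512 count=1 2>/dev/null || return 5
    # Re-read the source and compare byte for byte with the saved file.
    dd if="$src" bs=512 count=1 2>/dev/null | cmp -s - "$dest" || { rm -f "$dest"; return 6; }
}

# grub_entry BOOT_PART FILE: menu.lst stanza for GRUB legacy (Ubuntu 8.04).
# Assumptions: Windows is on (hd0,0); BOOT_PART is the GRUB name of /boot.
grub_entry() {
    printf 'title Windows Vista (TrueCrypt)\n'
    printf 'rootnoverify (hd0,0)\n'
    printf 'chainloader %s/%s\n' "$1" "$2"
}

# Constructed sample input: a 1 MiB blank image with a valid boot signature.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage on the real disk, from the live CD, as root (device names are assumptions):
#   backup_mbr /dev/sda /boot/truecrypt.mbr && grub_entry '(hd0,1)' truecrypt.mbr
```

Keep a second copy of the saved sector off the laptop, since the /boot partition lives on the same disk as the MBR it backs up.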
For foreigners: You might want to keep the US keymap at hand, since the installer environment does not necessarily have the keymap set up correctly.
Note: Since my HP Pavilion dv9000 laptop has two 250 GB HDs, the actual setup is as follows: a Windows system partition, a Windows data partition, and the rest is set up for Linux using LVM in striped RAID, containing the root partition and the encrypted home. This effectively gives nearly 100 MB/s read speed from two 5400 RPM HDs.
Printing to Windows Vista printer from Linux
Today my head hurts. It appears that Linux clients cannot access Microsoft Windows Vista shares or printers, because Microsoft changed the sharing protocol from SMB to SMB2 in Windows Vista. In theory, if the client doesn’t support SMB2, the Vista server should fall back to the old and faithful working SMB. In practice, Linux Samba clients have a bug (still in Ubuntu Feisty Fawn and Samba 3.0.24) and this doesn’t happen.
You get this error in the CUPS logs:
E [20/Aug/2007:18:43:25 +0300] [Job 141] No ticket cache found for userid=1000
E [20/Aug/2007:18:43:25 +0300] [Job 141] Can not get the ticket cache for moo
E [20/Aug/2007:18:43:25 +0300] [Job 141] Session setup failed: NT_STATUS_LOGON_FAILURE
E [20/Aug/2007:18:43:25 +0300] [Job 141] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [20/Aug/2007:18:43:25 +0300] [Job 141] Unable to connect to CIFS host, will retry in 60 seconds...
Even worse, CUPS and the Gnome UI fail silently. The printer shows a status “still printing” and no error is reported to the user.
You can still print to a Windows Vista server if you install LPD printer sharing on Windows Vista. Both the CUPS printer manager and Vista support the LPD protocol for printing. Follow these excellent instructions.
Now, back to work after 3 hours of unneeded bang-my-head-to-wall.
EDIT: This seems to be fixed in Samba 3.0.25.