Linux Mint Forums

[danmiddle2]

Dual Boot Linux Mint and Windows 7 – Both with full disk encryption
(albeit the boot partition will be unencrypted)

Here be Dragons disclaimer...
Firstly, if you don't understand what you are doing, this could erase your entire Operating System and all your data and leave you with an unbootable system. Therefore I accept no responsibility for any damage caused or data lost!

These instructions have been partly pieced together from a couple of other sets of instructions I found, so let's start with credit and thanks to:
http://www.steve-oh.com/blog/index.php/ubuntu-vista-dual-boot-full-encryption-with-truecrypt/
http://www.infosecramblings.com/backtrack/backtrack-5-bootable-usb-thumb-drive-with-full-disk-encryption/

I think disk encryption is extremely important, especially on mobile devices which may very well get left on the train at some point For me it's reassuring to know that, should I lose it, all my personal sensitive data is protected.

I have done this with both Mint 9 and recently Mint 12, so I thought I would write up the process in case anyone else might find it useful. There are some very slight variations between the different versions, but the variations are mainly in the Mint installer itself so I will leave you to make the relevant extrapolations for different Linux versions.

So here goes...

*BACKUP YOUR FILES BEFORE YOU BEGIN*

Firstly you need to install Windows 7 (or XP/Vista, these instructions should work without significant variance). Ensure you leave enough space for your Linux installation, or if Windows is already installed then reduce the Windows partition using the built in disk management tool, leaving enough unpartitioned space for Linux to use at a later stage.

Next you will need TrueCrypt, which you can download and install from;
http://www.truecrypt.org/
I have no afiliation but please consider donating as it's a great tool.

You then need to use TrueCrypt to encrypt the Windows system partition. Install it in a single boot configuration. This is a fairly self explanatory process, but be sure you create a recovery disk. You WILL NEED this later as we will be deliberately breaking the installed TrueCrypt bootloader.

Wait until it's finished encrypting (may take some time depending on system performance and disk size)

Next we need to install our encrypted Linux Mint System.

Firstly, you need to create a bootable Linux Mint USB stick (or a CD/DVD).
(If you're already a Linux user, you probably don't need any assistance in doing this.) For Windows users, the easiest way would be to use the USB installer, available here:
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

1) Select the appropriate Mint version from the dropdown list.
2) Browse to the ISO file on your hard drive (or allow the tool to download it for you).
3) Choose the correct USB drive and follow the instructions.

Boot your machine from the newly created USB stick or CD/DVD (you may need to enable booting from an external drive, and modify the boot order to get this to work).

Now that you're in Mint, you need to connect to a wireless network to get Internet access. Click on the network icon in the bottom right, or top left (depending on version) and select your wireless SSID, enter your key etc.

NB The speed and user experience at this stage is not indicative of the finished build. This is because running in “live” from USB or CD/DVD is not very fast.... at least on my systems which don't have USB 3.0.

Open a terminal by pressing ctrl+alt+t. All these commands need privileged “root” permissions, so I start with a
sudo -i
to get to a 'root prompt'. This is optional, you can prefix each command with sudo if you prefer. Using a root prompt in this fashion is not good practice for normal use, because running as root carries certain inherent risks. It's better to sudo only those commands which require higher permissions.

Next, determine which drive is which by typing;
fdisk -l

For this example let's assume /dev/sdb is my USB drive from which I had booted, and /dev/sda is the internal 256GB SSD, please be sure about your configuration before you proceed as you may lose data.

My existing partition table looked something like this;
/dev/sda1 – 150gb Windows 7 partition
remaining ~105gb unallocated space
(you may also have a recovery partition and / or a small 100mb system reserved partition)
Please be sure you understand your partitions.

So, to create the partitions.
fdisk /dev/sda

Create a boot partition and make it active (bootable).
NB This partition will remain unencrypted as this will contain the files used to boot and load the encrypted filesystem (this is loosely the same with all software full disk encryption solutions) and it's not really an issue as you shouldn't be storing user sentsitive data in the /boot partition.

If you're really paranoid you can always store the /boot partition on a USB memory stick and remove it from the laptop when not in use. This is overkill for my needs personally and have never tried this.

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (xxx-xxxxx, default xxx): <enter>
Using default value xxx
Last cylinder, +cylinders or +size{K,M,G} (1-xxxx, default xxxx): +2048M
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 83
Command (m for help): a
Partition number (1-4): 2

Next we will create an extended partition and a logical partition which will ultimately house the encrypted root and swap partitions:
Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 3
First cylinder (xx-xxxxx, default xx): <enter>
Using default value xx
Last cylinder, +cylinders or +size{K,M,G} (xx-xxxx, default xxxx): <enter>
Using default value xxxx
Command (m for help): n
Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (xx-xxxx, default xx): <enter>
Using default value xx
Last cylinder, +cylinders or +size{K,M,G} (xx-xxxx, default xxxx): <enter>
Using default value xxxx
Command (m for help): w

Now we will need to download the tools to set up the encrypted filesystem
apt-get update && apt-get install lvm2 cryptsetup hashalot

The next step will take a very long time, but will fill the partition we have just created with random data, which is stronger from a security perspective for reasons I wont go in to here. As an indication, it took approx 20 hours on my Vaio P with 128gb drive. Some instructions I have read describe this step as optional, which is technically true, but think about why you want to encrypt your system.... my advice? Take the time to do this properly.
dd if=/dev/urandom of=/dev/sda5

If you want to monitor the progress, as it's not very intuitive, then open another tab and type
sudo -i
ps -A | grep -i dd

This should give you the process number of the dd instance which is still running in the other tab. Then send the following command which should tell you how far along it's got. The results will show in the first tab.

kill -USR1 nnnnn
(where nnnnn is the process number from the previous command)

If the drive has previously held any personal / sensitive data, then it's also a good idea to do the following, just for good measure (This will take substantially less time):
dd if=/dev/urandom of=/dev/sda2

Now we need to set up the encrypted partition and open it:
cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: [type passphrase]
Verify passphrase: [type passphase]

cryptsetup luksOpen /dev/sda5 pvcrypt
Enter passphrase for /dev/sda5: [type passphrase]

Next, we need to create a root and a swap partition within the encrypted container we have just created. I have opted to use 4% of available space for this, but please adjust accordingly for your requirements.

pvcreate /dev/mapper/pvcrypt
Physical "volume /dev/mapper/pvcrypt" successfully created
vgcreate vg /dev/mapper/pvcrypt
Volume group "vg" successfully created
lvcreate -n swap -l 4%FREE vg
Logical volume "swap" created.
lvcreate -n root -l 100%FREE vg
Logical volume "root" created.

Now we need to create filesystems on the volumes we have just created:

mkfs.ext4 /dev/sda2
mkfs.ext4 /dev/mapper/vg-root
mkswap /dev/mapper/vg-swap

That's the prep done, we are now ready to install Linux Mint, but leave the terminal open as you will need it post install. We will not be rebooting at the end of the install.

MINT 12 Instructions (for MINT 9, scroll down)

Launch the Mint installer by clicking “Install Linux Mint” on the desktop, and when prompted

select language (English for me)
click continue
click continue on the next informational window (ensuring you have enough space and an Internet connection).
Then, when it says
“erase disk and install Linux Mint”
or
“something else”
select “something else, and click continue.

Now we need to select and allocate the partitions we have created
Highlight /dev/mapper/vg-root and click “change”
Use as: “Ext4 journalling file system”
Optionally tick the format box (we have already done this)
and the mount point is simply “/”
click OK

Highlight /dev/mapper/vg-swap and click “change
Use as: “Swap area”
click OK

Finally select /dev/sda2 and click “change”
Use as: “Ext4 journalling file system”
Optionally tick the format box (we have already done this)
and the mount point is simply “/boot”
click OK

Ensure “device for boot loader installation” is “/dev/sda”
and click “install now”
(this will overwrite our TrueCrypt bootloader, but we will recover that in a bit)

During the install select
your region, continue,
keyboard layout, continue
define your primary user, continue.
NB as mine is a single user machine I configure the system to log in automatically and rely on the disk encryption password to provide login authentication. If you're planning on using this as a multiple-user system then I wouldn't do that and I would also encrypt the /home/user so that it's protected from other users of the system
Select a picture, continue.

And wait for the install to finish.

VERY IMPORTANT
At the end ensure you click “continue testing”, as we now have an installed & encrypted system that won't boot if you click restart

Now scroll to below the Mint 9 instructions, to continue.

MINT 9

Launch the Mint installer by clicking on the “Install Linux Mint” icon on the desktop and, when prompted;

select language (English for me)
click forward
select location
click forward
select keyboard layout
click forward
select specify partitions manually
click forward

Now we need to select and allocate the partitions we have just created
Highlight /dev/mapper/vg-root and click “change”
Use as: “Ext4 journalling file system”
Optionally tick the format box (we have already done this, but it wont do any harm)
and the mount point is simply “/”
click OK

Highlight /dev/mapper/vg-swap and click “change“
Use as: “Swap area”
click OK

Finally select /dev/sda2 and click “change”
Use as: “Ext4 journalling file system”
Optionally tick the format box (again, we have already done this)
and the mount point is simply “/boot”
click OK

click forward
now define your primary user,
click forward.
NB as mine is a single user machine I configure the system to log in automatically and rely on the disk encryption password to provide login authentication. If you're planning on using this as a multiple-user system then I wouldn't do that and I would also encrypt the /home/user so that it's protected from other users of the system

Click forward, (twice more, I think) and it will begin installing.

Now wait for the install to finish.

VERY IMPORTANT
At the end ensure you click “continue testing”, as we now have an installed & encrypted system that won't boot if you click restart

MINT 12 (and 9) USERS, CONTINUE FROM HERE

So before we reboot we now need to configure the newly installed system to read the encrypted filesystem (it will prompt for your passphrase during the boot process).

In the terminal, type:
blkid /dev/sda5
/dev/sda5: UUID="1a123bc4-5de6-7891-f0gh-1i1112j13kl1" TYPE="crypto-LUKS"

make a note of the UUID, as we will need this in a bit.

mkdir /mnt/mint
mount /dev/mapper/vg-root /mnt/mint
mount /dev/sda2 /mnt/mint/boot
mount -o bind /dev /mnt/mint/dev
mount -o bind /sys /mnt/mint/sys
mount -o bind /proc /mnt/mint/proc
chroot /mnt/mint

Now we essentially have a terminal prompt on the newly installed system so we need to reinstall the disk encryption tools:
apt-get update && apt-get install lvm2 cryptsetup hashalot

And edit
nano /etc/crypttab

add a new line which looks like the following, using the UUID we got before
pvcrypt /dev/disk/by-uuid/<uuid from above> none luks
ctrl+x
y
<enter>

so your line should look something like this;
pvcrypt /dev/disk/by-uuid/1a123bc4-5de6-7891-f0gh-1i1112j13kl1 none luks

And finally...

update-initramfs -u

That should be it... fingers crossed... reboot. You should now have a single boot installation as the TrueCrypt is gone.

Once rebooted, if you want to fix the boot splash image and get it looking 'pretty' you need to click on the Mint menu icon, load the Control Centre. Under system click on start-up manager. On the boot options tab change the resolution to 1024x768 and the colour depth to 24bit and tick the show boot splash and show text during boot box. Click close... and next time you restart you should have a prettier boot splash.

Now we need to downgrade from Grub 2 to Grub 1. This is because I don't know of a way to chainload in Grub 2.

Launch a terminal by pressing CTRL+ALT+T

Optionally backup Grub2, personally I dont bother with this
sudo cp /etc/default/grub /etc/default/grub.old
sudo cp -R /etc/grub.d /etc/grub.d.old
sudo cp -R /boot/grub /boot/grub.old

Next, remove Grub2 completely
sudo apt-get purge grub-pc
The system will be unbootable until another bootloader is installed.

Now install Grub-legacy
sudo apt-get install grub
(Some distro's do this automatically upon the removal of grub-pc, but it's best to be sure )
sudo grub-install /dev/sd a
sudo update-grub

Reboot to ensure this still works.

Next thing we need to do is restore the Truecrypt bootloader. Boot from the TC recovery CD you made earlier. From the recovery options, restore the bootloader (I have to restore the crypto as well). And boot into Windows to ensure that this works.

It's a bit convoluted, I know, but this is the only way it worked for me, so bear with it.

Now you need to shutdown and once again boot from your Mint Live USB memory stick. From a terminal, do the following:
sudo -i
mount /dev/sda2 /boot
dd if=/dev/sda of=/boot/truecrypt.mbr count=1 bs=512
dd if=/dev/sda of=/boot/truecrypt.backup count=8 bs=32256
nano /boot/grub/menu.lst

Add the following entry
title Windows 7
rootnoverify (hd0,0)
makeactive
chainloader (hd0,1)/truecrypt.mbr
boot

ctrl+x
y
[enter]

sudo apt-get purge grub-pc
sudo apt-get install grub
sudo grub-install /dev/sd a

That should be it. Reboot, remove the USB and the TrueCrypt bootloader... and you should now be able to boot into Windows or Linux from Grub.

These instructions worked for me, and will hopefully be of use to others, but bear in mind that some have been written up from memory... so please let me know any corrections.

Good luck!

[siz182]

Hi,

I initially found your guide when I was intending on dual booting with Windows 7. However, I decided to use it as a guide for a full disk encrypted install of Mint 13 with the /boot partition located on a removable USB key instead.

I followed through line by line (with the exception of changing device names appropriately i.e. /dev/sda1 for boot instead of /dev/sda2 as in the guide), from creating the partitions to updating initramfs without error messages. However, after restarting the system, I have a black screen and flashing cursor. No boot menu, no prompt for a password.

I thought I may have made a mistake by adding the USB key to the mix, so I repeated the entire procedure only this time leaving the /boot partition on the same disk as per the guide. Upon booting, I had exactly the same results.

I was hoping you might have some suggestions for troubleshooting. I haven't been able to find much via search engines that deal specifically with troubleshooting failures in this area. Any suggestions would be greatly appreciated.

[attackroomba]

Sorry for dredging an old thread, however, I do have something to add, and would also like to provide my thanks for posting these instructions.

The main changes were around the limitations of the TrueCrypt boot loader, and how it works together wtih Grub2.

I chose to seek out how get my system to boot without an MBR on the disk. Instead, booting would be performed from an external USB drive.

I tried to use grub2tc, however, I was unable to get this to work, and now thinking about it, using the method that I used ultimately may also work for the grub2tc method as well. I ended up utilizing the raw ISO that is generated when the Windows partitions are encrypted by TrueCrypt.

These steps were performed having had the system installed on the hard drive, so the contents of /boot were already available, and I simply copied them to the USB drive post-install. If the USB drive is prepared prior to installation of the system, the /boot volume can be selected in the installer, and the MBR may be installed onto the USB drive at that time using it instead. This will place all of the boot files into the /boot volume on the USB drive automatically. Also, the installer can be used to format the USB drive instead of gparted.

Start by preparing the USB drive to contain the MBR, and a partition in which to contain the boot files (initrd, kernel, grub.cfg, etc):
I did this with gparted while booted using a Linux Mint ISO so these steps aren't very specific, plus depending on the drive they wouldn't be anyway.

Code: Select all

1. Open gparted, and select the drive to be partitioned. Make doubly sure you've got the right drive selected.
2. If you don't want to remove the existing partitions, then moving them should be an option.
3. Allow for some free space infront of the first partition (I gave 10MB). Less space is probably an option too, 1MB may be enough. This partition can be formatted fat.
4. Allow for some free space after the first partition, I chose the classic 100MB, as this will soon be the linux /boot volume.
5. Create a second partition in that 100MB free space, using the rest of the drive. This partition can be ext2/3/4/fat.
6. Make sure you've got the right drive selected again, and apply your changes.

Since I did this post-install I have some other steps which will also have to be performed when a kernel update is needed (because initrd and kernel are stored on the USB drive). The following steps can be performed in the OS (post-install) or from a live CD (and having your / parition mounted at /mnt/mint and chrooted like in the instructions above).

Mount the USB drive at /boot:

Code: Select all

mount /dev/sd#2 /boot

Note: Replace the # with your USB drive letter.

Make the grub entry in /etc/grub.d/40_custom:

Code: Select all

menuentry "Windows 7 (ISO from USB drive)" {
    insmod part\_msdos
    insmod fat
    insmod ext2
    drivemap -s hd0 hd1
    linux16 /memdisk iso raw
    initrd16 /tcrescue.iso
}

Note: The key part of the entry above is the swap of the drives using the drivemap. Reason being is that when grub2 loads, it sees the USB drive as hd0, and when the tcrescue.iso is loaded, it looks at hd0 for the TrueCrypt boot info and doesn't find it and will fail. This is the part where grub2tc could probably work if i swapped in the bits for that instead of the ISO method. The ISO method doesn't require any conversion of the ISO using a third party software, though. If TrueCrypt chooses to change the ISO format, and grub2tc doesn't accomodate, it can break that method. This is probably the most stable method.

Next set up the device.map that update-grub2 will use when building a new grub.cfg (among other files). The goal is to tell update-grub2 where the USB drive currrently is, and what it should call it when building the boot files. This allows it to be called by the correct name when booting because if the system is booting off of the USB drive, the USB drive will always be detected as hd0. If the system is currently booted up either on the HDD, or using a Live CD, it will not be detected as hd0, and it will be called something else in grub.cfg. So the goal is to sort it out for update-grub2 so that when the system boots, it's looking at the correct drive.

The file to edit is normally /boot/grub/device.map (if your boot partition is not mounted on /boot, the grub directory will be located where it is mounted instead). In my fooling around with getting the system booting, I deleted this file entirely. The one that's created by the system automatically may contain more information than what is provided in my example.

Code: Select all

(hd0) /dev/sdb
(hd1) /dev/sda

It could probably be gotten away with only having hd0 defined since nothing is directly done with hd1 by grub2. Once the kernel and initrd are gotten from hd0, the encrypted partition is located via UUID instead of block device from within the initrd. I've included both just because, and also for clarity. From the example above, my system is currently booted, and /dev/sda is my HDD, and /dev/sdb is the USB drive which has my boot partition. When my system boots, the USB drive will be hd0, and the HDD will be hd1, so I want my grub.cfg to use hd0 instead of hd1 which is what it would do without the device.map telling it to do that.

Once the above changes are made, the boot files have to be rebuilt:

Code: Select all

update-grub2

Then install the grub2 boot loader onto the device:

Code: Select all

grub-install /dev/sd#

Note: The loader is not being installed to the /boot partition, but to the device itself.

At this point reboot and boot from the USB drive, and confirm that it works to boot both the Linux and Windows OS.
-----------------------------------------------
Great, now that it works. The MBR can be cleaned from the HDD to prevent booting to either OS without the external USB drive.

After booting into Linux, mount up the USB drive /boot volume, to make a backup of the existing MBR/Partition Table:

Code: Select all

mount /dev/sd#2 /boot

Make a backup of the existing MBR/Partition Table:

Code: Select all

dd if=/dev/sd# of=/boot/sd#.mbr bs=512 count=1

For more info on MBR layout, check out the wikipedia article: https://en.wikipedia.org/wiki/Master_boot_record

Unmount the USB drive, and remove it from the system to ensure the safety of the your HDD's MBR:

Code: Select all

umount /dev/sd#

Next, wipe the TrueCrypt Boot strap code from the HDD:

Code: Select all

dd if=/dev/zero of=/dev/sd# bs=63 count=1

Note: A lot of folks say to wipe out 446 bytes of this section of the drive. This would leave the partition table (very important), but wipe the MBR boot code, however, this will prevent TrueCrypt from loading properly regardless of the system booting from the ISO. There is apparently some information stored in the 64-446 bytes that it needs in order to boot. This information is probably similar to partition table information.

Reboot the system, and confirm that it no longer boots from the HDD.

Plug in the USB drive, and reboot (may need a power cycle, or hitting of the reset switch), and confirm that the system boots off the USB drive to both Windows and Linux.

Congratulate yourself on not borking your system.