Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux

    I am mainly a Windows 7 user who needs Linux only sometimes, so I need a dual boot system. I also want to encrypt my entire hard drive for privacy. I used to have TrueCrypt encrypting my entire hard drive, but TrueCrypt does not really support dual boot systems with GRUB, because the TrueCrypt bootloader must reside in the Master Boot Record (MBR).

    There are several guides on the Internet about how to create a dual boot system with TrueCrypt, but all of them involve placing the TrueCrypt rescue disk image into a separate partition. This is an ugly solution for a mainly Windows user, because it involves a few extra keystrokes to activate the rescue partition, and the rescue partition is not hidden. I came up with an alternative solution for people who want to boot directly into Windows with a silent TrueCrypt login most of the time, but need a few extra keystrokes to get into Linux.

    WARNING: DOES NOT WORK WITH WINDOWS 8.1 BECAUSE TRUECRYPT DOES NOT SUPPORT GPT PARTITIONS

    Make a backup of everything first! And make sure your backup is encrypted.

    This guide assumes that you have a Windows 7 installation that you are not willing to wipe, and you do not have Linux yet. My computer has 8 GB of RAM and uses an SSD, so I prefer not to use swap space, which is convenient because it means one less partition to deal with.

    You will also need a few USB drives: an 8 GB one for the Linux installer, a 2 GB one for the Super GRUB2 Disk (optional step), and a 4 GB one for Windows 7 recovery (optional step). You might also need a CD burner and a CD-R for the TrueCrypt rescue disk.

    1. Decrypt your Windows partition
    2. Create a bootable Windows 7 rescue disk, using UNetbootin and a Windows 7 installation disk image
    3. Create a bootable USB drive containing Super GRUB2 Disk, you can try using one of these tools:
    4. Test it out, reboot into the USB drive, you may need to adjust your BIOS settings
    5. Create a bootable USB drive containing your Linux distribution (I used LinuxLive USB Creator and Linux Mint 15; make sure it supports persistent mode!)
    6. Boot into the USB drive containing Linux, use persistent mode
      • Use GParted or a similar tool to resize your Windows partition to free up some space for Linux, note that Linux Mint 15 requires about 6 GB minimum, plus more if you need swap space
      • If there is swap space on your USB drive, you need to remove the swap partition. First run “sudo swapoff -v -a” in the terminal, then use GParted (or similar) to delete the swap partition. The installer refuses to create an encrypted partition while swap is active on an unencrypted device, since memory contents could be written to it in the clear, so you will get an error if you skip this step.
      • Remember to commit your changes to the USB drive
    7. I personally would reboot into Windows right now: because we resized the Windows partition, Windows will want to run a disk check on the next boot. Do not interrupt it (your screen might be blank for a long time)
    8. Boot back into the USB Linux in persistent mode. Run the installer, but manually set the partitions, do not use the automatic configurations
    9. In the free space, allocate 200 MB for an EXT4 partition and set it to be mounted to /boot
    10. The rest of the free space should be set to “physical container for encryption” or something like that. During this step, you will be asked to set a password first. Then the installer should create “/dev/mapper/xxx_crypt” entries that represent the encrypted containers.
    11. Set the main mapped container to an EXT4 partition mounted to “/”. If you want swap space, add some.
    12. The installer should allow you to continue, go through the rest of the installer normally. Reboot after installation.
    13. On the reboot, if everything works, you should see a GRUB menu listing both Linux and Windows options and letting you pick which one to boot.
    14. Boot into Windows again, run TrueCrypt (I am using version 7.1a) and start the “Encrypt System Partition/Drive”.
      1. “Type of System Encryption” is “Normal” (unless you actually need “Hidden”, which I will not talk about since I haven’t tried it yet)
      2. “Area to Encrypt” is “Encrypt the Windows system partition”
      3. “Number of Operating Systems” is “Multi-Boot”
      4. You might get a warning regarding “inexperienced users”, click “continue” or “yes” if it asks you to continue
      5. “Is the currently running operating system installed on the boot drive?”, my answer is “yes”
      6. “Is a non-Windows bootloader installed in the MBR?”, select “No”, even though the answer is technically “Yes”; TrueCrypt v7.1a doesn’t know how to handle “Yes”. This step tells TrueCrypt that it is OK to overwrite GRUB with TrueCrypt in the MBR.
      7. After these questions, continue with disk encryption as usual (choose algorithms, set password, etc)
      8. You will run into the step that creates a TrueCrypt rescue disk, follow the instructions and finish this step
      9. There will be a system pretest, which involves a reboot, go through this as normal
      10. Start and finish the actual encryption process as normal, this takes a long time. This is technically the last step.
    15. After it finishes, reboot, you will run into a TrueCrypt bootloader that asks for your password. You are finished!
    16. To boot into Linux, press ESC in the TrueCrypt bootloader to enter the manager, you will see a few partitions listed. GRUB is installed on the partition we allocated 200MB to. Selecting that partition will show the GRUB menu, from which you can select Linux. After you select Linux, you will be asked for the password for the Linux partition.
    17. I suggest you securely erase your USB drive

    The result is an *almost* fully encrypted computer:

    • TrueCrypt bootloader in the MBR
    • Win7 Bootloader in sda1 and sda2 (encrypted)
    • GRUB2 in sda5 as /boot (NOT encrypted! Do not save anything sensitive in /boot)
    • Linux in sda6 (encrypted)

    And I boot into Windows by default, and boot into Linux with 3 extra keystrokes.
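    As an added example (not from the original post), here is a small POSIX shell check for the layout listed above: root must be a dm-crypt mapping and /boot must be a separate, unencrypted partition. It assumes util-linux findmnt and lsblk are available on the Linux side; the checking function itself takes plain strings, so the failure modes can be exercised without a real disk.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the installed
# system has the layout this guide produces (root on a dm-crypt mapping,
# /boot on its own plain partition). Assumes util-linux findmnt and lsblk.

# classify_layout ROOT_SRC ROOT_TYPE BOOT_SRC
#   ROOT_SRC  : mount source of /          (findmnt -no SOURCE /)
#   ROOT_TYPE : lsblk TYPE of that source  (lsblk -dno TYPE ROOT_SRC); "crypt" for dm-crypt
#   BOOT_SRC  : mount source of /boot, empty when /boot is not its own mount
# Prints one verdict line; returns 0 only for the layout this guide produces.
classify_layout() {
    root="$1"; root_type="$2"; boot="$3"
    if [ "$root_type" != "crypt" ]; then
        echo "FAIL: / is on $root (type: ${root_type:-unknown}), not a dm-crypt mapping"
        return 1
    fi
    if [ -z "$boot" ]; then
        echo "FAIL: /boot is not a separate partition; with / encrypted, GRUB has no plain partition to load from"
        return 1
    fi
    case "$boot" in
        /dev/mapper/*)
            echo "FAIL: /boot is on $boot; this layout needs a plain /boot that the TrueCrypt boot manager can chainload"
            return 1 ;;
    esac
    echo "OK: / on $root (dm-crypt), /boot on $boot (plain: keep nothing sensitive there)"
    return 0
}

# Run against the live system when the tools are present; a non-zero
# return just means the layout differs from the one described above.
if command -v findmnt >/dev/null 2>&1 && command -v lsblk >/dev/null 2>&1; then
    root_src="$(findmnt -no SOURCE /)"
    classify_layout "$root_src" "$(lsblk -dno TYPE "$root_src" 2>/dev/null)" \
        "$(findmnt -no SOURCE /boot 2>/dev/null)" || true
fi
```

    Run it from the installed Linux after step 13; on the layout above it reports root on /dev/mapper/sda6_crypt and /boot on /dev/sda5. The /dev/mapper check on /boot is deliberate: the TrueCrypt boot manager hands control to a partition boot sector, so /boot has to stay readable without a passphrase.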

    You may hide the TrueCrypt password prompt through TrueCrypt’s system encryption settings, but it will stop you from booting into Linux because the ESC key won’t work anymore. If you must do this, you need to constantly enable and disable this option. (correction, there’s a comment below from Jeff about how to configure the ESC key correctly, thanks Jeff)

    Problems I’ve run into

    If you cannot start Windows at any point before the encryption has started, you should create a Windows 7 rescue disk and run startup repair from it. UNetbootin is capable of doing this if you have the Windows 7 installation disk image.

    If you cannot access GRUB at any point, you can try using the Super GRUB2 Disk I’ve asked you to create. It should be able to automatically find Windows for you, but it might have trouble finding the encrypted Linux partition. Try asking it to look for the GRUB2 configuration file, and it might be able to bring GRUB back. If not, then you need to run “boot-repair” (see below).

    My GRUB2 didn’t install right, on reboot, it gave me a simple “grub>” prompt. This issue was resolved by…

    1. I used my Windows 7 rescue disk because I still needed to do work in Windows; this will remove GRUB from the MBR
    2. Use the Linux installation USB drive in persistent mode
    3. Install boot-repair
    4. Mount the encrypted Linux partition before running boot-repair
    5. Run boot-repair, it is mostly automatic, with a few prompts that give you some commands to run, read the prompts and run the commands.
    6. Now GRUB2 should run when the computer reboots. If it doesn’t then you need to consult the Linux community, because I don’t know what is wrong.

    I had trouble creating a “physical volume for encryption” because there was swap space on my USB drive. The solution is supposed to be disabling the swap space using “sudo swapoff -v -a”, but that didn’t help. This is actually a bug in the installer. Getting an updated installer didn’t help. So the final solution was for me to delete the swap partition.
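    Because swapoff alone did not satisfy the installer, the useful check is for any partition formatted as swap on the live USB, active or not. The following POSIX shell snippet is an added example (not from the original post) that parses /proc/swaps and lsblk output to find such partitions; it assumes the live USB is /dev/sdb (override with the first argument), and the sample outputs embedded in it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the original post: find swap living on the live
# USB before the installer's "physical volume for encryption" step.
# Assumes the live USB is /dev/sdb (first argument overrides it) and that
# /proc/swaps and lsblk exist on the live system. The functions read command
# output from stdin, so the constructed samples below work anywhere.

# active_swap_on DISK  <  /proc/swaps
# Prints active swap partitions whose device path begins with DISK.
active_swap_on() {
    awk -v disk="$1" 'NR > 1 && $2 == "partition" && index($1, disk) == 1 { print $1 }'
}

# swap_partitions_on DISK  <  lsblk -rno NAME,FSTYPE
# Prints every partition formatted as swap on DISK, active or not. This is
# the check that matters: the installer still objects after swapoff, so the
# partition itself has to be deleted (GParted, or fdisk/parted).
swap_partitions_on() {
    awk -v disk="$1" '$2 == "swap" && index("/dev/" $1, disk) == 1 { print "/dev/" $1 }'
}

# plan_swap_removal DISK SWAPS_TEXT LSBLK_TEXT
# Prints what to do for DISK; returns 1 if any swap partition is found there.
plan_swap_removal() {
    disk="$1"; swaps="$2"; blk="$3"; rc=0
    for part in $(printf '%s\n' "$blk" | swap_partitions_on "$disk"); do
        rc=1
        if printf '%s\n' "$swaps" | active_swap_on "$disk" | grep -qxF "$part"; then
            echo "swapoff $part    # still active"
        fi
        echo "delete $part     # swapoff alone is not enough, remove the partition"
    done
    [ "$rc" -eq 0 ] && echo "no swap on $disk, safe to continue"
    return $rc
}

# Constructed sample output (not from a real machine): /proc/swaps and
# "lsblk -rno NAME,FSTYPE" for a live USB at /dev/sdb carrying a swap
# partition. FSTYPE is blank for whole disks, so those lines have one field.
SAMPLE_SWAPS='Filename	Type	Size	Used	Priority
/dev/sdb3	partition	1048572	0	-1'
SAMPLE_LSBLK='sda
sda1 ntfs
sda2 ntfs
sdb
sdb1 vfat
sdb2 ext4
sdb3 swap'

DISK="${1:-/dev/sdb}"
if [ -r /proc/swaps ] && command -v lsblk >/dev/null 2>&1; then
    plan_swap_removal "$DISK" "$(cat /proc/swaps)" "$(lsblk -rno NAME,FSTYPE)" || true
else
    plan_swap_removal "$DISK" "$SAMPLE_SWAPS" "$SAMPLE_LSBLK" || true
fi
```

    On the sample data it reports /dev/sdb3 as both active and formatted as swap, which is exactly the case where running swapoff and then stopping would leave the installer unhappy; on a disk with no swap it prints that it is safe to continue.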

    During the creation of the “physical volume for encryption”, I had an error while it tried to create a keyfile. This turns out to be because I was running the installer in “live mode” instead of “persistent mode”, so it had trouble saving the file. Running in “persistent mode” solved the problem. But since the keyfile is created on the USB drive, I recommend securely erasing the USB drive after everything is done.

    Even though Windows will show up in the GRUB menu, booting into it from GRUB will never work once Windows is encrypted by TrueCrypt. Keep that in mind.

5 thoughts on “Alternative Way to Dual Boot TrueCrypt’ed Windows and Fully Encrypted Linux”

  1. articulos seo

    Simply wanna comment on few general things, The website design is perfect, the content material is very great. “The way you treat yourself sets the standard for others.” by Sonya Friedman.

  2. Jeff

    You wrote that after changing the Truecrypt-bootmessage (hide password-prompt) there is no way to use ESC to get to the bootmenu.
    That is not correct. There is an option in Truecrypt: System > Settings > Security Options:
    enable/disable ‘Allow pre-boot authentication to be bypassed by pressing the ESC key (enables boot manager)’

    I like this manual. I will try it sometime.

  3. Peter

    Hello,
    I restored a TC loader after boot-repair on Linux and Windows just screwed up. Loaders work like you described but Windows doesn’t. Recovery won’t work due to encryption, I suppose?
