TrueCrypt: Encrypt multiple Windows (system) partitions in a multiboot scenario

Discussion in 'privacy technology' started by yyzyyz, Jun 7, 2010.

Thread Status:
Not open for further replies.
  1. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    Background: TrueCrypt doesn't officially support encrypting more than one Windows system partition because of the limitations of the current design. As a result, many users who have multiple installations of Windows residing on the same hard drive (for example XP & 7) are limited to encrypting only one of these instances, thereby compromising their privacy/security. However, it is possible to encrypt all Windows partitions even with the official TrueCrypt distribution (no modifications needed), just by tweaking the boot-up sequence using the GRUB boot loader. A detailed how-to was posted on the TrueCrypt forum, but the thread was moved/deleted later for some unknown reason.

    This is a frequently requested feature on the TrueCrypt user forum, unfortunately the exact instructions on how to do this are no longer available anywhere. If there is enough interest in the community, this discussion could be continued here so that the relevant information is available to anyone who's inclined to try out this unofficial approach. Thoughts?

    _________________________________
    Edit by request to add the following:

    Detailed how-to is now posted here: http://yyzyyz.blogspot.com/2010/06/truecrypt-how-to-encrypt-multiple.html
     
    Last edited by a moderator: Jun 27, 2010
  2. Rudolf

    Rudolf Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    5
    Hi yyzyyz,

    I have sent you a PM with the original thread I archived. All the original instructions are intact :). I did not get a chance to post in the original thread but I hope we can continue the discussions here.

    As mentioned in the recent TC forum post, I have been using your method to dual boot XP and Windows 7 both encrypted on a single drive and it is working wonderfully.
     
  3. livre

    livre Registered Member

    Joined:
    Jun 3, 2010
    Posts:
    11
    Do you still have the text? Could you post it here?

    And I'm trying to encrypt a Linux and Windows XP setup, so that could help me.

    Thank you.
     
  4. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    I'm in the process of rewriting the guide - the process is a lot simpler now with recent updates to grub4dos. But it's really for encrypting multiple windows partitions on a hard drive. Is this what you're trying to do?
     
  5. livre

    livre Registered Member

    Joined:
    Jun 3, 2010
    Posts:
    11
    I mainly want to encrypt the Ubuntu GNU/Linux I use here.

    I was told that encrypting the entire Linux system with TrueCrypt is not possible, but it doesn't hurt to try...

    If I then encrypt only Windows, would Ubuntu remain as it is?

    Sorry for my writing, I'm using an automatic translator...

    Thank you.
     
  6. Rudolf

    Rudolf Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    5
    You cannot encrypt a Linux OS system partition with Truecrypt - http://www.truecrypt.org/docs/?s=sys-encryption-supported-os

    If you encrypt the Windows system partition, Ubuntu will remain unencrypted.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You can achieve full disk encryption with Ubuntu by downloading, burning, and installing from the alternate CD. Once you have the alternate CD, follow this guide.
     
  8. korj

    korj Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    5
    Hi,

    I'm planning to install a triple boot system on a single hard drive (XP, Win7 and Ubuntu).


    hdd structure:

    -----------------------------------
    primary partition XP

    extended partition
    logical partition Win7
    logical partition /boot
    logical partition Ubuntu
    logical partition /home
    logical partition Ext3 (data)
    logical partition swap

    primary partition ntfs (data)

    primary partition ntfs (data)
    -----------------------------------


    XP and Win7 should be encrypted with TC (and dm-crypt for Ubuntu drives). only /root remains unencrypted.

    I assume that the MBR will be overwritten at least twice with TC bootloaders.
    I'm not sure, but AFAIK theoretically the TC bootloaders could be moved from the MBR to /root and then Grub (or maybe Grub2 ??) could call them (by adding chainloader to menu.lst). This way Grub could overwrite the MBR and then let me choose between XP, Win7 and Ubuntu.

    Possible Problems:
    Due to a TC (and XP) limitation, only the primary partitions would be accessible in XP. This limitation is redundant.
    Win7 boot complications due to the given hard drive structure.

    I would like to know if my assumptions are correct (I'm a linux novice). I'd appreciate any opinions/advice you can give on this.
     
  9. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    It would be much easier (in fact, I don't even know if it would be possible otherwise) to do this if you moved Win7 to the primary partition and moved one of the data partitions to a logical drive. Any particular reason for not doing this?
     
  10. korj

    korj Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    5
    I would like to separate programs and data (if possible). The first data partition would be the program partition (XP and Win7) and the second one shared between the three systems. So if I move one of them to the logical partition, it would be inaccessible in XP.
     
  11. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    Unless I'm missing something, you have this restriction only in case of WDE (whole disk encryption). The fact that you are planning to have linux partitions rules out WDE anyways. You could have both XP and 7 in primary partitions, and move both the data partitions to the extended partition and still be able to access them from XP as well as 7. However, here's what you won't be able to do using this method:
    - Boot XP and access data on the encrypted Win7 partition (and vice versa)
    - Boot Linux and access data on the encrypted XP and 7 partitions simultaneously. You'll only be able to mount them one at a time.

    As a side note, I don't think it's a good idea to have a shared programs folder between XP and 7 (unless it's PortableApps or something).
     
  12. korj

    korj Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    5
    You're right. I have tested the case on my system and it works without any problems.

    "On Windows XP/2003, TrueCrypt does not support encrypting an entire system drive that contains extended (logical) partitions. You can encrypt an entire system drive provided that it contains only primary partitions. Extended (logical) partitions must not be created on any system drive that is partially or fully encrypted (only primary partitions may be created on it)."

    Looks like I misunderstood the truecrypt documentation or at least took it too seriously.
    And yes most of the programs I use are portable.

    Thanks for the advice. The first point was clear, but I didn't even know that the second one was possible.

    I'm still not sure about using multi-boot option in truecrypt.
    If I'm right, it only moves the bootloader out of mbr (or to be more specific, it prevents overwriting the mbr). So it's not useful for saving the bootloader and moving it to /boot partition.

    Is it possible to install and encrypt the 2 systems (XP, Win7) independently without corrupting anything?
    I have an idea how to do it, but I'm not sure if it would work.
     
    Last edited: Jun 14, 2010
  13. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    Of course it's possible - that's what this thread is all about.

    To give you an idea how this works, when you encrypt a Windows system partition, TrueCrypt stores its volume header in the last sector of Track 0 (0x3E) of the hard drive. If you try to encrypt a second Windows partition, this location will be overwritten by the volume header corresponding to the second partition. Since the TrueCrypt boot loader always reads the volume header from this location, it will no longer be able to decrypt the first partition. To get around this problem, we create file backups of the volume header and the MBR for both of these partitions in an unencrypted boot partition. Then we set up grub4dos in the boot partition such that, depending on the user selection (XP or 7), it restores the corresponding volume header, activates that partition and chainloads the TrueCrypt MBR to continue the boot process with pre-boot authentication.

    As I mentioned earlier, I'm in the process of rewriting this guide and will be posting it soon - stay tuned.
     
  14. centaurian

    centaurian Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    1
    ;) Thank you for your work. I look forward to it. I'm planning to move encrypted XP to new much bigger HDD and do new install of Windows 7 x64 (encrypted too) and Ubuntu (of course unencrypted).

    Sorry for bad English.
     
  15. korj

    korj Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    5
    Thanks! now I have all the information needed to do it.
     
  16. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    First post updated with the link to the detailed How-To. Thanks!
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    /root doesn't have to remain unencrypted. If you use the Ubuntu alternate install CD and follow this guide, you can encrypt all ubuntu partitions (except for /boot).

    Though I admit I am not sure how well this will play with other partitions encrypted with TC or how the bootloader will come into play.
     
  18. korj

    korj Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    5
    Wow, what a typo! I meant /boot.

    I'm using Grub4dos in much the same way yyzyyz has described and it chainloads to Grub2.

    @yyzyyz

    Good tutorial! Nice job.

    I would suggest to get the custom track0 for each OS and use the compare command (cmp) to avoid unnecessary overwriting.
    Something like this:

    Code:
    title Windows XP
    # (hd0)+63 is a blocklist for the first 63 sectors (track 0); cmp succeeds only if the
    # saved track 0 is identical. "||" runs the following command only when they differ,
    # so a repeat boot of XP rewrites nothing (assuming track0custom.winxp was captured
    # after this entry's changes had been applied).
    cmp (hd0,0)/boot/track0custom.winxp (hd0)+63 || hide (hd0,2)
    cmp (hd0,0)/boot/track0custom.winxp (hd0)+63 || unhide (hd0,1)
    rootnoverify (hd0,1)
    cmp (hd0,0)/boot/track0custom.winxp (hd0)+63 || makeactive
    # put XP's volume header back into sector 62 (0x3E), where the TrueCrypt loader reads it
    cmp (hd0,0)/boot/track0custom.winxp (hd0)+63 || dd if=(hd0,0)/boot/vhdr.winxp of=(hd0) seek=62
    chainloader (hd0,0)/boot/tcmbr.winxp
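The mechanism yyzyyz describes in post 13 and korj's menu entry above, as an added example that is not from the guide or from anyone in this thread: a Python model of the disk state. It builds a constructed 63-sector track 0 with three NTFS partitions laid out like Sneiv's (boot on (hd0,0), XP on (hd0,1), Win7 on (hd0,2)), uses random bytes in place of the real TrueCrypt headers (an encrypted header is indistinguishable from random data anyway), and replays cmp / hide / unhide / makeactive / dd on the image. The partition LBAs and sizes are made up, and the one assumption worth stating is that each OS's saved track 0 is captured in the state the menu entry leaves the disk in, which is what makes the cmp check idempotent.

```python
"""Model of the track-0 juggling from this thread (added example, not the guide's code).

A constructed 63-sector track 0 plus a few spare sectors stands in for the disk; sector 62
(0x3E) is where TrueCrypt keeps the system-encryption volume header, and sector 0 is the MBR
whose partition table lives at offset 0x1BE. Headers are random bytes (constructed);
partition LBAs/sizes are made up."""
import os
import struct

SECTOR = 512
TRACK0_SECTORS = 63      # (hd0)+63 in grub4dos: sectors 0..62
VHDR_SECTOR = 62         # dd ... of=(hd0) seek=62
PT_OFFSET = 0x1BE        # four 16-byte partition entries
HIDDEN_FLAG = 0x10       # bit GRUB's hide/unhide toggles in the type byte (0x07 -> 0x17)


class Disk:
    """Raw image plus the grub4dos commands the menu entry uses."""

    def __init__(self, partitions):
        # partitions: [(type, first_lba, sector_count), ...] -> written into the MBR
        self.img = bytearray(SECTOR * (TRACK0_SECTORS + 8))
        self.writes = 0
        for i, (ptype, lba, count) in enumerate(partitions):
            struct.pack_into("<B3sB3sII", self.img, PT_OFFSET + 16 * i,
                             0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        self.img[510:512] = b"\x55\xaa"          # MBR boot signature

    def sector(self, n):
        return bytes(self.img[n * SECTOR:(n + 1) * SECTOR])

    def track0(self):
        return bytes(self.img[:SECTOR * TRACK0_SECTORS])

    def entry(self, idx):
        off = PT_OFFSET + 16 * idx
        return {"boot": self.img[off], "type": self.img[off + 4]}

    def write_sector(self, n, data):       # dd if=FILE of=(hd0) seek=n
        assert len(data) == SECTOR
        self.img[n * SECTOR:(n + 1) * SECTOR] = data
        self.writes += 1

    def hide(self, idx):                   # hide (hd0,idx)
        self.img[PT_OFFSET + 16 * idx + 4] |= HIDDEN_FLAG
        self.writes += 1

    def unhide(self, idx):                 # unhide (hd0,idx)
        self.img[PT_OFFSET + 16 * idx + 4] &= 0xFF ^ HIDDEN_FLAG
        self.writes += 1

    def makeactive(self, idx):             # rootnoverify (hd0,idx) + makeactive
        for i in range(4):
            self.img[PT_OFFSET + 16 * i] = 0x80 if i == idx else 0x00
        self.writes += 1


def snapshot(disk):
    """The three per-OS files the guide keeps in the unencrypted boot partition."""
    return {"tcmbr": disk.sector(0), "vhdr": disk.sector(VHDR_SECTOR), "track0": disk.track0()}


def boot_entry(disk, snap, this_idx, other_idx):
    """Replay one menu.lst entry; returns the MBR image that chainloader would run."""
    if disk.track0() != snap["track0"]:    # cmp ... || : touch the disk only when needed
        disk.hide(other_idx)
        disk.unhide(this_idx)
        disk.makeactive(this_idx)
        disk.write_sector(VHDR_SECTOR, snap["vhdr"])
    if disk.sector(VHDR_SECTOR) != snap["vhdr"]:
        raise RuntimeError("sector 62 does not hold this OS's header; the TC loader would fail")
    return snap["tcmbr"]


def build_scenario():
    """Encrypt XP on (hd0,1), then Win7 on (hd0,2): the second run clobbers XP's header."""
    disk = Disk([(0x07, 63, 2048), (0x07, 2111, 8192), (0x07, 10303, 8192)])
    hdr_xp, hdr_7 = os.urandom(SECTOR), os.urandom(SECTOR)   # constructed headers
    saved = {}
    for name, idx, other, hdr in (("xp", 1, 2, hdr_xp), ("win7", 2, 1, hdr_7)):
        disk.makeactive(idx)                 # state the menu entry will recreate later
        disk.hide(other)
        disk.unhide(idx)
        disk.write_sector(VHDR_SECTOR, hdr)  # "TrueCrypt encrypted this OS"
        saved[name] = snapshot(disk)
    return disk, saved, hdr_xp, hdr_7


if __name__ == "__main__":
    disk, saved, hdr_xp, hdr_7 = build_scenario()
    print("after encrypting Win7, sector 62 holds XP's header:", disk.sector(VHDR_SECTOR) == hdr_xp)
    boot_entry(disk, saved["xp"], 1, 2)
    print("after the XP entry, sector 62 holds XP's header:  ", disk.sector(VHDR_SECTOR) == hdr_xp)
    before = disk.writes
    boot_entry(disk, saved["xp"], 1, 2)
    print("writes on a repeat XP boot:", disk.writes - before)
```

Running it reproduces the failure mode from the thread (after Win7 is encrypted, sector 62 no longer holds XP's header), shows the entry repairing it, and shows that selecting the same OS a second time rewrites nothing because the track-0 comparison matches. The same 0x1BE partition-table parsing is what you would check with a hex editor before doing any of this on a real disk.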
     
  19. Rudolf

    Rudolf Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    5
    Thank you for the new guide yyzyyz. I will try the new method the next time I reinstall my OS.

    I appreciate your efforts :)
     
  20. axium

    axium Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    1
    First off, I am new to the variations of what TC can do... I have used it for years, but:

    I have a situation at a friends house that involves the following:

    He has a desktop with an external drive with a TC file on it that is on xp OS;

    He also has a laptop with windows 7, and another desktop with xp;

    I shared the drive letter through windows that contains the TC file;

    I tried to mount the TC file from the other networked computers to no avail. I get a message that says "the file is in use; enter a new name or close the file that is open". I have read that sharing the TC file is not supported/is very difficult to do. I was wondering how to get the TC file shared over a network with a password and whether this is possible. I saw the link that is posted directing to a procedure, but what I don't know is if that is what I need to do.

    Also, if there is a better way to do all of this he is very open. This is all happening on fresh copies of OS's. Does he need to TC the whole drive?

    He wants to mount the TC file on multiple computers is all.

    I hope this isn't a challenge to reply to. I'd be grateful for any ideas, as this would give me a basis to help solve the problem through other means.

    Axium
     
    Last edited: Jul 23, 2010
  21. Sneiv

    Sneiv Registered Member

    Joined:
    Sep 17, 2010
    Posts:
    1
    Hi,

    I followed yyzyyz's guide up to the point where it describes that I need to:
    As I don't have much practice in advanced disk encryption and manipulation, I would be pleased if someone could tell me which disk editor is suitable for use from within a Linux live CD and which steps I need to take to edit the MBR.

    Alternatively there would also be the possibility to access the drive from an external OS (W7, XP, Linux).

    I am trying to set up a system with the kind of structure korj mentioned before:

    -----------------------------------
    primary partition boot (NTFS)
    primary partition XP (crypted NTFS)
    primary partition Win7 (crypted NTFS)
    logical partition shared (NTFS (not yet crypted))
    logical partition Ubuntu (ext3)
    logical partition swap
    -----------------------------------
    At the moment I have set up an encrypted XP and Win7 system as mentioned in the tutorial, and when finished I will try to get the alternate version of Ubuntu 10.4 running on the device as a third OS.

    PS: sorry for my broken language, I am not a native speaker.
     
  22. akartavt

    akartavt Registered Member

    Joined:
    Oct 8, 2010
    Posts:
    1
    Hi,

    I have tried to use the above method to encrypt two Windows 7 partitions (one for work and one for testing; one of them is a clone of the other) and encountered the following problem: after entering the correct password, I get the message "bootmgr is missing, please press ALT+CTRL+DEL to reboot". Could you help me to resolve this issue?

    Here are some details on my system:

    1 hard drive with 4 primary partitions

    sda1 - factory backup
    sda2 - boot
    sda3 - Windows 7 (work)
    sda4 - Windows 7 (test)

    - I have cloned the Windows 7 version that came with the laptop (I have neither the installation CD nor a CD-ROM :) ) from sda3 to sda4 and used easyBCD to add the second Windows to the start menu.

    - Next I encrypted the system on sda4, extracted track0, vhdr and tcmbr and stored them in the boot partition.

    - Next I installed the custom MBR and grub4dos (copied grldr to the root directory and renamed it to bootmgr), booted the system on sda3 and encrypted it. After that I extracted track0, vhdr and tcmbr for this Windows installation and again saved them in boot.

    - After having installed the custom MBR code and edited the menu.lst file I can get to the "please enter password" page.

    The problem is that after entering the password I get the message "bootmgr is missing". I suppose this is because TrueCrypt is trying to chainload the Windows boot manager, which has been replaced by grub4dos.

    Is there any solution to this problem ?
     
  23. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    You mentioned that you used easyBCD to add second windows to the start menu. If you carefully go through the method I detailed, you'll realize it works on standalone windows installations (i.e., that have their bootloader reside on the same partition). I'm not too sure if that's the case here...

    Also, are you able to boot one of the two instances or none at all?
     
  24. wizeltop

    wizeltop Registered Member

    Joined:
    Feb 26, 2011
    Posts:
    1
    Hi,

    Thanks for your guide, it is well laid out. I spent a day working through it, given some of the low-level operations that were unfamiliar to me. Anyway, I have 2 Windows 7 installations, Alpha and Beta, that I installed following your steps religiously. I have the grub boot menu come up, I select the first installation (alpha), I get the TrueCrypt prompt and then an error message:

    Windows Boot Manager

    Windows failed to start. A recent hardware or software change might be the cause to fix...bla bla.... status 0x0c000000e Info: The boot selection failed because a required device is inaccessible.

    The second install (beta) loads flawlessly

    Any ideas what might be the problem? The only thing I can think of is the ATI control center and driver I installed on the second install (beta) while waiting for it to encrypt; could this have flashed the BIOS, causing alpha to have a hw conflict of some kind?

    Also I was wondering what modifications to the steps you would make if only one installation is to be encrypted and the other not.

    Your guide is excellent, a couple of suggestions though to make it really dummy-proof: it goes a bit light on the mbr.bin stuff in steps 1, 2, 3, and a suggestion for a good disk editor would be nice.

    Thanks!
     
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Nevermind.
     