TrueCrypt: Encrypt multiple Windows (system) partitions in a multiboot scenario

Discussion in 'privacy technology' started by yyzyyz, Jun 7, 2010.

Thread Status:
Not open for further replies.
  1. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I tried to give multiboot truecrypt a go, with errors galore; I've since just moved into the virtual realm, where my main OS is linux and I can load up windows 7 etc in a VM environment. This way Truecrypt is happy, and I am happy that my hard drive is encrypted.
     
  2. tanesiir

    tanesiir Registered Member

    Joined:
    May 5, 2011
    Posts:
    1
    First of all, I have not tried this all the way through (didn't actually write
    mbr.modified.bin into the MBR), but I see no reason why it wouldn't work.

    Why not modify a copy of mbr.bin before dd'ing it into MBR?
    You could do it with emacs' hexl-find-file but any hexeditor would work.
    This avoids the hexediting of the raw disk altogether (which
    just gives me shivers as a matter of principle, especially since the
    guide didn't spell it out as explicitly as the other parts).

    Also, as an alternative to a hexeditor, I am sure something like

    cp mbr.bin mbr.modified.bin
    # printf emits the raw byte 0x01; bash's builtin echo would write a literal backslash instead
    printf '\001' | dd of=mbr.modified.bin bs=1 seek=405 count=1 conv=notrunc
    dd if=/mnt/sda1/boot/mbr.modified.bin of=/dev/sda

    would work just fine.

    Probably (with a light modification) the echo line above could be used as
    a single byte hexeditor in the place of the

    Next, open the MBR (LBA 0x00) in a disk editor and change byte
    at offset 0x0195 from 0 to 1


    in the original guide:

    printf '\001' | dd of=/dev/sda bs=1 seek=405 count=1 conv=notrunc

    Before using any of the ideas above, I would go consult someone who
    knows more about dd and MBR. That person is not me, I am just speculating.
     
  3. gabbsmith

    gabbsmith Registered Member

    Joined:
    Sep 28, 2011
    Posts:
    1
    Does your explanation from http://yyzyyz.blogspot.com/2010/06/truecrypt-how-to-encrypt-multiple.html apply the same for three partitions? I mean:
    1 hard drive with 4 primary partitions as follows:

    sda1 - factory backup - use as boot
    sda2 - Windows XP - unencrypted - decoy
    sda3 - Windows XP - truecrypt-ed - business use
    sda4 - Windows XP - truecrypt-ed - private use

    I am in the process of building this, so I need an answer very quick.

    BTW, I use Truecrypt 7.1, Knoppix 6.7, grub4dos-0.4.4; this is what I've found today....

    Edit: I've tried this a few times, and it works only in part. Some of the steps don't work very well with the versions or programs I have. Knoppix 6.7 does not create the directory automatically for this step "mount -t ntfs-3g /dev/sda1 /mnt/sda1"; I had to login as root and create it.
    I had a hard time finding a good and easy MBR/Disk editor. The one that worked for me was http://apps.tempel.org/iBored/. I followed every step described, and I customized the "menu.lst" with the appropriate addresses and names, so the boot menu worked.
    Then, something was killing the first installation when I did the second one. I can boot into every partition, but the first encrypted one hangs for a few seconds with this message "autochk program not found, skipping autocheck", and then the computer reboots. What is this message and where does it come from?

    I've tried mounting it from outside, but it doesn't work; I can mount the second encrypted partition, but not this one.

    What can I do now? I need this computer tomorrow, so I had to install an additional HDD for the second encrypted partition. But if there is a solution, I would really appreciate it!
     
    Last edited: Sep 30, 2011
  4. ignaz

    ignaz Registered Member

    Joined:
    Nov 8, 2011
    Posts:
    1
    A heads up for anyone experiencing similar problems with Truecrypt 7.1:

    Being familiar with the whole process in setting up a number of computers with this scheme, it struck my attention that recently I couldn't get to boot the first operating system (second partition as per the guide) after installing Truecrypt 7.1. I have seen reports of similar problems in this thread. Boot would hang while trying to load the first operating system, but work normally with the rest. Retrying with Truecrypt 7.0a did the trick (I had the installer on a backup drive; hopefully the installers on the official site have no [breaking] changes).
     
  5. yyzyyz

    yyzyyz Registered Member

    Joined:
    Jun 5, 2010
    Posts:
    9
    I don't use this method anymore, but I was curious to find out what might have changed in v7.1 that would cause this to not work properly. I recreated the same setup (BOOT-XP-7) in a virtual machine, encrypted both the system partitions and have no issues booting into either of the operating systems.

    Also, I'm not sure how exactly you downgraded to v7.0a if you weren't able to boot into XP at all? Do you remember where it was failing and what error you were seeing? Perhaps it was some other issue...
     
  6. coolnicklas

    coolnicklas Registered Member

    Joined:
    Dec 12, 2011
    Posts:
    2
    Location:
    Sweden
    yyzyyz: I have followed your guide with the exception of installing Grub4dos on a USB-stick instead of using the customized MBR bootstrap. I also use two XP partitions instead of a Win 7 partition. Thanks a lot for your detailed guide.

    My menu.lst looks a bit different since booting from a USB-device adds some extra work:

    title Windows XP 1
    map (hd0) (hd1)
    map (hd1) (hd0)
    map --hook
    hide (hd0,1)
    unhide (hd0,0)
    rootnoverify (hd0,0)
    makeactive
    dd if=(hd1,0)/vhdr.winxp1 of=(hd0) seek=62
    chainloader (hd1,0)/tcmbr.winxp1

    title Windows XP 2
    map (hd0) (hd1)
    map (hd1) (hd0)
    map --hook
    hide (hd0,0)
    unhide (hd0,1)
    rootnoverify (hd0,1)
    makeactive
    dd if=(hd1,0)/vhdr.winxp2 of=(hd0) seek=62
    chainloader (hd1,0)/tcmbr.winxp2

    Why the mapping needs to be executed is described here:
    http://forums.truecrypt.org/viewtopic.php?t=18882&postdays=0&postorder=asc

    Everything works except I get the same error as gabbsmith; the first system gets corrupted and during Windows boot the message "autochk program not found, skipping autocheck" is followed by a BSOD (c000021a)

    It feels like it is very close to get this setup working. Any help to solve this is very appreciated!
    /Nicklas
     
  7. coolnicklas

    coolnicklas Registered Member

    Joined:
    Dec 12, 2011
    Posts:
    2
    Location:
    Sweden
    Problem solved: The partition type for the first Windows XP partition had been set to 97 (linux hidden). I used a paragon rescue disk to change the partition type to 0x17 (hidden ntfs) and now it works perfectly.

    The first partition got the wrong type ID when I used gparted within Ubuntu Live to hide the partition as a preparation for installation of the second XP installation. Use another tool to explicitly hide the partition by setting the type ID to 0x17.

    If any want to try the setup with Grub4dos installed on a USB-stick, follow the instructions here:

    http://it.dennyhalim.com/2009/02/install-grub4dos-make-usb-bootable-from.html
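    As an added example (not code from the thread or from yyzyyz's guide), the Python script below works on a copy of mbr.bin the way tanesiir suggests and also shows the partition-type detail coolnicklas ran into: it parses the four partition-table entries of a 512-byte MBR image, reports each type byte (0x07 NTFS versus 0x17 hidden NTFS, i.e. the 0x10 bit that grub4dos's hide/unhide toggles), patches offset 0x0195 on a copy while refusing any offset inside the partition table or boot signature, and flips the hidden bit on a copy. The sample MBR, its partition layout and all function names are constructed for this example; it assumes mbr.bin is a full 512-byte image ending in the 0x55AA signature.

```python
"""Inspect and patch a copy of a 512-byte MBR image (added example, constructed data)."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
GUIDE_PATCH_OFFSET = 0x195       # the byte the guide changes in mbr.bin (405 decimal, dd seek=405)
HIDDEN_BIT = 0x10                # DOS convention: 0x07 (NTFS) becomes 0x17 (hidden NTFS)

PART_TYPE_NAMES = {              # small subset, enough for this thread's layouts
    0x05: "Extended", 0x07: "NTFS/HPFS/exFAT", 0x0F: "Extended (LBA)",
    0x17: "Hidden NTFS", 0x83: "Linux",
}


def parse_partition_table(mbr):
    """Return the non-empty partition entries of a 512-byte MBR image as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR image")
    entries = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, offset)
        if ptype == 0:           # empty slot
            continue
        entries.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "name": PART_TYPE_NAMES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def patch_copy(mbr, offset, value):
    """Return a patched copy of the image; refuse to touch the partition table or signature."""
    if not 0 <= offset < PART_TABLE_OFFSET:
        raise ValueError("offset 0x%x lies outside the bootstrap code area" % offset)
    patched = bytearray(mbr)
    patched[offset] = value
    return bytes(patched)


def set_hidden(mbr, index, hidden):
    """Return a copy with partition `index` marked hidden or visible via the 0x10 type bit."""
    type_offset = PART_TABLE_OFFSET + index * ENTRY_SIZE + 4   # type byte is the 5th of 16
    patched = bytearray(mbr)
    ptype = patched[type_offset]
    if ptype == 0:
        raise ValueError("partition slot %d is empty" % index)
    patched[type_offset] = (ptype | HIDDEN_BIT) if hidden else (ptype & ~HIDDEN_BIT)
    return bytes(patched)


def build_sample_mbr():
    """Constructed sample: zeroed boot code, three partitions, valid signature."""
    mbr = bytearray(MBR_SIZE)
    layout = [  # (status, type, lba_start, sector_count) -- constructed values
        (0x80, 0x07, 63, 2097152),         # slot 0: active NTFS boot partition
        (0x00, 0x17, 2097215, 20971520),   # slot 1: hidden NTFS (an OS hidden from the other)
        (0x00, 0x07, 23068735, 20971520),  # slot 2: visible NTFS
    ]
    for index, (status, ptype, lba, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET + index * ENTRY_SIZE,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for part in parse_partition_table(sample):
        print("slot %d active=%-5s type=0x%02x %-16s start=%d sectors=%d" % (
            part["index"], part["active"], part["type"], part["name"],
            part["lba_start"], part["sectors"]))
    patched = patch_copy(sample, GUIDE_PATCH_OFFSET, 1)
    print("byte 0x%x: %d -> %d" % (GUIDE_PATCH_OFFSET, sample[GUIDE_PATCH_OFFSET],
                                   patched[GUIDE_PATCH_OFFSET]))
```

    To use it on a real file, read mbr.bin with open(..., "rb"), run parse_partition_table on it before and after patch_copy to confirm the table is byte-for-byte unchanged, and only then write the patched copy out; the refusal in patch_copy is there because offset 0x0195 is inside the bootstrap code, and a typo that lands in the table would silently rewrite a partition entry.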
     
  8. mercur79

    mercur79 Registered Member

    Joined:
    Feb 28, 2012
    Posts:
    1
    Location:
    Hungary
    Hi there
    What is the situation when I want to change the password for one of the partitions?
    I set up my system based on your howto, but used dummy passwords during the process. I thought that I would be able to change the password later.
    Naturally I am not :)
    Although I can change the password, it won't have any effect, as the vhdr is reset at every start.
    The interesting thing is that when I change a password, then boot from a pendrive, create backups of the vhdr, tcmbr and track0 in the boot directory on the boot partition (backing up the original backups), and grub4dos uses the newly created backups (basically doing the same process as when I encrypted the system), the system (with the changed password) is unable to boot. I always get back to the Grub menu.
    What can be the problem?
     
  9. AdrianK_IT

    AdrianK_IT Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    3
    Location:
    UK
    I'd appreciate clarification of the phrase 'symmetric encryption algorithm' in the 'How To ... ', please. Are some of the encryption algorithms offered in Truecrypt not symmetric, and therefore not suitable? If so, which, please? With thanks.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    They're all Symmetric. Asymmetric would require Public/Private keys.

    PD
     
  11. AdrianK_IT

    AdrianK_IT Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    3
    Location:
    UK
    Thanks, PaulyDefran, I should have realised - that phrase just spooked me, made me think there was something about the choices to be made when system encrypting with Truecrypt I didn't understand. I assume using the 'same' encryption algorithm is significant, though?
     
  12. AdrianK_IT

    AdrianK_IT Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    3
    Location:
    UK
    First, many thanks to yyzyyz for the 'howto' and the mbr.bin file.

    Adapting the advice, I have managed to system-encrypt a pre-existing multiboot PC (Vista on C:, Seven on D:). The main complication in doing this is that the Windows installations are not independent, they share a BCD store on C:, so I set out first to use the Grub4Dos/hidden partition route to solve that problem. I was also keen to do it one OS at a time; I didn't want to be left PC-less in case it all went wrong!

    That is, the plan was:
    a. Separate the OSs, so each boots via Grub4Dos using its own BCD store.
    b. Encrypt one OS partition, so I can boot that via TC, the other normally.
    c. (If that works) encrypt the second OS partition, so both boot via TC.

    I got to b. on the first attempt (encrypting Vista), but hit a snag with Seven. The pretest failed; after entering the password, and getting the 'Booting ... ' message, the process stalled. I had created my boot partition after the two OS ones, and this apparently falls foul of TC's expectation of the default Seven installation setup, ie it boots from a partition preceding it on the disk. (See TC Troubleshooting page.)

    So, I restored everything to the pre-existing state, created a boot partition between Vista and Seven, and tried again, and this time it worked (encrypting Seven first this time). The following is my log of the steps taken:

    Initial state of main disk: Vista on 1st partition (C:), Seven on 2nd partition (D:), visible to each other, followed by unallocated space. (Note: I have given the relevant TC files different names from those used by yyzyyz; I don't like random .suffixes in Windows, they get interpreted as file extensions!)

    Requirements:
    a. BIOS set up (temporarily) to boot from CD first, then main (hard) disk
    b. Partitioner eg Easeus Partition Master v9.1.1
    c. Grub4Dos (Recommended version: Grub4Dos-0.4.5b-2011-08-25)
    d. yyzyyz's 'mbr.bin' file
    e. 'SRCD': Linux Live CD eg SystemRescueCD v2.7.1

    Stage 1: Create independent Windows installations
    01. (From Vista, using Easeus) Move/resize a partition to leave (> 1GB) unallocated space between the Vista and Seven partitions
    02. (From Vista, using Disk Management) Create an NTFS 'Boot' partition with the new unallocated space, giving it a free drive letter
    03. (From Seven) Allocate Boot partition the same drive letter
    04. (From Seven) Extract Grub4Dos files, copy 'grldr' to Boot partition and rename it 'bootmgr'
    05. (From Seven) Create a Boot\boot folder, and create the following (empty, text) files in it: vistahdr, vistambr, sevenhdr, sevenmbr, track0-1, track0-2, track0-3
    06. (From Seven) Copy 'mbr.bin' into Boot\boot
    07. (From Seven) Create the following menu.lst file in the (root of the) Boot partition:

    title Windows Vista
    hide (hd0,2)
    unhide (hd0,0)
    rootnoverify (hd0,0)
    makeactive
    chainloader /bootmgr

    title Windows Seven
    hide (hd0,0)
    unhide (hd0,2)
    rootnoverify (hd0,2)
    makeactive
    chainloader /bootmgr

    title Reboot
    reboot

    08. (From SRCD) (Mount Boot) and 'dd' mbr.bin to main disk
    09. (From SRCD) (Unmount Boot) and 'lde' the main disk, changing the value at 0x0195 to 02 (from 00)
    10. (From SRCD) (Mount Boot) and 'dd' first track of main disk to file in Boot\boot (track0-1)
    11. (From SRCD) (Mount C: & D:) and copy (folder) C:\boot to D:\boot, and (file) C:\bootmgr to D:\bootmgr
    12. Reboot to Grub4Dos, choose Windows Vista; this will lead to the original Windows boot menu.
    13. Choose Windows Vista; when logged in, check that the Seven partition is hidden, then amend BCD entries so that Boot Manager and Boot Loader both only refer to Vista, on the correct drive letter
    14. Reboot to Grub4Dos; choose Windows Seven; this will lead to the original boot menu
    15. Choose Windows Seven; when logged in, check that the Vista partition is hidden, then amend BCD entries so that Boot Manager and Boot Loader both only refer to Seven, on the correct drive letter
    16. Each OS should now boot directly from its entry in the Grub4Dos menu. Additional entries (eg to boot Linux) can be added to either the Grub4Dos menu, or one (or both) of the BCD stores

    Stage 2: Encrypt Seven
    17. (From Seven) Truecrypt system encrypt following normal procedure for a single-boot system
    18. (From SRCD) (Mount Boot) and 'dd' the Truecrypt MBR and volume header to files in Boot\boot (sevenmbr and sevenhdr)
    19. (From SRCD) 'dd' Boot\boot\mbr.bin to main disk
    20. (From SRCD) (Unmount Boot) and 'lde' the main disk, changing the value at 0x0195 to 02 (from 00)
    21. (From SRCD) (Mount Boot) and 'dd' first track of main disk to Boot\boot\track0-2
    22. (From SRCD) Replace the 'chainloader' line in menu.lst Seven entry with these two lines:

    dd if=(hd0,1)/boot/sevenhdr of=(hd0) seek=62
    chainloader (hd0,1)/boot/sevenmbr

    23. Reboot to Grub4Dos, and choose either Vista (normal boot) or Seven (needs Truecrypt password)

    Stage 3: Encrypt Vista
    24. (From Vista) Truecrypt system encrypt following normal procedure for a single-boot system
    25. (From SRCD) (Mount Boot) and 'dd' the Truecrypt MBR and volume header to files in Boot\boot (vistambr and vistahdr)
    26. (From SRCD) 'dd' Boot\boot\mbr.bin to main disk
    27. (From SRCD) (Unmount Boot) and 'lde' the main disk, changing the value at 0x0195 to 02 (from 00)
    28. (From SRCD) (Mount Boot) and 'dd' first track of main disk to Boot\boot\track0-3
    29. (From SRCD) Replace the 'chainloader' line in menu.lst Vista entry with these two lines:

    dd if=(hd0,1)/boot/vistahdr of=(hd0) seek=62
    chainloader (hd0,1)/boot/vistambr

    30. Reboot to Grub4Dos, and choose either Vista or Seven (both need Truecrypt password)

    I have one outstanding issue. From neither OS can I change the 'System Settings' so the TC boot menu does not display, or (if it does display) disallows use of the 'Esc' key. In each case 'The required version of the Truecrypt Boot Loader is currently not installed'. Since this happens on both OS it would suggest this functionality has been removed by mbr.bin. Any ideas?
     
  13. bobbybriggs

    bobbybriggs Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    1
    Location:
    Hungary
    Hi There,

    first of all, many thanks to yyzyyz for that tricky, yet robust method!

    I've originally used the following guides:
    http://yyzyyz.blogspot.hu/2010/06/truecrypt-how-to-encrypt-multiple.html
    http://yyzyyz.blogspot.hu/2010/06/custom-mbr-ignore-active-flag-bootstrap.html

    for building an unencrypted win7 and truecrypted winxp dualboot scenario (corporate and private laptop in one), and for around a year it worked beautifully...
    but now (2012 q2) no more... I used ntfs (win7/winxp formatted) for the boot partition, and suddenly I discovered that the lately created win7/winxp ntfs partitions drop a "read error" message while booting, in case the truecrypted ntfs partition is active (boot flag), BEFORE loading the desired bootmgr/ntldr (in this case grldr renamed).
    my solution in this case was creating the ntfs part/fs from linux (mkfs.ntfs) (knoppix644).

    so the desired boot chain was:
    ->cracked mbr.bin->hardwired(0x0195) primary ntfs partition->bootmgr/ntldr file, which is grldr->start up grub4dos->continue boot

    and in case of a winxp/win7 created ntfs boot part, with the truecrypted ntfs part active, the boot chain was:
    ->cracked mbr.bin->hardwired primary ntfs partition->read error message

    I've spent a few hours to discover this, hope it'll be useful for someone.

    have fun!

    salute

    ps.: if I'm not the first coming up with this problem, I apologize, but it's really early for me now, I don't read the older posts :S
     
  14. trabandura

    trabandura Registered Member

    Joined:
    Sep 23, 2012
    Posts:
    1
    Location:
    Barbados
    Guys, thank you very much for the info here! I used yyzyyz's commands, but I felt his way to backup the volume header was very uncomfortable - wait for the loading of the Live Linux CD and etc. I noticed the size of TrueCrypt's recovery cd is the same every time I build it. I realized that TrueCrypt puts the volume key header at a specific address in the ISO file. After a little search I found this magical address 0x14c00 :D So I modified yyzyyz's command in this way:

    dd if=(hd0,0)/truecrypt.iso of=(hd1) bs=512 count=1 skip=166 seek=62

    where (hd0,0) is the USB from which I boot and (hd1) is the HDD where the operating systems are.

    You must have one legal operating system (in my case Windows XP licensed) on the 1st active partition, from which the PC will boot every time! Also you must remove the TrueCrypt boot loader from the HDD, because you don't want someone to see it there (in my case with Paragon Hard Disk Manager -> Update MBR) ;) The loading of the encrypted system will be from the USB!
    Here is my code for USB booting of encrypted operating system with TrueCrypt's recovery cd image :

    title Start True Crypt CD
    dd if=(hd0,0)/truecrypt.iso of=(hd1) bs=512 count=1 skip=166 seek=62
    map (hd0) (hd1)
    map (hd1) (hd0)
    map --hook
    hide (hd0,0)
    hide (hd0,2)
    unhide (hd0,1)
    makeactive (hd0,1)
    root (hd1,0)
    map /truecrypt.iso (0xff) || map --mem /truecrypt.iso (0xff)
    map --hook
    root (0xff)
    chainloader (0xff)

    When you boot the legal operating system on the 1st partition (in my case Windows XP licensed), you need to unhide it and make it active with these commands:

    title Windows XP Professional Boot
    unhide (hd0,0)
    hide (hd0,1)
    hide (hd0,2)
    makeactive (hd0,0)
    root (hd0,0)
    chainloader /ntldr

    Don't forget :
    1. Leave the 1st primary partition legal and not encrypted, from which the PC will boot every time with the help of GRUB! Boot encrypted systems from USB with the help of the BIOS boot menu (ASUS motherboards' shortcut is F8)!
    2. Make primary partition for each operating system + extended partition for the not encrypted archive partition which will be visible for all !
    3. When installing operating system on each primary partition, you must make it active and hide the other primary partitions - this also applies when you load OS on each primary partition !
     
    Last edited: Sep 26, 2012