3

I'm interested in setting up a laptop that dual boots Windows 7 and openSUSE. The plan is to encrypt the openSUSE partition and require a USB thumb drive with the encryption key for it to boot. Where if the USB drive is not plugged in at boot time it will instead boot to an unencrypted Windows 7 partition without looking too suspicious.

So what I'm curious about is whether this is doable and whether it's a reasonable thing to do.

roboChan
  • 33
  • 2
  • So the goal is not only to encrypt, but hide the existence? No, this not a good way. a) There is still the partition etc. b) Getting Grub etc. to not show Linux unless an USB is plugged in will be tricky. – deviantfan Jun 14 '18 at 05:20
  • @deviantfan you can install grub only on the USB drive, configure BIOS to try to boot from USB first, HDD next, and you are done. But that will not hide the Linux partitions. – ThoriumBR Jun 14 '18 at 12:51
  • @ThoriumBR Good point in *Grub* being on Usb :) – deviantfan Jun 14 '18 at 21:32

3 Answers3

2

Is this doable? Of course yes.

Is this a reasonable thing to do? It depends on what you goal is. If you only want that your child or girl friend can play winmine with little to no risk for you sensitive openSUSE partition, that is fine. That means a reasonable protection against mistyping on a keyboard without true malice. And if your girl friend is not a computer specialist, it can even be enough to hide the mere existence of the second system.

If you are looking towards plausible deniability, it is no longer reasonable at all. Anybody with standard knowledge on computers will see immediately that:

  • the windows partition does not use the full disk size
  • another partition exists and looks bootable - I'm not an expert on openSUSE encrypted partition, but as the goal is only to protect data, I would suspect that it is easy to guess that the other partition contains a Linux system.

VeraCrypt documentation contains a full chapter about it explaining the limits of their solution which is still accordingly the linked Wikipedia pages among the best existing and maintained ones.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
1

Concerning booting differently depending on the presence of a USB key :

What I would do is have tow grubs. One on the PC, which boots immediately to windows, without any hint that anther system exists. A second grub would be installed on the USB key. This one would give you the actual boot options, and have the key to decrypt the partition. Then, you can specify in your bios/uefi to boot from usb by default. You will then obtain your desired behaviour. Keep in mind though, enabling USB boot can be dangerous. You have to know if this is a concern for you. (To reduce this risk, look into using secure boot. Don't quote me on this, but I believe some UEFIs let you specify your own keys for the OSs to allow boot for.)

Concerning "hiding" the suse partition :

As has been already said, the Suse partition cannot be invisible (except maybe if you play with the HDDs firmware?). However, depending on the filesystem you chose for it, it is very possible that it would not be visible from within windows, to a user who is not looking for it. (Windows alone cannot read ext4 for example, and so any partition formatted in ext4 would not appear in "My Computer". It can still be found with the appropriate tool though.)

Whether it's "reasonable" to do :

This is really subjective. This technique would add a layer of security, which, by principle, is always a good thing. But it really is not a robust protection scheme. "Hiding" the partition will make absolutely no difference in case your attacker is skilled and determined. Off the top of my head, The only case where this would be actually useful is for airport security checks. Sometimes security officers ask you to boot your PC, and can become very suspicious if you have a "strange" OS running. Then you can just show them the Win7 boot they want to see.

Encrypting your important partition and keeping the key on an external device, though, is definitely a go !

Vince
  • 151
  • 1
  • 3
-1

Whether it is a reasonable thing to do it completely up for debate. My personal opinion on such matters is this, so you guys can decide that part.

As far as it being doable, I think it is, even with the GRUB menu issues. I don't think it's too big of an issue. The way to do it would be to give boot priority to Win 7 and it will always boot up without showing the grub menu. You will have to use the 'F10 boot manager' system to login every time but it's not too complicated. The USB stick will act as the decryption and logger system. As far as the Partition being seen is concerned, Off the top of my head you can have a sudo malware in your system that shows the OpenSUSE partition as the other drive in your system (As far as I know it's a basic .bat file command but I can be wrong). This will showcase that the system has two drives and can fool most simply because either they see your laptop with two drives, or they find out that you have an infected laptop, none of that screams "Secret Partition".

These are just guidelines, it might take a significant time to create this however I think you should spend more time across forums to find this because I think something like this already exists and making one from scratch is a big project. All the Best !

[Edit] You can also try using Win 8 and 10, because these OS try real hard to not let any GRUB menu show up inherently (I say that from personal experience).

Shubhanshu Dixit
  • 41
  • 2
  • The other partition would be **trivially** obvious to anyone with access to either the booted windows image or the hard drive. – vidarlo Jun 14 '18 at 06:29
  • I just gave one way to do it sire. There are ways to default everything. Also, trivial to you might not be trivial to other my smart community member. – Shubhanshu Dixit Jun 15 '18 at 11:49
  • It's trivial in the sense that **anyone** remotely familiar with computers looking for it will find it. It's not security by a long shot. – vidarlo Jun 15 '18 at 22:24