Dual boot Windows + Linux with encryption

4

I'm looking at having a dual boot system with Windows and Linux where both are encrypted.

I have one single hard drive where Windows and Linux shall both reside.

It could be with or without bitlocker, veracrypt, luks, UEFI, Secure Boot, TPM. As long as both OS are encrypted and I can dual boot when starting the computer.

I didn't try this link below, looks like it might work but it seems like a hack. I'm looking for more of an official/easy way to do this.

How to encrypt a dual boot system with Veracrypt?

EDIT: Well, I did try the link and it's not working. I've spent a whole day on this trying pretty much everything and nothing works. I'd just like a dual boot system where both OS are encrypted, no matter how it is achieved.

Zurd

Posted 2018-01-22T06:07:09.327

Reputation: 193

What led you to believe this is possible? Also, Windows has an encrypted file type and so does Linux, so why does the hard drive itself need to be encrypted? With UEFI you would need the UEFI driver for the hard drive to do this. – marshal craft – 2018-01-22T07:13:17.917

There are probably companies which make drives with drivers that encrypt the hard drive. Without dedicated hardware, though, read/write to the hard drive would take a performance hit. – marshal craft – 2018-01-22T07:19:17.110

What makes you think I want the hard drive to be encrypted? I just said as long as both OS are encrypted, whatever the solution is. – Zurd – 2018-01-22T23:17:15.750

Sorry I wasn't and still am not aware of any other way to "encrypt the os", that is different from what I said above. – marshal craft – 2018-01-24T06:08:42.590

Answers

2

I'm quite sure it is possible to achieve a dual-boot system with Windows and Linux where both are encrypted on only one hard drive; unfortunately, I did not achieve it.

As a solution, I bought a second hard drive and installed Windows on it with BitLocker. I unplugged it, plugged in the second hard drive, and installed Linux with cryptsetup on the whole hard drive. I shut down, plugged in both, booted into Linux (configurable in your BIOS to know which one to boot), and updated GRUB with something like "sudo update-grub"; it will automatically detect the other hard drive as Windows. Then when you reboot, you will have the GRUB interface, no password asked, but after you select Windows or Linux, you will be asked for the password of the encryption. It's a perfect solution but you do need 2 hard drives.

Zurd

Posted 2018-01-22T06:07:09.327

Reputation: 193
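A way to check the resulting layout from the Linux side, as an added example that is not part of the original answer: it parses `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and flags any partition that is neither an encrypted container nor a boot partition. The device names and sample output are constructed, and it assumes a util-linux recent enough that lsblk reports BitLocker volumes with the filesystem type `BitLocker`.

```python
import json

# Constructed output of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` for a
# two-drive layout like the one in the answer (device names are made up).
SAMPLE = json.loads("""
{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
   {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": null},
   {"name": "sda2", "type": "part", "fstype": null, "mountpoint": null},
   {"name": "sda3", "type": "part", "fstype": "BitLocker", "mountpoint": null}]},
 {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
   {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
   {"name": "sdb2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
   {"name": "sdb3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
    "children": [{"name": "sdb3_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}
]}
""")

ENCRYPTED = {"crypto_LUKS", "BitLocker"}   # container signatures reported by blkid
BOOT_MOUNTS = {"/boot", "/boot/efi"}       # must stay readable by firmware/GRUB


def classify(node):
    """Return a verdict for one partition or whole-disk filesystem."""
    fstype, mount = node.get("fstype"), node.get("mountpoint")
    if fstype in ENCRYPTED:
        return "encrypted"
    if fstype is None:
        return "no-signature"              # e.g. reserved partition, unused space
    if fstype == "vfat" or mount in BOOT_MOUNTS:
        return "boot-plaintext"            # assumption: vfat is the EFI partition
    return "PLAINTEXT"                     # OS or data readable without a password


def audit(tree):
    """Walk the lsblk tree and return {device name: verdict}."""
    report = {}
    stack = list(tree["blockdevices"])
    while stack:
        node = stack.pop()
        if node["type"] != "disk" or node.get("fstype"):
            report[node["name"]] = classify(node)
        if node.get("fstype") not in ENCRYPTED:   # skip inside opened containers
            stack.extend(node.get("children") or [])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real machine, feed it the parsed output of the `lsblk` command above instead of `SAMPLE`; any `PLAINTEXT` entry is a partition whose contents can be read without a password.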

1

Encryption is inside the O/S, so as I understand it, you would need to encrypt inside of Windows and inside of Linux (whatever flavor you choose) after the O/S loads. Even if you use the same product (like Veracrypt) you need to use the Windows version and the Linux version because it is different code for each. This would give you encryption on both systems without any hardware encryption, which is a generally accepted standard of security.

You will need to have the operating systems & preferably data in different locations -- partitions, drives or have one on a VM. And use a bootloader such as GRUB to choose a system at startup.

From my perspective, it is easier to encrypt at install time and I would separate the systems at least through a partition. Make sure you have bootable rescue media on hand, because it is pretty easy to make the system unbootable with all of these changes. Here's an answer on Stack Exchange with more details: https://unix.stackexchange.com/questions/366437/windows-linux-dual-boot-full-disk-encryption

Adir Akerman

Posted 2018-01-22T06:07:09.327

Reputation: 86

Having encryption inside the OS and having a boot partition unencrypted makes sense, but when I use VeraCrypt in Windows it also seems to encrypt the MBR. And then when I go on to install Linux, I cannot set encryption and I cannot touch the MBR, else it will mess up Windows. There's probably a way to do it with luks, I just can't figure it out. Note that the VeraCrypt version for Linux doesn't allow encrypting the root partition; there's no menu "System / Encrypt System Partition/Drive...", Windows does though. – Zurd – 2018-01-23T01:21:07.083

0

The "easy and official" way would include a machine with TPM. If your machine has an Intel vPro brand on it, you're guaranteed to have device-level encryption, OS-independent (either way both OS you mention are supported, not so sure about direct hardware access stuff like DOS of the olden days, but who cares for all practical intents and purposes?). The rest will require some work.

Alex Parshikov

Posted 2018-01-22T06:07:09.327

Reputation: 1