Encrypting a Dual-Boot Hard Drive

2

2

I have a computer dual-booting Windows 7 and Arch Linux. The Arch installation has already been encrypted with LUKS and LVM, as follows:

sda  Computer's Hard Drive, GRUB2 in MBR
|   sda1  Preinstalled, ignorable partition
|   sda2  Preinstalled, ignorable partition
|   sda3  Windows 7
|   sda4  Extended partition
|   |   sda5  Arch - LUKS Encrypted Container
|   |   |   archcrypt  LVM Container
|   |   |   |   arch-root   Arch /
|   |   |   |   arch-swap   Arch swap
|   |   sda6  Arch - unencrypted /boot

I believe that everything under the LUKS container is ignorable, as everything works right now. I would like to encrypt the Win7 partition as well, using TrueCrypt. How would I go about this? Is it OK to install GRUB2 into a partition's boot sector? What configuration changes would I need to make to GRUB2 to work with the new setup?

thirtythreeforty

Posted 2013-01-30T06:02:30.707

Reputation: 946

Answers

1

I threw my Windows out of my laptop some months ago, so this is only a rough idea of how it works rather than a step-by-step guide. Of course you should do a backup beforehand, as encryption always comes with the risk of data loss.

  1. When installing TrueCrypt, it destroys your current MBR. After you're done, save the rescue disk *.iso to your boot partition.
  2. As GRUB is now lost, you have to use a live system to chroot back into your old system and restore GRUB. This is a process rather specific to each system; I could tell you how it works for my Gentoo, but not for Arch, sorry. (Another way would be to save and rewrite the MBR with dd.)
  3. Make GRUB able to boot from *.iso (helpful for a rescue disk live system, too); some versions are already capable, some have to be compiled to be. Tell it to chainload the TrueCrypt rescue ISO. I prefer to edit my grub.cfg by hand; you could use grub-mkconfig and edit the /etc/grub.d/custom file to include it.
  4. After you have made sure GRUB boots your Linux again, boot into the rescue CD. You won't be able to boot to your Windows, as you receive some strange error. You have to do a small repair to your local filesystem, and this should make you able to boot into Windows again (next few times without repairing).

Take care not to rewrite your MBR again. This happens inevitably after every TrueCrypt update, so be prepared to restore GRUB every now and then. You should use the ISO boot and store a rescue disk ISO on your /boot.

One addition: are you sure that both preinstalled partitions are ignorable? If one of them is the Windows System partition (100 MB), this might get a bit more complicated. You can install Windows into one partition; I don't know what happens if you don't. The above steps assume that this has been done.

Baarn

Posted 2013-01-30T06:02:30.707

Reputation: 6 096

To clarify, sda1 is a ~ 40 MiB fat16 partition. The BIOS probably uses it or something. sda2 is ~20 GiB (!) and is labelled RECOVERY. Also, do you know if it would be easier to install GRUB to the boot sector of sda6 (is it safe, can it be done, will Truecrypt chainload it, etc.)? – thirtythreeforty – 2013-01-31T07:49:09.093
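
The answer's "save and rewrite the MBR with dd" option and its advice to be ready to restore GRUB after TrueCrypt updates, sketched as an added example that is not part of the original posts. The function names, the 63-sector boot track and the image file used by `demo` are assumptions for illustration; `demo` works only on a constructed image, never on a real disk.

```shell
#!/bin/sh
# Sector 0 of an MBR disk: bytes 0-439 boot code, 440-445 disk signature,
# 446-509 partition table, 510-511 the 0x55AA marker. GRUB2 keeps the rest
# of itself (core.img) in the sectors between sector 0 and the first partition.
BOOTCODE=440
TRACK=63   # assumption: first partition starts at sector 63; check your disk

sha() { sha256sum | cut -d' ' -f1; }

# mbr_backup DISK FILE: save sector 0 plus the gap behind it.
mbr_backup() { dd if="$1" of="$2" bs=512 count="$TRACK" 2>/dev/null; }

# mbr_status DISK FILE: print intact, bootcode-changed or gap-changed.
mbr_status() {
    if [ "$(head -c "$BOOTCODE" "$1" | sha)" != "$(head -c "$BOOTCODE" "$2" | sha)" ]; then
        echo bootcode-changed
    elif [ "$(dd if="$1" bs=512 skip=1 count=$((TRACK - 1)) 2>/dev/null | sha)" != \
           "$(dd if="$2" bs=512 skip=1 count=$((TRACK - 1)) 2>/dev/null | sha)" ]; then
        echo gap-changed
    else
        echo intact
    fi
}

# mbr_restore DISK FILE: write back boot code and gap only, so the disk
# signature and partition table currently on DISK are left untouched.
mbr_restore() {
    dd if="$2" of="$1" bs=1 count="$BOOTCODE" conv=notrunc 2>/dev/null &&
    dd if="$2" of="$1" bs=512 skip=1 seek=1 conv=notrunc 2>/dev/null
}

# demo: exercise the cycle on a constructed 128-sector image file.
demo() {
    d=$(mktemp -d) || return 1
    img=$d/disk.img bak=$d/mbr.bak
    dd if=/dev/zero of="$img" bs=512 count=128 2>/dev/null
    printf 'GRUB' | dd of="$img" bs=1 conv=notrunc 2>/dev/null          # constructed boot code
    mbr_backup "$img" "$bak"
    printf 'OTHR' | dd of="$img" bs=1 conv=notrunc 2>/dev/null          # loader replaced
    printf 'P' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null    # table edited later
    before=$(mbr_status "$img" "$bak")
    mbr_restore "$img" "$bak"
    after=$(mbr_status "$img" "$bak")
    table=$(dd if="$img" bs=1 skip=446 count=1 2>/dev/null)
    rm -rf "$d"
    echo "$before $after $table"
}
```

On the real machine DISK would be the whole-disk device (sda in the question) and the functions need root; the backup file belongs somewhere a live system can read, such as the unencrypted /boot.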