Verbally Flimzy

Ramblings, Observations and Misconceptions

Windows 7 + TrueCrypt 7.1a and Debian wheezy + encryption dual-boot with GRUB2

Posted on April 29, 2013

Getting Windows 7 (or Windows 8 or Windows Vista) with TrueCrypt to play nicely with GRUB2 is quite a chore. After 2 days of fighting, though, I finally found a simple solution, thanks to the README file that comes with grub2tc. Unfortunately, grub2tc didn’t actually work for me, but its docs did! Here’s the step-by-step to make it all work:

  1. Install Windows. In my case, this meant running the restore CD that came with my computer.

  2. Install TrueCrypt, and encrypt your system drive. Be sure to encrypt only the System drive, not the entire disk! Be sure to copy the TrueCrypt Rescue CD image somewhere handy. I used a USB stick, but you could burn it to an actual CD just as well. You will need it later in this procedure.

  3. Install Linux. I chose Debian, but these instructions ought to work fine with Ubuntu, or practically any other variation of Linux. If you’re doing disk encryption (and I’m sure you are if you’re reading this), be sure to create a small (~500 MB should be fine) /boot partition that is not encrypted. Then configure the rest of your disk with encryption, LVM, whatever. When I had finished this step, my disk layout looked like this (from the Linux standpoint):

    • /dev/sda1 - Windows 7 Boot partition
    • /dev/sda2 - Windows 7
    • /dev/sda3 - Linux /boot
    • /dev/sda4 - Encrypted Linux volume, mapped to /dev/dm-0
    • /dev/dm-0 - LVM Physical volume
    • /dev/mapper/vg0-root - Linux / partition
    • /dev/mapper/vg0-swap - Linux swap space

    Note that it is important that your swap space is encrypted. Otherwise an attacker may be able to read passwords or other private info from the swap partition, especially if they gain access to your system while it is hibernated (suspended to disk).

    When you install Linux, be sure to install GRUB2, and install it to the MBR. Many tutorials for getting GRUB2 to work with TrueCrypt say not to do this, and instead to install to your boot partition (/dev/sda3 in this case). I had absolutely no luck with these tutorials. If one of them works for you, great. But then you wouldn’t be reading this. So, go ahead and install to the MBR for now. This will overwrite the TrueCrypt boot loader, but we’ll remedy that shortly.

  4. Configure GRUB2 to boot TrueCrypt. This is the magic you came for. The procedure, which I borrowed pretty much exactly from the grub2tc README, is to:

    1. Install syslinux. For Debian/Ubuntu:

         aptitude install syslinux

    2. Copy the ‘memdisk’ file into place for use by GRUB2. Again, for Debian/Ubuntu (for other distributions, the installed location of the ‘memdisk’ file may be different; hint: use ‘find’ or ‘locate’ to find it):

         cp /usr/lib/syslinux/memdisk /boot/

    3. Copy the TrueCrypt rescue ISO into place. If you saved the TrueCrypt Rescue ISO to a USB stick, you just need to copy the file (called TrueCrypt Rescue Disk.iso by default) to /boot/truecrypt-rescue-disk.iso. For example (as root):

         mount /dev/sdb1 /mnt
         cp /mnt/TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso

       Or if you burned the image straight to a CD, you can accomplish the same thing with dd (again as root, with the CD in the drive):

         dd if=/dev/cdrom of=/boot/truecrypt-rescue-disk.iso

    4. Determine the UUID of your boot partition. You can read this from /etc/fstab, or with the following command (substitute the proper device name for your boot partition):

         blkid /dev/sda3

       The output should look something like this:

         /dev/sda3: UUID="12345678-1234-1234-1234567890"

       Use that UUID in the next step.

    5. Configure GRUB2 to load TrueCrypt using Syslinux. For Debian/Ubuntu, the easiest way is to edit the /etc/grub.d/40_custom file. The exact file you edit may vary for other distributions. Add this to the end:

         menuentry "TrueCrypt ISO boot" {
             insmod part_msdos
             insmod fat
             insmod ext2
             insmod search_fs_uuid
             search --fs-uuid --no-floppy --set=boot [UUID without quotes]
             linux16 ($boot)/memdisk iso raw
             initrd16 ($boot)/truecrypt-rescue-disk.iso
         }

    6. Tell GRUB2 to use the new configuration. Without this step, the configuration that GRUB2 actually reads is never updated, so your changes won’t take effect. On Debian/Ubuntu, simply run the following command:

         update-grub

       It will give a short summary of output. If there are no errors, you should be set to go!
  5. Test it. Reboot the system. Your GRUB2 menu should now have a new “TrueCrypt ISO boot” option. If you select this option, you will see the TrueCrypt Rescue CD prompt, asking for a password. Enter the password and hit ENTER, and you should be booted into your Windows environment.
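Steps 4.2 through 4.6 above are easy to get subtly wrong by hand (a UUID copied with its quotes, or a menuentry written before memdisk and the ISO are actually in /boot), so here is the same procedure as a small POSIX shell script. This is an added example, not code from the post or from grub2tc. It assumes Debian/Ubuntu paths exactly as described above (/boot, /etc/grub.d/40_custom, blkid, update-grub); the helper names and the sample blkid line are my own constructions. The UUID parsing and menuentry generation run without root; only the final install function touches the system.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install the GRUB2
# menuentry that boots the TrueCrypt Rescue ISO via syslinux's memdisk.

# Extract the UUID from one line of blkid output, e.g.
#   /dev/sda3: UUID="12345678-1234-1234-1234567890" TYPE="ext2"
# The quotes are stripped, because GRUB's search command wants the bare value.
uuid_from_blkid_line() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Render the menuentry from the post, with the UUID filled in.
# The heredoc is unquoted so $1 expands, while \$boot stays literal for GRUB.
truecrypt_menuentry() {
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $1
    linux16 (\$boot)/memdisk iso raw
    initrd16 (\$boot)/truecrypt-rescue-disk.iso
}
EOF
}

# Steps 4.2 and 4.3 must already be done: both files the menuentry refers to
# have to exist in the unencrypted /boot partition, or the entry will not boot.
check_boot_files() {
    bootdir="${1:-/boot}"
    [ -f "$bootdir/memdisk" ] && [ -f "$bootdir/truecrypt-rescue-disk.iso" ]
}

# Steps 4.4 to 4.6 end to end. Run as root on the real machine, e.g.:
#   sh this-script.sh --install /dev/sda3
install_truecrypt_entry() {
    bootdev="$1"
    uuid=$(uuid_from_blkid_line "$(blkid "$bootdev")")
    if [ -z "$uuid" ]; then
        echo "could not read a UUID for $bootdev" >&2
        return 1
    fi
    if ! check_boot_files /boot; then
        echo "memdisk or truecrypt-rescue-disk.iso missing from /boot" >&2
        return 1
    fi
    # Refuse to append a second copy if the entry is already present.
    if grep -qF 'menuentry "TrueCrypt ISO boot"' /etc/grub.d/40_custom; then
        echo "entry already present in /etc/grub.d/40_custom" >&2
        return 1
    fi
    truecrypt_menuentry "$uuid" >> /etc/grub.d/40_custom
    # Without this, /boot/grub/grub.cfg is never regenerated (step 4.6).
    update-grub
}

if [ "${1:-}" = "--install" ]; then
    install_truecrypt_entry "$2"
fi
```

Sourcing the script without `--install` only defines the functions, which is handy for checking what `truecrypt_menuentry` would write before touching 40_custom.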

The only drawback I’m aware of for this boot method is that you see the TrueCrypt Rescue menu every time you boot into Windows. It might be slightly nicer to see the standard TrueCrypt menu (the one that doesn’t show the option to press [F8] for rescue options), but that doesn’t really bother me in the least. Plus, it might come in handy some day if I need to decrypt my Windows partition and don’t have my rescue disk handy. If you come across any problems with this procedure, please feel free to contact me. I can’t promise to help, but I am more than happy to update my documentation to help future visitors.

Filed under: dual-boot encryption grub grub2 Linux truecrypt windows-7