Windows 7 + TrueCrypt 7.1a and Debian wheezy + encryption dual-boot with GRUB2

Getting Windows 7 (or Windows 8 or Windows Vista) with TrueCrypt to play nicely with GRUB2 is quite a chore. However, after 2 days of fighting, I finally found a simple solution, thanks to the README file that comes with grub2tc. Unfortunately, grub2tc didn’t actually work for me, but their docs did!

Here’s the step-by-step to make it all work:

  1. Install Windows. In my case, this meant running the restore CD that came with my computer.
  2. Install TrueCrypt, and encrypt your system drive. Be sure to encrypt only the System drive, not the entire disk!

    Be sure to copy the TrueCrypt Rescue CD image somewhere handy. I used a USB stick, but you could burn it to an actual CD just as well. You will need it later in this procedure.

  3. Install Linux. I chose Debian, but these instructions ought to work fine with Ubuntu, or practically any other variation of Linux. If you’re doing disk encryption (and I’m sure you are if you’re reading this), be sure to create a small (~500 MB should be fine) /boot partition that is not encrypted. Then configure the rest of your disk with encryption, LVM, whatever. When I had finished this step, my disk layout looked like this (from the Linux standpoint):
    • /dev/sda1 – Windows 7 Boot partition
    • /dev/sda2 – Windows 7
    • /dev/sda3 – Linux /boot
    • /dev/sda4 – Encrypted Linux volume, mapped to /dev/dm-0
    • /dev/dm-0 – LVM Physical volume
    • /dev/mapper/vg0-root – Linux / partition
    • /dev/mapper/vg0-swap – Linux swap space

    Note that it is important that your swap space is encrypted. Otherwise an attacker may be able to read passwords or other private info from the swap partition, especially if they gain access to your system while it is hibernated (suspended to disk).

    When you install Linux, be sure to install GRUB2, and install it to the MBR. Many tutorials for getting GRUB2 to work with TrueCrypt say not to do this, and instead to install to your boot partition (/dev/sda3 in this case). I had absolutely no luck with these tutorials. If one of them works for you, great. But then you wouldn’t be reading this. So, go ahead and install to the MBR for now. This will overwrite the TrueCrypt boot loader, but we’ll remedy that shortly.

  4. Configure GRUB2 to boot TrueCrypt. This is the magic you came for. The procedure, which I borrowed pretty much exactly from the grub2tc README, is as follows:

    1. Install syslinux
      For Debian/Ubuntu:

      aptitude install syslinux

    2. Copy ‘memdisk’ file into place for use by GRUB2
      Again, for Debian/Ubuntu. For other distributions, the installed location of the ‘memdisk’ file may be different. (Hint: use ‘find’ or ‘locate’ to find it):

      cp /usr/lib/syslinux/memdisk /boot/

    3. Copy TrueCrypt rescue ISO into place
      If you saved the TrueCrypt Rescue ISO to a USB stick, you just need to copy the file (called TrueCrypt Rescue Disk.iso by default) to /boot/truecrypt-rescue-disk.iso. For example (as root):

      mount /dev/sdb1 /mnt
      cp /mnt/TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso

      Or if you burned the image straight to a CD, you can accomplish the same thing with dd (again as root, with the CD in the drive):

      dd if=/dev/cdrom of=/boot/truecrypt-rescue-disk.iso

    4. Determine the UUID of your boot partition
      You can read this from /etc/fstab, or with the following command (substitute the proper device name for your boot partition):

      blkid /dev/sda3

      The output should look something like this:

      /dev/sda3: UUID="12345678-1234-1234-1234567890"

      Use that UUID in the next step.

    5. Configure GRUB2 to load TrueCrypt using Syslinux
      For Debian/Ubuntu, the easiest way is to edit the /etc/grub.d/40_custom file. The exact file you edit may vary for other distributions. Add this to the end:

      menuentry "TrueCrypt ISO boot" {
         insmod part_msdos
         insmod fat
         insmod ext2
         insmod search_fs_uuid
         search --fs-uuid --no-floppy --set=boot [UUID without quotes]
         linux16 ($boot)/memdisk iso raw
         initrd16 ($boot)/truecrypt-rescue-disk.iso
      }

    6. Tell GRUB2 to use the new configuration
      Without this step, the configuration that GRUB2 actually reads is never updated, so your changes won’t take effect. On Debian/Ubuntu, simply run the following command:

      update-grub

      It will give a short summary of output. If there are no errors, you should be set to go!

  5. Test it
    Reboot the system. Your GRUB2 menu should now have a new “TrueCrypt ISO boot” option. If you select this option, you will see the TrueCrypt Rescue CD prompt, asking for a password. Enter the password and hit ENTER, and you should be booted into your Windows environment.
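The six sub-steps of step 4 can be scripted end to end. The following is an added example written for this page, not code from the original post or from grub2tc. It assumes the Debian/Ubuntu paths used above (/usr/lib/syslinux/memdisk, /etc/grub.d/40_custom, update-grub); the boot device and the location of the saved rescue ISO are passed in by the caller. The helpers that parse the blkid output and render the menuentry can be tested without touching the system; only the --install mode performs the actual steps, and it refuses to append the entry a second time.

```shell
#!/bin/sh
# Added example: automates steps 4.1-4.6 of the procedure above (Debian/Ubuntu).
# Not part of the original post or of grub2tc. Paths are the ones the post uses;
# the boot device and ISO source are assumptions supplied by the caller.
set -eu

# Extract the filesystem UUID from one line of blkid output, e.g.
#   /dev/sda3: UUID="12345678-1234-1234-1234567890" TYPE="ext4"
# The leading space in the pattern keeps PARTUUID="..." from matching.
uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Render the menuentry for a given UUID (same body as the 40_custom snippet in step 4.5).
make_menuentry() {
    uuid="$1"
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
   insmod part_msdos
   insmod fat
   insmod ext2
   insmod search_fs_uuid
   search --fs-uuid --no-floppy --set=boot $uuid
   linux16 (\$boot)/memdisk iso raw
   initrd16 (\$boot)/truecrypt-rescue-disk.iso
}
EOF
}

# True (exit 0) if the entry is already present in the given 40_custom file.
entry_present() {
    grep -q '^menuentry "TrueCrypt ISO boot"' "$1"
}

# Steps 4.1-4.6 end to end; run as root.
# Usage: install_truecrypt_entry /dev/sda3 "/mnt/TrueCrypt Rescue Disk.iso"
install_truecrypt_entry() {
    boot_dev="$1"      # unencrypted /boot partition
    iso_src="$2"       # where the rescue ISO was saved (USB stick mount, etc.)
    custom=/etc/grub.d/40_custom

    apt-get install -y syslinux                        # 4.1 install syslinux
    cp /usr/lib/syslinux/memdisk /boot/                # 4.2 memdisk into /boot
    cp "$iso_src" /boot/truecrypt-rescue-disk.iso      # 4.3 rescue ISO into /boot
    uuid=$(uuid_from_blkid "$(blkid "$boot_dev")")     # 4.4 UUID of /boot
    [ -n "$uuid" ] || { echo "no UUID found for $boot_dev" >&2; return 1; }
    if entry_present "$custom"; then                   # 4.5 append menuentry once
        echo "entry already present in $custom, not adding it again" >&2
    else
        make_menuentry "$uuid" >> "$custom"
    fi
    update-grub                                        # 4.6 regenerate grub.cfg
}

# Only perform the installation when asked explicitly, so the helpers can be sourced.
if [ "${1:-}" = "--install" ]; then
    install_truecrypt_entry "$2" "$3"
fi
```

Run it as `sh grub-truecrypt.sh --install /dev/sda3 "/mnt/TrueCrypt Rescue Disk.iso"` after mounting the USB stick. Rendering the entry from the parsed UUID avoids the most common mistake in step 4.5 (leaving the brackets or quotes around the UUID), and the duplicate check keeps repeated runs from stacking identical menu entries in 40_custom.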

The only drawback I’m aware of for this boot method is that you see the TrueCrypt Rescue menu every time you boot into Windows. It might be slightly nicer to see the standard TrueCrypt menu (the one that doesn’t show the option to press [F8] for rescue options). But that doesn’t really bother me in the least. Plus, it might come in handy some day if I need to decrypt my Windows partition, and don’t have my rescue disk handy.

If you come across any problems with this procedure, please feel free to contact me. I can’t promise to help, but I am more than happy to update my documentation to help future visitors.

18 Comments

  1. You have my eternal gratitude. Finding this after days of searching through years (if not a decade) old tutorials with dozens of steps in the boot process is just wonderful.

    One thing you might (or might not) want to add before update-grub is to edit

    /etc/default/grub

    by placing a # at the beginning of GRUB_HIDDEN_TIMEOUT=true so it’s

    #GRUB_HIDDEN_TIMEOUT=true

    otherwise, one would have to press shift to get to the boot menu, which to my mind is a bit annoying.

  2. This worked almost cut and paste perfect even with Fedora 19. Only real difference was where memdisk was hiding (/usr/share) and the update command (grub2-mkconfig).

    Many thanks!

  3. First of all: Thanks for this great guide! It was exactly what I was looking for. I nearly have the same configuration except that Windows 7 and Debian Wheezy are installed on separate hard drives.

    So far everything works but I still have one problem and I wonder if anyone here might be able to help me out:
    After selecting “TrueCrypt ISO boot” in the GRUB bootloader the TrueCrypt bootloader shows up and asks for my password.
    When I type it in, the TrueCrypt bootloader always says “Incorrect password”, which is not the case since it accepts my password when only the hard drive on which Windows 7 is installed is connected via a SATA cable.

    It must have something to do with the keyboard layout (I have a German one but I don’t use keys which have a different value on a US keyboard).

    Any ideas?

  4. Calculon, it’s possible that your truecrypt key for Windows has been overwritten in the process. Just tell the rescue disk to reinstall the key, restart, and input the password again.

  5. After following this tutorial, I can boot into Debian just perfectly, but when I select the Truecrypt ISO option in the grub menu, it says it cannot find the right disk, also it says that the kernel should be loaded first.

    Any ideas?

  6. Hello. Firstly thanks for the great tutorial. Really appreciated it.

    I ran into a problem though.

    When I try to boot the true crypt rescue from GRUB it will tell me something like this.

    Device doesn’t exist
    Please load your kernel first.

    And that’s it.

    I double checked if my UUID is dev3/boot and yet it seems the case. Any idea what could be the issue?

    Thank you very much.

  7. I have found that the image copied from my USB drive was bad. When I copied one from the CD it was all working fine. Thank you a lot for the guide once more, you did us a great favour.

    Thanks

  8. Sigh….there seems to be no end of problems.

    I also want to have one disk for data, encrypted also to share data between both linux/win. So as it’s the 5th drive it can no longer be a primary partition. So I had to make an extended partition for the win7 & data drive. Seemed to be no problem, but after I had everything installed and tried to get to Windows my passphrase was invalid. In the repair options I chose 3 Restore key data with the hope it would sort the problem, but no, it brought something even worse: No bootable partition, and I’m screwed..

    It’s my 3rd day trying to set this up and I’m slowly losing hope. Every time I think I got it something will fu.. me up :/

    Any idea what’s wrong this time?
    Thank you

  9. So I managed to get it working today. My final (and running) setup is.
    /dev/sda1 (primary-boot flag ON) 100MB system reserved NTFS (for MBR)

    /dev/sda2 (extended-logical-both encrypted) 2x65GB Kali Linux(ext4)/Win7(NTFS) system drives +3GB encrypted SWAP

    /dev/sda3 (primary) 500MB (ext4) /boot
    /dev/sda4 (logical-encrypted) 350GB (NTFS) for data storage between OS’s

    My previous issue was that /boot drive got flagged as BOOTABLE and for that reason my MBR didn’t respond to TrueCrypt requests and I was not able to boot.

    Now after the second time I had a problem with the Invalid password message. A good way to make sure you’re typing in the right password is to select option 3 in the rescue, type in the wrong password and then the right one. If the right one is ok it should ask “write changes to disk” yes/no. If it gives you Invalid password instead, you’re typing in something wrong. After I used option 3 to reinstall the key header, luckily my win7 started to boot up fine and take my password.

    So for now it seems I’m finally fine.
    As I spent last 3 days doing this I think I got myself a little bit of understanding the process so if anyone would be in need of advice feel free to poke me on ICQ:288895037. I’ll do my best to help.

  10. I successfully installed using this TUT with Debian and Win7 with a few tweaks and some of the same problems noted. But. I found it impossible to install it with Fedora and Win7. I’m not sure what went wrong, but it may have something to do with Anaconda. I will attempt it again some time and post notes here. Thanks for the TUT.

  11. Hello again

    I have tracked down the issues that prevented me from using this technique with Fedora, and I will explain it as follows:

    Step 1: It is the same.

    Step 2: It is the same, but take careful note to name your Truecrypt Rescue Disk and save it to the USB. I named mine truecrypt-rescue-disk.iso. You need to know this later.

    Step 3: This is the same.

    Step 4: 1:) If you need Syslinux, it is the same.

    (2:) Take Bill K’s advice and change your directory and enter the following: cp /usr/share/syslinux/memdisk /boot/

    (3:) I used the second part of this and drag and dropped my file into the terminal after: dd if=/run/media/howl/PENDRIVE/truecrypt-rescue-disk.iso of=/boot/truecrypt-rescue-disk.iso

    (4:) Now, I logged out and logged back in as root, then I did the same.

    Step 5: Since I am logged as root, I can browse to the directory where 40_custom is and make changes to it without using any terminal commands. This is how I added the lines to 40_custom:

    menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot 12345678-1234-1234-1234567890
    linux16 ($boot)/memdisk iso raw
    initrd16 ($boot)/truecrypt-rescue-disk.iso
    }

    You will notice two things here. I have removed all the spaces at the beginning of each new line, and I have removed the brackets where I entered my UUID. I am not sure why the spaces were causing problems in Fedora and not Debian.

    Step 6: Instead of entering update-grub, I entered the following: grub2-mkconfig -o /boot/grub2/grub.cfg

    Step 7: I needed to restore key data (volume header).

    ???

    Profit.

  12. Is it possible with this technique to create and boot a SECOND encrypted Windows 7 ?
    Result should be:
    /dev/sda1 boot
    /dev/sda2 WIN7-A
    /dev/sda3 WIN7-B
    /dev/sda4 /

  13. My output is
    /etc/grub.d/40_custom: 1: /etc/grub.d/40_custom: menuentry: not found
    Error: could not load module part_msdos: No such file or directory
    Error: could not load module fat: No such file or directory
    Error: could not load module ext2: No such file or directory
    Error: could not load module search_fs_uuid: No such file or directory
    /etc/grub.d/40_custom: 6: /etc/grub.d/40_custom: search: not found
    /etc/grub.d/40_custom: 7: /etc/grub.d/40_custom: Syntax error: word unexpected (expecting “)”)

    I use Ubuntu 13.04 and Truecrypt 7.1a

  14. Examining the TrueCrypt recover ISO, it just has a variant of the standard MBR loader and nothing else… So, this leads to the thought, why can’t we use the standard TC MBR loader?

    So if you don’t really want the rescue options…
    Grab the 1st 63 sectors from the disk *while TC is the bootloader* (or after you’ve restored the TC loader from TrueCrypt rescue) (Assuming sda and used 64 but 63 should be the right #):
    dd if=/dev/sda of=truecrypt.mbrplus count=64

    Then from the above, replace linux16/initrd16 with (assuming you copy truecrypt.mbrplus to /boot):
    linux16 /memdisk edd c=1 s=63
    initrd16 /truecrypt.mbrplus
    Since truecrypt.mbrplus is <4MB, it will be a floppy and we adjust the "geometry" (c/s) so things work. edd is required since it's a "floppy". Tested under 14.04.

    None of the insmod were required nor did I need to give the path ($boot) but your mileage may vary.

    All good for now…

    Wonder if it's possible to patch things so the TC MBR loader reads from the memdisk instead of the disk?

    By the way, there's an underlying issue that'll come to bite eventually. TrueCrypt writes volume information to sector 62 (0x7c00). As we know, this gets overwritten by grub-install and restoring it with the rescue ISO works. This is all good as long as the core.img does not exceed 31232 bytes. If it does, then if you rewrite the TC header after grub-install you'll be rewriting part of core.img which is *a very bad idea*.

    From what I read, usually core.img is small enough it's not an issue, but one day it may well come to bite… http://savannah.gnu.org/bugs/?33229 talks about a possible patch to fix this, but it's not in grub2 yet.

    Oh well.
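The overlap described in the comment above (core.img written from sector 1 onward, TrueCrypt's header at sector 62, hence a 31232-byte ceiling) is easy to check before restoring the TrueCrypt header. The following is an added example, not code from the commenter or from the original post. It assumes 512-byte sectors and the usual Debian location of core.img, /boot/grub/i386-pc/core.img; pass a different path if yours differs.

```shell
#!/bin/sh
# Added example: does GRUB's core.img, which grub-install writes into the MBR gap
# starting at sector 1, reach sector 62, where (per the comment above) TrueCrypt
# keeps its volume header? Not part of the original post. Assumes 512-byte sectors
# and the Debian core.img path.
set -eu

SECTOR_BYTES=512
TC_HEADER_SECTOR=62     # 62 * 512 = 0x7C00, the offset named in the comment
CORE_START_SECTOR=1     # core.img begins immediately after the MBR
# Largest core.img that ends before sector 62: (62 - 1) * 512 = 31232 bytes
MAX_CORE_BYTES=$(( (TC_HEADER_SECTOR - CORE_START_SECTOR) * SECTOR_BYTES ))

# Number of whole sectors a file of $1 bytes occupies (rounded up).
sectors_for_bytes() {
    echo $(( ($1 + SECTOR_BYTES - 1) / SECTOR_BYTES ))
}

# Last sector (inclusive) that a core.img of $1 bytes would occupy.
core_last_sector() {
    echo $(( CORE_START_SECTOR + $(sectors_for_bytes "$1") - 1 ))
}

# Exit 0 if a core.img of $1 bytes stays clear of the TrueCrypt header sector.
core_fits() {
    [ "$(core_last_sector "$1")" -lt "$TC_HEADER_SECTOR" ]
}

# Check a real file; prints a verdict and fails if the header would be clobbered.
check_core_img() {
    f="${1:-/boot/grub/i386-pc/core.img}"
    size=$(wc -c < "$f")
    last=$(core_last_sector "$size")
    if core_fits "$size"; then
        echo "OK: $f is $size bytes (limit $MAX_CORE_BYTES), ends at sector $last"
    else
        echo "WARNING: $f is $size bytes and ends at sector $last, overlapping sector $TC_HEADER_SECTOR; restoring the TrueCrypt header would overwrite part of core.img" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    check_core_img "$1"
fi
```

Run `sh check-core-img.sh /boot/grub/i386-pc/core.img` after every grub-install or update-grub that rebuilds core.img, and before using the rescue disk's "Restore key data" option; a non-zero exit means the two will collide and the GRUB bug report linked in the comment is the one to watch.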
