In this post I’m going to briefly discuss the issues I’ve had getting my new X61 notebook booting with 4 OS’s, (Windows Vista, Windows XP, Ubuntu, Backtrack) encrypted.
Preamble: Our new staff laptops are pretty fantastic. Faculty has an initiative subsidizing the cost of deploying tablet notebooks to all schools in Computing and Health Science. I already had one of the few X41s which were wasting away in storage when I arrived: nobody seemed to want to use them becuase they apparently underperformed. I dusted one off and moved from the T42 I was using to the X41, and found the reduced footprint/weight to more than make up for any loss of grunt.
So the new machines have landed, and they’re the very capable Lenovo X61. I’ve had one for a month or so running alongside the X41. I would have made the transition without delay, as the new hardware is better in many respects, and I’m not that biased against Vista that I would avoid upgrading for that reason alone (Vista is mandatory on these new machines to increase staff exposure to the O/S), but theres been a major sticking point, and thats support for my favorite XP encryption solution, Truecrypt with TCGINA.
I’ve had at least one laptop stolen in recent years, and while no important data was lost / exposed via the theft, I now have a heightened awareness of the danger of carrying unencrypted data around. TCGINA does a great job in XP of hooking into the login process and pre-mounting your encrypted storage even before the user profiles are loaded, which means that data can be stored there as well. This effectively means that your desktop folder, my documents, IM data, browser (IE or FF) favorites and history and the like are all stored safely. If the device is lost or stolen, without your password, that sensitive file you left on the desktop isn’t sitting there exposed on an unencrypted diak waiting to be harvested by a forensic undelete utility.
Truecrypt 4 with TCGINA is broken on Vista
Vista takes a different (non GINA) approach to handling the login process , so TCGINA no longer gets it done. This was a real headache: I needed to be using Vista for work but wasn’t comfortable with an unencrypted portable system. (This is before TrueCrypt5 was released – more on this shortly). The X61 has a TPM and thus (any big brother TPM/Vista backdoor conspiracy theories aside) bitlocker should have been an option, but because of the partitioning setup on my notebook, it isn’t. This is because bitlocker works by creating a separate primary partition (size ~1gb or so) on your drive to stick its bootloader and encryption software.
Problem was, I already had the maximum 4x primary partitions. I’m never satisfied, so after installing Vista I went in with a linux livecd and gparted (gnome partition GUI, like travelling first class compared to being jammed in the luggage bay using fdisk) and sliced it up so I could have three additional OS’s booting natively. These were Ubuntu, Backtrack 3 Beta, and WinXP SP2 – (the latter being a real adventure to get co-habitating peacefully with the others, due to an unfortunate tendency to blat whatever bootloader I was using with its own apon install).
Eventually it all worked, with GRUB on the boot partition loading up whichever of my 4 OS/s I wanted. On a side note, whenever I messed with the size of the Vista partition (gparted handles ntfs partition resizing fine) Vista would fail to load until I went in with the vista boot dvd and ran the very simple repair/rescue procedure. Did this each time, and then it was fine.
(I’m aware that alternative bootloaders such as XOSL can supposedly work some magic when it comes to maximum / types of partitions and the O/S’s loaded from them, but I have yet to try it. )
So having reached this stage things were mostly groovy, my 4 OS’s on one machine, but with no encryption whatsoever. At this point, I would have been happy to have it on the Primary O/S only (Vista) as the others were mainly for testing and would be unlikely to have any sensitive data on there, but even that seemed out of reach due to the TCGINA/Vista broken-ness.
So what to do?
Answer: Truecrypt 5 rocks and is not broken on Vista
Midway through pondering how I was going to find a solution, a rescue came along: TrueCrypt 5 was released with a major major feature added: the ability to encrypt entire system & boot partitions.
This was pretty much holy grail stuff to me at that point.
I wasted no time in firing up the new Truecrypt on Vista to see if the promises were true. Summary: some of them are. Its good, but not perfect. It didn’t work “out of the box” (but then bitlocker didn’t work at all): There were hiccups because I had GRUB as my primary bootloader (TC5 refuses to deal with anything but the windows bootloader) and I was unable to encrypt my entire disk, as I initially thought I’d be able to do, because my partition setup included logical partitions (this scenario throws an error after you try to process a whole disk which contains logical partitions).
So to get it working? First, I had to nuke GRUB from the primary partition, and set it up on the secondary so I could still access my linux installs. This was pretty simple: I booted into Ubuntu (which is where my grub config lives) and installed it on the second partition via some simple GRUB commands which I googled and now cant remember (partition 2 happens to be where XP is installed), then booted up with my vista dvd and let it replace the primary bootloader.
It is probably worth noting that I also had the Backtrack distro* installed on one of the logical partitions (along with a swap partition and an independently encrypted truecrypt partition), and GRUB could load Backtrack fine throughout this process, as its location didn’t change. (sda6).
After that it was as simple as running the truecrypt system/boot encryption wizard from Vista again, allowing it to create a recovery CD (backup of the volume headers in case of corruption or a changed, forgotten password) and waiting for a couple of hours while it processed my vista system partition, live.
Voila – it works. My Vista partition is now secure, and my other OS’s boot fine, albeit unencrypted. The next step is to reorganize everything so I can get rid of the logical partitions and hence do a proper whole-disk encryption to cover both my Windows and Linux installs. I’m sure theres a post in that.
* Backtrack is a Slackware based livecd distro loaded with a plethora of security tools. Since my primary laptop is usually of the subnotebook/ultraportable breed and hence doesn’t usually include a CD/DVD drive, I’ve previously installed backtrack to a USB key and booted off that, but its easier to have it integrated as a boot option, epecially with nice large hard drives making the 3GB or so loss of usable space hardly noticable.
UPDATE: I have since received a few queries about this article via email and clarified it a bit, so I’ll post the emails and responses below.
John: Hello,
i read your article Quad boot with Linux, XP and Encrypted Vista on the Lenovo
x61 Tablet, but there is not much details. My problem is that i have 2 primary
partitions, 1. is winxp, second is linux. I have grub loader. So my problem is
after i will encrypt my windows primary partition + use pre boot lock stuff from TC, how my grub loader will work? Because if i understand well TC boot lock will delete MBR a put own code overthere.
Thanks for your reply.
Hi John
I have not encrypted WinXP with Truecrypt yet, only Vista, however I suppose it is more or less the same.
To answer your question: When you encrypt your windows partition it will install the TC bootloader on the MBR, and yes it will overwrite GRUB.
What you need to do is install GRUB on your linux partition before running truecrypt in windows. You will need to boot into linux and run some “grub” commands (suggest you google them) to install it to another partition/drive. (It is ok to have the grub bootloader installed on two drives at once). Once you have encrypted your windows system partition, the Truecrypt bootloader will detect any other bootable drives on the system and give you the option of booting from them instead of your encrypted windows when you start up. (They will not be encrypted or otherwise protected by truecrypt, but they will be bootable)
John: Ok till that part its clean, u mean just install grub not into MBR but on the linux partition where the linux is. Dont understand what u mean by grub will be installed on two drives at once, u mean MBR + linux partition?
Yes, you install the grub bootloader onto your linux partition. After that grub will be *temporarily* installed two places at once, but only until you run fixboot+fixmbr, after that the Windows bootloader will be restored to the primary drive/partition.
If I recall correctly, truecrypt will not do full system encryption while you have GRUB on the primary MBR, so once you have installed GRUB on your linux parition/drive, you need to replace it on the primary with the default WinXP bootloader (easiest way is to go in with the WinXP boot cd, go to the recovery console and use the “fixboot” and “fixmbr” commands). Once you have done this, boot back into windows (should go straight on with no sign of grub) and TC should encrypt your windows system partition fine.
John: Here is a place where i completly got lost. What do u mean by primary MBR? Ok anyway why do i have to put grub to primary? Didnt u say that its enought to install grub on linux partition, and simply overwrite MBR by truecrypt? Why do i have to do fixmbr and stuf…
fixmbr and fixboot are the microsoft command line tools for restoring the default windows bootloader. You need to do this because truecrypt will not encrypt a windows partition which has grub installed as its primary bootloader. Truecrypt then replaces the windows bootloader with its own bootloader which will then launch windows (encrypted) and also any other bootable drives/partions (ie your linux one with GRUB installed) that it finds.
So a basic sequence of things you would do:
- Boot into your linux install and install the grub bootloader onto the linux drive/partition
- Boot into windows recovery console (winxp cd) and restore the default bootloader (fixboot/fixmbr)
- Take cd out and boot up normally – grub should be gone and you will get into windows.
- Run truecrypt and encrypt windows partition
- Next time you boot up, TC bootloader is there and you can boot straight into windows or grub/linux.
Hope this answers your question!
John: Thanks a lot, –=John=–
Hope this helps anyone else as well =) – Glen