This document is intended to serve as my own list of things to remember the next time I need to set up a similar system. However I think it might be useful for others as well.
My original intention was to fulfill the requirements below:
Encryption:
The main reason for encryption is that I don't want anyone that steals my computer to play around with my files. (Meaning the encryption needs to be fairly safe but doesn't have to be the best of the best.)
Will be used for my home computer. Protecting files from other (legal) users has low priority. (My wife already knows my password anyway...)
Operating systems:
Windows XP (32-bit). This will be used by my children to play games. It will not be encrypted because it should be easy to boot without passwords and does not contain any sensitive information.
Windows 7 (64-bit). Encrypted.
Ubuntu 10.04. Encrypted.
There should be no need to type in a password more than once to boot any of the operating systems.
Possibility to share documents between operating systems.
Use ext4 or ext3 file systems for shared partitions.
Hard disk configuration:
Two disks
Primary disk partitions (not all of them are actually “real” partitions since they will reside within an encrypted logical volume):
Windows XP (NTFS)
Windows 7 (encrypted NTFS)
Ubuntu “/boot” (Ext4)
Ubuntu “/” (encrypted Ext4)
Linux swap (encrypted)
Ubuntu “/home” (encrypted Ext3). This will also be used from Windows to access my documents.
Secondary partition:
One large encrypted (Ext3) partition mainly for backup and ongoing work. Used from both Windows and Linux.
Windows XP (32-bit)
Windows 7 (64-bit)
Ubuntu 10.04 (64-bit). Both the regular install CD and the alternate install CD will be required.
TrueCrypt. (Versions for Windows and Ubuntu)
Ext2 Installable File System for Windows (Ext2IFS)
VirtualBox (only required for testing the setup in a virtual machine).
Daemon Tools Lite (only required for testing the setup in a virtual machine).
My plan was to achieve this by the steps described below.
Install Windows XP as usual.
Install Windows 7 as usual.
Install Ubuntu using the alternate installer CD (to be able to configure encryption from the start). How?
Install TrueCrypt in Windows 7 and encrypt the Windows 7 partition.
Boot Ubuntu from the regular installation CD. (The Ubuntu system can not be booted because the TrueCrypt boot loader overwrites the MBR.)
Backup the MBR (Master Boot Record) created by TrueCrypt. How?
Restore GRUB. (Linux boot loader.) How?
Add the TrueCrypt boot loader as an alternative in Linux boot menu to be able to boot windows. How?
Add Windows XP as an alternative in the Linux boot menu. (So there will be no need to go through the TrueCrypt boot menu to boot Windows XP.)
Install TrueCrypt in Ubuntu and test that I can access the Windows 7 partition. (Normally I will have no need to access that from Ubuntu, but it might be useful under certain circumstances.)
Install Ext2IFS in Windows XP and 7 to be able to access ext3 partitions. (Ext4 is not supported.)
Install FreeOTFE in Windows XP and 7 to be able to access the encrypted Linux partitions.
Automatically mount the encrypted Linux partitions in Windows 7. (Since I don't want to have to enter the password again I plan to store it in clear-text in a script. This is of course a major security risk, but since it requires that the user is already logged in to the encrypted Windows 7 system I consider this acceptable in my case.)
There are a lot of things that might go wrong here, so I will use VirtualBox to test it in a virtual machine. (Note that TrueCrypt requires that a rescue CD ISO file is burned during installation. This is not possible in the virtual machine because there is no CD writer. Instead use Daemon Tools Lite to mount the image, or copy it to the host and mount it in VirtualBox.)
Someone might wonder why I mess around with this at all instead of just using one operating system and running the others in a virtual machine. The answer is that I use Ubuntu for daily use. Then I need a real XP installation because it is not possible to set the screen resolution and aspect correctly for some of the children's games in VirtualBox. For Windows 7 I will normally use a virtual machine, but sometimes performance might not be good enough.
Also remember to disable automatic activation of Windows until everything works as it should.
When testing this in the virtual machine I found a number of issues and had to change some plans.
It seems there is a major problem with this. In earlier versions of GRUB it was fairly easy to back up the MBR created by TrueCrypt and boot it using chain-loading. But Ubuntu 10.04 uses GRUB2, and apparently both GRUB2 and the TrueCrypt boot loader use additional sectors after the MBR sector.
Due to that I have found no way to use them together.
I have considered the following options to get around this:
Use another boot loader that is able to handle this. I have not investigated that option any further.
Install the GRUB2 boot loader on a partition instead of the MBR. (I don't think that it is possible during the regular Ubuntu installation process, but it can probably be done afterwards.) Then the TrueCrypt boot loader must be configured to be able to boot Ubuntu through GRUB. I don't like that.
Install Windows 7 on the second hard disk instead. This was the choice I made.
I also found a problem that XP can not be booted directly from GRUB without going through Windows 7 boot loader. This is probably because Windows 7 put its boot files on the Windows XP partition. It can probably be avoided by modifying the partition table so that the Windows XP partition is hidden before installing Windows 7, but I have not investigated that further.
There are also some issues regarding the encrypted data access when using the encrypted volumes.
FreeOTFE can not be used for mounting these types of volumes in Windows.
Since I made two encrypted volumes I was asked for the password twice when booting Linux. (Probably there is a way to configure Ubuntu to use the first given password for both volumes, but I have no idea how to do that.)
I did not succeed in mounting any partition in FreeOTFE from the command prompt or any other way that could be used for automatic mounting.
Because of these issues and the problem with FreeOTFE and 64-bit Windows (described further down) I will have to create the shared partitions using TrueCrypt instead.
Although Ext2IFS works fine to mount ext3 (not ext4, but ext3 is OK with me) file systems with read and write permissions it seems it can only be used for regular partitions, not the encrypted partitions mounted through FreeOTFE or TrueCrypt. I have not found another good ext-driver for Windows either.
There is also a problem installing Ext2IFS in Windows 7. It seems that running the installation program in Windows Vista compatibility mode can be used as a workaround.
This means I will have to use NTFS instead of Ext3 for partitions that should be used in both Linux and Windows. An additional problem with that is that file flags and access rights in Linux can not be maintained. So it is not a good idea to mount it at “/home”; instead I will mount it at either “/home/myuserid” or “/home/myuserid/documents”. (In the last case I will need to make some application setting folders like /home/myuserid/.mozilla soft links pointing to a directory in the shared partition if I want to use it in Windows 7 as well.)
There is a problem installing FreeOTFE in 64-bit Windows 7 because the drivers are not signed. More information.
On 64-bit Windows XP I was not able to mount any partitions in FreeOTFE because it complains about missing drivers. (Not a problem since I will not use 64-bit Windows XP in the final installation, but I used it in one of the tests.)
When I had finally managed to set up the boot loader so that it should be able to boot all three systems, I got a very annoying problem when booting any of the Windows systems. They seem to start to boot OK, but then VirtualBox halts the virtual machine and tells me there is a critical error.
This also happens for an unencrypted dual-boot installation with Windows XP and Ubuntu, so it seems very likely that this is a problem with VirtualBox.
(I was able to perform my other tests with some backup/restoration of the boot records, but that's far too much work to do every time I want to switch OS.)
Due to the problems I had to revise my plans. Now it looks like this instead:
Disable the primary disk in BIOS. (Temporarily remove it in the virtual machine.) This is to make Windows 7 believe that it is installed on the primary disk.
Install Windows 7 as usual
Install TrueCrypt in Windows 7 and encrypt the system.
Enable the primary disk.
Install Windows XP as usual
Install Ubuntu using the alternate installer CD (to be able to configure encryption from the start).
Configure an entry for Windows 7 in the GRUB boot menu. (There will already be an entry for this, but it will not work because the disk Windows was installed to is now the secondary disk. The entry for Windows XP should work without any further actions.) How?
Make sure all three systems can be booted.
Boot Windows 7. Create and encrypt the partitions that should be used in both Linux and Windows. Configure TrueCrypt to mount them automatically every time Windows is started.
Boot Ubuntu. Add a script that automatically mounts the shared encrypted partitions every time Linux is started.
Disk configuration:
Primary disk:
NTFS-formatted partition for Windows XP.
Ext4-formatted partition mounted as “/boot” (1 GB will be more than enough for this partition.)
Encrypted volume (LUKS/dm-crypt) containing:
Ext4-formatted “partition” mounted as “/”
Linux swap
NTFS-formatted partition, encrypted with TrueCrypt. I will put my documents here.
Secondary disk:
NTFS-formatted partition. (Small partition that will be created by Windows 7 without asking me...)
NTFS-formatted partition encrypted with TrueCrypt for Windows 7.
NTFS-formatted partition, encrypted with TrueCrypt.
There are several ways around this, but none of them seems very good. The method I selected is the following:
Open a command prompt with administrative rights and type “bcdedit.exe /set TESTSIGNING ON”. Then reboot. Now the sign check has been turned off permanently. (Unfortunately it can not be done for specified drivers only.)
What also happens is that there will be an ugly permanent warning message shown on the desktop background. On my system it says:
TestMode
Windows 7
Build 7600
This text comes from user32.dll.mui (several copies of this file exist on the system). There exists a crack to get rid of the message, but I prefer not to use that. (I have opened the file in a hex editor to see if I could get rid of the message, but it does not seem to be a matter of simply replacing strings.)
Boot from the TrueCrypt rescue disk
Press F8
Press 2 to restore boot loader
Confirm with 'y'
Boot from Windows XP installation CD.
Press R for Recovery Console.
Enter a number to select the Windows installation.
Enter the Administrator password.
Type “FIXMBR” and press enter.
Confirm with 'y'
Enter 'exit' to reboot.
Boot from Windows 7 installation CD
Select “Repair your computer” instead of “Install now”.
Select “Use recovery tools...” and mark the Windows installation. Press “Next”
Press “Cancel” when Windows is searching for problems. (It will take a while to search and the problem will not be found anyway.)
Select “View advanced options for system recovery and support”
Select “Command prompt”
Type “e:\boot\bootsect /nt60 d:\ /mbr” (Assuming that e: is your CD drive and d: is the Windows 7 system partition. This might not be the case, so verify it first, e.g. by listing a directory.)
Reboot
Use the alternate install CD to install Ubuntu
When installation reaches “Partition disks”, select “Manual”
To create a regular partition:
Select the “FREE SPACE” where you want to create the partition.
Select “Create a new partition”.
Set “Use as” and “Mount point” to selected values.
(Some straight-forward steps have been omitted.)
To create encrypted volumes:
Select “Configure encrypted volumes”
Select “Create encrypted volumes”
Select existing partitions and/or free space to be included in the volume
Enter password
(Some straight-forward steps have been omitted.)
To configure logical volumes:
Select “Configure the Logical Volume Manager”
Select “Create volume group” and give the group a name
Select devices to be included. (E.g. the encrypted volume /dev/mapper/sda5_crypt.)
Select “Create logical volume” and select the volume group you want to use.
Give the volume a name
Back in the “Partition disks” screen, select the volume
Set values for “Use as” and “Mount point” to selected values. (As you would do for regular partitions.)
(Some straight-forward steps have been omitted.)
To encrypt the partition /dev/sdb3, give the command:
sudo cryptsetup luksFormat -c "aes-cbc-essiv:sha256" /dev/sdb3
Then follow the instructions. Any existing data will be lost. Make sure the partition is not mounted.
The encryption parameters above are selected so that it should be possible to mount the encrypted partition in Windows with FreeOTFE.
The boot alternatives for GRUB2 are stored in /etc/grub.d/grub.cfg. However that file is generated automatically every time it needs to be updated, so it is a bad idea to edit it directly.
Instead the entry for Windows 7 can be added in /etc/grub.d/40_custom by the following lines:
menuentry "Windows 7 (TrueCrypt)" {
    insmod chain
    set root=(hd1)
    # Swap the BIOS drive numbers of the first and second disk
    drivemap -s hd0 hd1
    chainloader +1
}
The important part here is the drivemap entry, which swaps the disks so that Windows 7 will think that the secondary disk (where it is installed) is the primary disk.
(The entry does not have to go into 40_custom; that is just a sample file for adding manual entries. It is possible to create a new file in the same directory and add the entry there. The numbers at the beginning of the file names define the order the entries will be shown in. Don't forget to flag the file as executable.)
When the file has been updated and saved then run:
sudo update-grub
Reboot and test that the new entry works as expected.
TrueCrypt encrypted partitions can easily be mounted from the command prompt.
The following command will attempt to mount the Windows system encrypted partition /dev/sda1 in /cryptmount using the password “mysecretpassword”:
truecrypt --mount-options=system --fs-options=uid=myuser,gid=myuser,umask=0007,utf8 --password=mysecretpassword /dev/sda1 /cryptmount
(The arguments given to fs-options are simply forwarded to the Linux mount command.)
To unmount from the command prompt use:
sudo truecrypt --dismount /dev/sda1
To automate mounting I have created the file /etc/init.d/tcmount with the following content:
#! /bin/sh
### BEGIN INIT INFO
# Provides: -
# Required-Start: -
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: -
# Description: -
### END INIT INFO

# Mount the shared TrueCrypt volume; the password is given in clear text.
# (Named do_mount so the function does not shadow the system mount command.)
do_mount() {
    truecrypt --keyfiles="" --protect-hidden=no --fs-options=uid=myuser,gid=myuser,umask=0007,utf8 --password=mysecretpassword /dev/sda4 /cryptmount
}

# Dismount the volume again.
do_umount() {
    truecrypt --dismount /dev/sda4
}

case "$1" in
    start)
        do_mount
        ;;
    stop)
        do_umount
        ;;
    restart|force-reload)
        do_umount
        do_mount
        ;;
    *)
        echo "Bad luck..." >&2
        exit 3
        ;;
esac

# Always report success to the init system.
:
I had to add the "--keyfiles" and "--protect-hidden" switches to get this working. I don't know why, because they are not needed when mounting/unmounting directly from a shell prompt. I also had the problem that "uid" and "gid" did not work; root always became the owner. This seems to have something to do with the NTFS filesystem created with TrueCrypt 7 on Windows XP. A normal reformatting in Windows solved the problem. If someone knows more, please send me a mail.
To make the script run automatically, run:
update-rc.d tcmount defaults
Make sure to flag the script as executable. (Also set the owner to root and remove read access to the file to prevent anyone from reading the clear-text password. Of course the script needs to be located on an encrypted partition, otherwise this will make a nice entry into the system for anyone that steals your computer.)
Backup MBR of sda:
sudo dd if=/dev/sda of=/somedir/backup.mbr count=1 bs=512
This will back up the 512-byte MBR. (Note that some boot loaders use additional sectors.)
Restore is performed the same way, just specify /somedir/backup.mbr as input file and /dev/sda as output file instead.
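The note about additional sectors matters for both GRUB2 and the TrueCrypt boot loader. The script below is an added example, not part of the original page: it reads the partition table and copies sector 0 plus every sector before the first partition, which goes beyond the single-sector backup above. The function names, the output file name and the sample disk layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: back up the MBR together with the boot-loader sectors after it.

# Print the little-endian 32-bit integer at byte offset $2 of file $1.
le32() {
    set -- $(od -An -v -tu1 -j "$2" -N4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Print the lowest start LBA among the four primary partition entries
# (0 if the table is empty); fail if the 0x55AA boot signature is missing.
first_partition_lba() {
    sig=$(od -An -v -tx1 -j 510 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$sig" = "55aa" ] || return 1
    min=0
    for i in 0 1 2 3; do
        entry=$((446 + 16 * i))             # table starts at byte 446
        ptype=$(od -An -v -tu1 -j $((entry + 4)) -N1 "$1" | tr -d ' \n')
        [ "$ptype" -ne 0 ] || continue      # type 0 = unused slot
        lba=$(le32 "$1" $((entry + 8)))
        if [ "$min" -eq 0 ] || [ "$lba" -lt "$min" ]; then min=$lba; fi
    done
    echo "$min"
}

# Copy sector 0 and every sector before the first partition from $1 to $2.
backup_boot_area() {
    n=$(first_partition_lba "$1") || { echo "no MBR signature on $1" >&2; return 1; }
    [ "$n" -gt 0 ] || n=1                   # empty table: MBR sector only
    dd if="$1" of="$2" bs=512 count="$n" 2>/dev/null
}

# Constructed sample: 128-sector image, NTFS at LBA 2048, Linux at LBA 63.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
    put() { printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null; }
    put "$1" '\007' 450; put "$1" '\010' 455    # entry 0: type 0x07, LBA 0x0800
    put "$1" '\203' 466; put "$1" '\077' 470    # entry 1: type 0x83, LBA 63
    put "$1" '\125\252' 510                     # boot signature 55 AA
}

# On a real disk (as root): sh thisscript /dev/sda /somedir/boot-area.bin
if [ "$#" -eq 2 ]; then backup_boot_area "$1" "$2"; fi
```

Writing such a backup back to the disk also rewrites the partition table stored in bytes 446 to 509 of sector 0, so it should only be restored while the partition layout is still the same as when the backup was taken.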
Boot from Ubuntu installation CD.
Select “Try” (not “Install”).
If you don't have a US keyboard it might be a good idea to check System->Preferences->Keyboard->Layouts
Open a terminal
Now you need to make some updates to /boot. The problem is that what currently looks like /boot is not “the real” /boot but the /boot of the Ubuntu system you are now running from the CD, so you will need to do something about that. In my case the real /boot was located in the partition /dev/sda3. I have tried two ways around that. (“chroot” did not work for me for some reason, which is why I tried the other way.)
Enter:
sudo mkdir /mnt/boot
sudo mount /dev/sda3 /mnt/boot
sudo chroot mnt
sudo grub-install /dev/sda
Or:
sudo mv /boot /boot_junk
sudo mkdir /boot
sudo mount /dev/sda3 /boot
sudo grub-install /dev/sda