Seba

Hi,

One piece of information: there is no possibility to encrypt the whole drive using the multi-boot option. You can use multi-boot only in the case of Windows partition encryption. You can check this. After this, please update the instructions. Thanks for the very good instructions. It is helpful to propagate data encryption.

Plamen

You can't encrypt when the other OS is Linux. When I choose a non-Windows bootloader, the program says that it will be (almost) impossible.

Anonymous

I have more than two Windows and some Linux installations, but none of them knows anything about the others at boot time.

I did that by putting Grub2 in an Ext4 logical partition (inside an extended partition on an MBR scheme).

Just to simplify:
/dev/sda1 Windows A system partition (all boot in one NTFS partition)
/dev/sda2 Windows B system partition (all boot in one NTFS partition)
/dev/sda3 Windows C system partition (all boot in one NTFS partition)
/dev/sda4 Extended partition
/dev/sda5 Linux D / (Ext4)
/dev/sda6 Linux E / (Ext4)
… and so on
/dev/sda12 Linux SWAP (used by all Linux)
/dev/sda13 MyData (big NTFS used for my data on all Windows & all Linux)
… some more personal data partitions
/dev/sda33 /boot (ext4) for Grub2

The boot process: the MBR is loaded, then Grub2 from /dev/sda33 (aka /boot); the menu is shown and I select which OS to load. If Windows, I use a chainload; if Linux, also a chainload, since each Linux has installed its own LILO, Grub or whatever boot loader the distro used.

I use that /dev/sda33 (/boot) Grub2 to isolate the system partitions, so any OS only sees its own system partition and none of the other OSes' system partitions. For that I use Grub2 commands prior to the chainload to 'hide' and 'unhide' partitions (the commands were written by myself inside the file /boot/grub/grub.conf; they were in menu.lst on old Grubs, but with different commands because of the different Grub version).

It works like a charm: just one main menu with the OS and configuration I want, no matter how many OSes I install; easy to update (no need to do grub-update and all that stuff, just edit a text file); it also lets me add a boot entry for /boot/SystemRescueCD.iso as a loop device, etc., and I can let each Linux distro manage its own boot loader as it wants.

As I say, my /boot is with Grub2 and is for isolating the OS boot process.

The main objective is: since each OS has its own boot code on its PBR (partition boot record), I want nothing to touch the MBR (master boot record). Installing and updating an OS is as easy as if it were alone on the disk, taking care that it installs its boot code on the PBR… with Windows this can become madness, since it always rewrites the MBR, but then again SystemRescueCD and I reinstall Grub2 on the MBR and the dedicated partition and it is solved.

Question: with VeraCrypt or the old TrueCrypt, what must I select in such options? I think multi-boot, so it does not touch the MBR and gets installed on the PBR; one separate install (different or same password) for each Windows.

I want to stay the same: to remove one Windows, just delete its partition and edit my self-maintained /dev/sda33 /boot/grub/grub.conf text file to adapt the hide/unhide partitions and menu entries by hand.

I want to be sure I can overwrite the MBR with what I want and not affect booting an encrypted Windows.

After that I will search for something similar for all the Linux OSes I have installed… that is more madness, since I do not want to reinstall them, nor go through a clone/restore process; I want in-line encryption like VeraCrypt does on Windows… also the ability to pause and resume system partition encryption.

Yes, with VeraCrypt / TrueCrypt you can shut down Windows in the middle of the encryption process by deferring it to the next boot, so part of the partition is encrypted and the other part not; then on tomorrow's boot, while you use it, it continues doing the rest of the pending encryption.

All I saw on Linux LUKS: you are forced to destroy the partition data (the whole system) prior to restoring the previous clone (which also must have been done in offline mode), so not only one time offline to encrypt, but two times more, one to back up the system / partition and one more to restore it after it is encrypted. Why does Linux not offer in-line, on-line system partition encryption? I mean not offline for a single second while converting a non-encrypted Linux to an encrypted /?

And in such a case, since the /boot folder is a folder inside / on each Linux, how can it load if encrypted? There is no way in Linux to do it, since all I read needs /boot as a separate, non-encrypted partition.

I want to encrypt 100% of the disk (I could put /dev/sda33 on a USB stick and not encrypt it, but I have no knowledge of that yet), since I cannot be sure where and what all the apps in the world save their data… just to say, I saw a modern free word processor that, in case of a crash, when re-launched presents to you the last words you typed prior to the crash, even though I had not saved the document at any time, so where did it store such data? On the same path as the main app executable? On /var? On the swap? Or where? No one can know if the source code is not free! Etc. Paranoid? No, it is just that I am a developer and know a lot of bad tactics that are used, worse on Windows, where most developers write data in the exe folder since there you have no problems with permissions, etc… I hate that!

If the HDD is not encrypted at 100% it makes no sense to encrypt anything; plain data could go to a non-encrypted part of the disk, not to mention SSDs and their internal block remapping: you cannot overwrite the same block until all the rest of the free blocks get written, since it remaps internally in hardware and carries a count of how much a block has been written.

With that in mind: encrypt everything and after that fill all free space with encrypted (random-based) data.

Worse: in forensic labs they can recover nearly 50 or more previous states of each bit, so just overwriting is not enough; you need to do 128 overwrite passes with special patterns to ensure the data is not there, and that done on 100% of the disk, not just within a partition boundary, etc.

SSD logical blocks for a partition can really be anywhere on the SSD, so blocks of one partition can be between other partitions, etc… that is called internal remapping and its main objective is to extend life (write cycles).

With all this in mind I tend to use virtual machines with their virtual disks on a 100% encrypted disk (/dev/sdf)… yes, I do not put a partition scheme on the disk (I do not do fdisk /dev/sdf); I do a mkfs.ext4 directly on the block device (/dev/sdf), then I create file containers on it, then I mount it as read-only and mount such files as read/write (hooked), so I can write the blocks but not touch the filesystem that holds them. Sorry, this is not for novice people, since /dev/sdf is a read-only ext4 partition that, hooked, lets you write in the blocks that a file owns… file containers must be of fixed size, etc.; a lot of work to get it working, not to mention that you need a hooked ext4 filesystem and a kernel recompile, etc… too much work for a novice!
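The hide/unhide-then-chainload scheme described in the comment above, written out as an added example in GRUB2 grub.cfg syntax (this is not the commenter's own file). It assumes the MBR layout listed above, that /dev/sda is GRUB's (hd0), and that hiding is done with GRUB's parttool command, which toggles the hidden flag in the MBR partition-type byte.

```grub
# Added example, not the commenter's file. Assumed: /dev/sda = (hd0) with an
# MBR partition table laid out as in the comment above.
# Each Windows entry hides all three Windows system partitions, unhides the one
# being booted, and chainloads that partition's PBR. Linux entries just
# chainload the PBR where each distro installed its own boot loader.
insmod part_msdos
insmod parttool

# Hide every Windows system partition, then unhide only the one selected ($1).
function select_windows {
    parttool (hd0,msdos1) hidden+
    parttool (hd0,msdos2) hidden+
    parttool (hd0,msdos3) hidden+
    parttool $1 hidden-
    set root=$1
}

menuentry "Windows A (sda1)" {
    select_windows (hd0,msdos1)
    chainloader +1
}

menuentry "Windows B (sda2)" {
    select_windows (hd0,msdos2)
    chainloader +1
}

menuentry "Windows C (sda3)" {
    select_windows (hd0,msdos3)
    chainloader +1
}

# Each Linux keeps its own boot loader on its PBR; a chainload hands over to it.
menuentry "Linux D (sda5)" {
    set root=(hd0,msdos5)
    chainloader +1
}

menuentry "Linux E (sda6)" {
    set root=(hd0,msdos6)
    chainloader +1
}
```

Note that parttool writes the hidden flag into the on-disk MBR partition table, so the state persists across reboots: a partition stays hidden from every OS until a later GRUB entry flips it back.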

Anonymous

How can one use TrueCrypt / VeraCrypt in other cases?

1. BIOS-only PC & only one MBR disk with at least three 32-bit Windows (I want each one encrypted with its own password), better if I only need to type the corresponding password
2. BIOS-only PC & only one GPT disk (need Grub2 + Memdisk + VHD files to boot) with at least five 32-bit Windows (I want each one encrypted with its own password), better if I only need to type the corresponding password; warning: native install of Windows is not possible
3. BIOS-only PC & only one GPT disk & only one small MBR disk (<1GiB) with at least five 32-bit Windows (I want each one encrypted with its own password), better if I only need to type the corresponding password; native install of all Windows is possible

Note: DiskCryptor also has problems with such configurations.

The main idea is that each Windows has at least two partitions, one for the BCD stuff (called boot) and one for itself (called sys, where the WINDOWS folder is), so the Windows bootloaders are isolated.

Dolky

I'm having problems with the OS encryption on TrueCrypt 7.1a. I go through the setup and reboots for the test, and the TrueCrypt Boot Loader appears. When I enter the correct password, the PC just restarts to POST and goes back round to the TrueCrypt Boot Loader.

What can I do??