Many people use TrueCrypt to encrypt their systems and keep their data as safe as possible. Encrypting your computer when you have one operating system installed on one partition is relatively easy, even with TrueCrypt. But what about encrypting your system drive when using a multi-boot setup? That's really complicated, and this guide is here to help.
Prerequisites - What You Must Have Before You Start
There are a few things you need before moving ahead with the encryption process:
- The latest version of TrueCrypt, which can be downloaded from here: TrueCrypt Downloads.
- A blank CD on which to burn the TrueCrypt Rescue Disk. Creating this disc is mandatory: you won't be able to encrypt your system without it. If you plan to encrypt more than one computer, prepare a blank CD for each, as you cannot reuse the same disc on all computers.
- Plenty of time and patience. This process is very long and involves lots of careful reading and many steps. One wrong choice and you can run into problems that are difficult to solve. Therefore, don't start this if you don't have at least an hour to spare.
How to Encrypt the System Partition
After you install TrueCrypt, run the tool and press Create Volume.
The TrueCrypt Volume Creation Wizard now opens. You are asked to select what you want to encrypt. Select "Encrypt the system partition or entire system drive" and press Next.
Next you are asked about the type of system encryption you would like to perform. Normal should work for most users. Then, press Next.
Now you are asked which area of the hard drive you want to encrypt. "Encrypt the Windows system partition" is the best choice if you are interested in encrypting only the partition where Windows is installed. If you choose "Encrypt the whole drive", the whole hard drive will be encrypted, with all its partitions. Select the option you prefer and press Next.
You are asked about the number of operating systems existing on your computer. Since this guide is about encrypting a system drive in a multi-boot configuration, I had to select Multi-boot and press Next.
Then you receive a funny warning stating that inexperienced users should never attempt to encrypt Windows in multi-boot configurations. 🙂 Have a laugh and press Yes to continue.
Then you are asked whether the operating system you are encrypting is installed on the boot drive. The boot drive in this context means the hard drive where the Windows boot loader (or boot partition) is found. In most cases the answer is Yes. However, if your Windows installation is on another hard drive (not another partition, but another hard drive), you should select No. After choosing the correct answer, press Next.
You are asked about the number of system drives on your hard drive. The language is a bit tricky here. If you have two or more operating systems installed on different partitions, you should select "2 or more". In a multi-boot configuration, this is always the correct answer. Then, press Next.
You are now asked whether there are other operating systems installed on the hard drive on which the current operating system is installed. In most multi-boot configurations, users install multiple operating systems on different partitions of the same hard drive. If that's the case for you, answer Yes. If the other operating systems are installed on other hard drives, the answer is No. Once you have made the correct choice, press Next.
Next, another important question is asked: are you using a non-Windows boot loader in your master boot record (MBR)? If you have a Linux installation in your multi-boot setup, the answer is Yes. If you have only Windows installations, the answer is No. Make the appropriate choice and press Next.
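The four layout questions above are where a wrong answer costs the most, so, as an added example that is not part of the original guide, this PowerShell snippet reads the actual disk layout and derives the answers from it using the guide's own rules. It assumes Windows 8 or later (the Storage module's Get-Disk / Get-Partition cmdlets) and an elevated session; the property names and the "Q1..Q4" labels are this example's, not TrueCrypt's.

```powershell
# Added example (not from the original guide): read the disk layout and derive
# the answers to the wizard's four multi-boot questions from it.
# Assumes Windows 8 or later (Storage module: Get-Disk / Get-Partition) and an
# elevated PowerShell session; the TrueCrypt wizard itself is not involved.
$sysLetter = $env:SystemDrive.TrimEnd(':')              # usually "C"
$winPart   = Get-Partition -DriveLetter $sysLetter
$winDisk   = Get-Disk -Number $winPart.DiskNumber

# Q1 "boot drive": the disk holding the Windows boot manager, flagged IsSystem.
$bootDisk    = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
$onBootDrive = ($winDisk.Number -eq $bootDisk.Number)

# Other Windows installations: lettered partitions that contain an NT kernel.
# Unlettered Windows volumes are invisible to this test; assign a letter first.
$otherWin = Get-Partition | Where-Object {
    $_.DriveLetter -match '^[A-Za-z]$' -and
    $_.DriveLetter -ne $sysLetter -and
    (Test-Path "$($_.DriveLetter):\Windows\System32\ntoskrnl.exe")
}
# Linux installations on MBR disks appear as partition type 0x83 (Linux native).
# GPT partition-type GUIDs are not inspected here, so review GPT disks by hand.
$linux    = Get-Partition | Where-Object { $_.MbrType -eq 0x83 }
$otherOs  = @($otherWin) + @($linux)
$sameDisk = @($otherOs | Where-Object { $_.DiskNumber -eq $winDisk.Number })

# Q2 number of system drives, Q3 other OS on the same disk, Q4 non-Windows
# loader (the guide's rule: a Linux installation means GRUB/LILO owns the MBR).
$systemDrives = if ($otherOs.Count -gt 0) { '2 or more' } else { '1' }
$yesNo = { param($b) if ($b) { 'Yes' } else { 'No' } }

[pscustomobject]@{
    WindowsDisk              = "$($winDisk.Number) ($($winDisk.PartitionStyle))"
    BootManagerDisk          = $bootDisk.Number
    Q1_OsOnBootDrive         = & $yesNo $onBootDrive
    Q2_NumberOfSystemDrives  = $systemDrives
    Q3_OtherOsOnSameDisk     = & $yesNo ($sameDisk.Count -gt 0)
    Q4_NonWindowsLoaderInMBR = & $yesNo (@($linux).Count -gt 0)
} | Format-List
```

Treat the output as a cross-check against what you know about the machine, not as the final word: an OS on an unlettered volume or a GPT disk is not detected by these heuristics.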
You are informed how the multi-boot setup will work depending on the choices you've made. I strongly recommend that you carefully read everything and only then press Next.
You are asked to select the encryption and hash algorithms that will be used by TrueCrypt. Don't hesitate to read the official documentation prior to making a choice. Information can be found here: TrueCrypt Encryption Algorithms. Choose the algorithms you prefer and press Next.
You are asked to set a password. This password will be used to boot your system and access the encrypted operating system, and also to decrypt or recover the encrypted drive. Make sure you don't forget this password and that it is a strong one. Type the password twice and press Next.
If you have used a password shorter than 20 characters, you are warned by TrueCrypt. You can choose to keep the password or change it for a stronger one.
Then, TrueCrypt collects some random data to generate your encryption keys. Move your mouse around over the wizard window for a while and press Next.
You are informed that the keys have been generated. Press Next.
TrueCrypt now creates a rescue disc to be used in case of problems. Specify the location where it will store the ISO image of the disc and press Next.
Now you are informed that TrueCrypt will use the Windows Disc Image Burner to burn that image onto a recovery disc. Press OK and the Windows Disc Image Burner window opens.
Insert the blank CD, press Burn and wait for the process to finish. If you need some help using this tool, check this tutorial: The Complete Guide to Burning Disk Images (ISO & IMG) In Windows 7.
After the disc is burned, Windows Disc Image Burner automatically ejects it. Insert it back into the drive and press Next in the TrueCrypt Volume Creation Wizard, so that it verifies the burned disc. If the check is successful, press Next to move on.
If the check is not successful, you will receive an error message similar to the one below. You won't be able to move ahead until the disc is burned and verified.
You are getting close to starting the encryption process. First, you are asked if you want TrueCrypt to wipe the empty space existing on the drive (so that any data still left on it is not recoverable) prior to encrypting your computer. Choose the Wipe mode you prefer and press Next.
Now a pre-test is necessary, to confirm that your settings will work without problems prior to encrypting the drive. Read the information presented by TrueCrypt and press Test.
You are shown some notes on what to do if Windows cannot start. Read and/or print the information displayed and press OK.
Now you are asked whether it is OK to restart your computer. Press Yes.
Windows restarts and, before it boots, you need to enter the TrueCrypt password you have set. If entering the password works fine and you log into Windows, TrueCrypt resumes the encryption wizard and informs you that the pretest was completed.
NOTE: If for some reason your keyboard doesn't send the password while you type it, it was not initialized properly. Check your BIOS settings to make sure it is initialized at startup and your input is sent to the computer.
To finally start the encryption process, press Encrypt.
You are shown some additional information on how to use the TrueCrypt Rescue Disk you created earlier. Read the information being displayed and print it if you consider it useful. Then, press OK.
The encryption starts and takes quite a bit of time. Luckily, you can use your computer while the encryption is performed. When done, you are informed of its success.
Press Finish to close the TrueCrypt Volume Creation Wizard. The encrypted system partition is now shown in the TrueCrypt window.
Conclusion
Encrypting your system drive when using a multi-boot configuration is a painful and lengthy process. However, it can be done by almost anyone. You just need to make sure you read everything carefully, choose your options wisely and have the rescue disc available in case of issues.
Discussion (5)
I'm having problems with the OS encryption on TrueCrypt 7.1a. I go through the setup and reboots for the test, and the TrueCrypt Boot Loader appears. When I enter the correct password the PC just restarts to POST and goes back round to the TrueCrypt Boot Loader.
What can I do??
How can I use TrueCrypt / VeraCrypt in other cases?
1.- BIOS-only PC & only one MBR disk with at least three 32-bit Windows (want each one encrypted with its own password), better if I only need to type the corresponding password
2.- BIOS-only PC & only one GPT disk (need Grub2 + Memdisk + VHD files to boot) with at least five 32-bit Windows (want each one encrypted with its own password), better if I only need to type the corresponding password; warning: native install of Windows is not possible
3.- BIOS-only PC & only one GPT disk & only one small MBR disk (<1GiB) with at least five 32-bit Windows (want each one encrypted with its own password), better if I only need to type the corresponding password; native install of all Windows is possible
Note: DiskCryptor also has problems with such configurations.
The main idea is that each Windows has at least two partitions, one for the BCD stuff (called boot) and one for itself (called sys, where the WINDOWS folder is), so Windows boot loaders are isolated.
I have more than two Windows and some Linux, but no one knows anything about the others at boot time.
I had done that by putting Grub2 in an Ext4 logical partition (inside the extended partition on an MBR scheme).
Just to simplify:
/dev/sda1/ Windows A system partition (all boot in one NTFS partition)
/dev/sda2/ Windows B system partition (all boot in one NTFS partition)
/dev/sda3/ Windows C system partition (all boot in one NTFS partition)
/dev/sda4/ Extended partition
/dev/sda5/ Linux D / (Ext4)
/dev/sda6/ Linux E / (Ext4)
… and so on
/dev/sda12/ Linux SWAP (used by all Linux)
/dev/sda13/ MyData (Big NTFS used for my data on all Windows & all Linux)
… some more personal data partitions
/dev/sda33 /boot (ext4) for Grub2
The boot process: MBR is loaded, then Grub2 from /dev/sda33 (aka /boot), the menu is shown and I select which OS to load; if Windows, I use a chainload; if Linux, also a chainload, since each Linux has its own LILO, Grub or whatever boot loader the distro used installed.
I use such /dev/sda33 (/boot) Grub2 to make isolation between system partitions, so any OS only sees its own system partition and none of the other OS system partitions; for that I use Grub2 commands prior to the chainload to 'hide' and 'unhide' partitions (commands were written by myself inside the file /boot/grub/grub.conf; they were in menu.lst on old grubs, but different commands because of the different grub version).
It works like a charm, just one main menu with the OS and configuration I want, no matter how many OS I install, easy to update (no need to do grub-update and all that stuff, just edit a text file), it also lets me add a boot entry for /boot/SystemRescueCD.iso as a loop device, etc... and I can let each Linux distro manage its own boot loader as they want.
As I say, my /boot is with Grub2 and for isolating the OS boot process.
Main objective is: since each OS has its own boot code on its PBR (partition boot record), I want no one to touch the MBR (master boot record); installing and updating an OS is as easy as if it was alone on the disk, but with care that it installs boot on the PBR... with Windows this can get to madness, since it always rewrites the MBR, but again SystemRescueCD and I reinstall Grub2 on the MBR and dedicated partition and it gets solved.
Question: With VeraCrypt or old TrueCrypt, what must I select in such options? I think multi-boot so it does not touch the MBR, and gets installed on the PBR; one different install (different or same password) for each Windows.
I want to stay the same: to remove one Windows, just delete its partition and edit my self-maintained /dev/sda33 /boot/grub/grub.conf text file to adapt hide/unhide partitions and menu entries by hand.
I want to be sure I can overwrite the MBR with what I want and not affect booting an encrypted Windows.
After that I will search for something similar for all the Linux OS I have installed... that is more madness since I do not want to reinstall them, nor a clone/restore process; I want in-line encryption like VeraCrypt does on Windows... also the ability to pause and resume system partition encryption.
Yes, with VeraCrypt / TrueCrypt you can shut down Windows in the middle of the process of encrypting by deferring it to the next boot, so part of the partition is encrypted and the other part not; then on tomorrow's boot, while you use it, it continues doing the rest of the pending encryption.
All I saw on Linux LUKS, you are forced to destroy the partition data (the whole system) prior to restoring the previous clone (that also must have been done in offline mode), so not only one time offline to encrypt, also two times more, one to back up the system / partition and one more to restore it after encryption. Why does Linux not offer in-line, on-line system partition encryption? I mean no off-line for any second while converting a non-encrypted Linux to an encrypted /?
And in such case, since the /boot folder is a folder inside / on each Linux, how can it load if encrypted? No way in Linux to do it, since all I read needs /boot as a partition and non-encrypted.
I want to encrypt 100% of the disk (I can put /dev/sda33 on a USB and not encrypt it, but I have no knowledge of that yet) since I can not be sure where and what all the apps in the world save their data... just to say, I saw a modern free word processor that in case of a crash, when re-launched, presents to you the last words you typed prior to the crash although I had not even saved the document at any time, so where did it store such data? On the same path as the main app executable? On /var? On the SWAP? Or where? No one can know if the source code is not free! Etc. Paranoid? No, it is just that I am a developer and know a lot of bad tactics that are done, worse if on Windows, most developers write data in the exe folder since there you have no problems with permissions, etc... I hate that!
If the HDD is not encrypted at 100% it makes no sense to encrypt anything, plain data could go to a non-encrypted part of the disk, not to talk about SSDs and their internal block re-map, you can not overwrite the same block till all the rest of the free blocks get written, since it re-maps internally by hardware and carries a count of how much a block has been written.
That in mind: encrypt all and after that fill all free space with encrypted data (random based).
Worse: In forensic labs they can recover near 50 or more previous states of each bit, so just overwriting is not enough, need to do a 128 overwrite pass with special patterns, to ensure data is not there, and such done on 100% of the disk, not just a partition boundary, etc.
SSD logical blocks for a partition can really be in any place of the SSD, so blocks of one partition can be between other partitions, etc... that is called internal re-map and its main objective is to enlarge life (write cycles).
With all this in mind I tend to use Virtual Machines with their virtual disk on a 100% (/dev/sdf) encrypted... yes I do not put a partition scheme (I do not do fdisk /dev/sdf) on the disk, I do a mkfs.ext4 directly on the block device (/dev/sdf), then I create file containers on it, then I mount such as read-only and mount such files as read/write (hooked), so I can write the blocks, but not touch the filesystem that holds them; sorry, this is not for novice people, since /dev/sdf is a read-only ext4 partition that hooked lets you write in the blocks that a file owns... file containers must be of fixed size, etc., a lot of work to get it to work, not to mention that you need an ext4 hooked filesystem and kernel recompile, etc... too much work for a novice!
You can't encrypt when the other OS is Linux. When I choose non-Windows bootloader, the program says that it will be (almost) impossible.
Hi,
One piece of information. There is no possibility to encrypt the whole drive using the multi-boot option. You can use multi-boot only in the case of Windows partition encryption. You can check this. After this please update the instructions. Thanks for a very good instruction. It is helpful to propagate data encryption.