Finally - Windows disk encryption with GRUB working!
Ok, so I'm a big fan of DriveCrypt from SecurStar... Particularly the Plus Pack which includes full disk encryption. I've tried CompuSec which worked pretty well, but back when I tried it, it was full disk or nothing... So you couldn't dual boot. I've also recently tried PGP whole disk encryption which also works well and will let you encrypt by partition.
However, I've only ever been able to get a dual boot working with DriveCrypt using LILO, as LILO keeps its entire code in the actual MBR. I would install Windows... Then LILO... Then add the encryption boot auth and it would wrap everything up. The kicker would be when I updated a kernel or made some other change to LILO: POOF! It would wipe out my boot authentication for the Windows disk encryption and there would go my ability to authenticate in order to read the data. So a complicated process would ensue of adding back the boot auth MBR each time LILO would update. Pain in the ass.
So I gave up for a while and started using GRUB and I loved the fact that once GRUB wrote the MBR, it never touched it again.... I could mess with kernels and other junk to my heart's content and never have to worry about re-writing the MBR. However, the catch comes with the little gray area after the first sector (MBR) of the first track... Typically this is not used, and the first actual data that the system will allow to be used for regular storage is the beginning of the second track. However, programs like GRUB, encryption apps and other things that create fancy or complicated boot loaders know this and take advantage of it. DriveCrypt and just about every other disk encryption software out there uses this area of the disk to store additional data for the boot authentication process. And of course GRUB likes to use this area for its stage 1.5.
So at long last, after trying many different scenarios... i.e., having the Windows boot.ini load Linux, trying to get LILO in the MBR to load GRUB on the first sector of the boot partition (even though this seems like it would work, it doesn't), I stumbled across a site that actually laid out a functioning way to handle things.
The quick summary is as follows:
1. You load Windows and you load your boot authentication stuff.
2. Boot up into a Linux live CD and dd the boot auth MBR to a USB drive.
3. Load Linux as usual which will install GRUB on the MBR and kill the boot auth MBR.
4. Boot into your Linux side, tell GRUB to install stage1 in the MBR and to install stage2 directly to your /boot drive in Linux. This essentially tells GRUB to ignore stage 1.5 and go directly to stage 2. This allows you to keep your encryption boot auth data in that area after the first sector of the first track on the disk.
5. Finally copy the boot auth MBR into your /boot dir and create an entry in your menu.lst to point to the boot auth MBR which will then point back to the first encrypted disk and boot up.
Now I had to tweak the directions on the original site as I like to run XFS for my main drive which usually requires me to make a little 200-300MB /boot with ext3. So here are the details... They are on the original site, but on the off chance that the site goes away, I want to document it here as it took a hell of a long time to figure it out....
So after you have Windows loaded and your encryption software is fully set up and the disk encrypted... Boot into your favorite Linux live CD, pop in a USB drive and run the following:
dd if=/dev/hda of=/mnt/usb/dcpp.mbr count=1 bs=512
Of course substitute the source drive you are working with for "if" and the output path for "of".
Once you've made this backup copy of your boot auth MBR, install Linux as normal and let it install GRUB on the MBR.
Boot up into your new Linux install and run "grub" to go into interactive mode. Then enter the following:
grub> install (hd0,1)/boot/grub/stage1 (hd0) (hd0,1)/boot/grub/stage2 0x8000 p
Edit the drive and partitions as necessary for your system. But you want to point it to whatever drive has your /boot on it.
Now the catch I ran into that took a minute to figure out is that I have my /boot on a separate partition, and therefore the path is slightly different. I had to issue the following command:
grub> install (hd0,1)/grub/stage1 (hd0) (hd0,1)/grub/stage2 0x8000 p
As you'll note, the /boot is missing, as my /dev/sda2 is mounted directly as /boot, so the paths to stage1 and stage2 are just /grub/stageX.
Next you'll need to copy the boot auth MBR from your USB to /boot.
Once that's there, you just have to add a section into your /boot/grub/menu.lst to point to the boot auth MBR in /boot as follows:
title Windows XP Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,1)/boot/dcpp.mbr
boot
Again, I had to remove /boot from the chainloader path as I mount it directly. Anyway, now you can boot up to GRUB, then boot Windows and it will use the copy of the boot auth MBR. It works great and now I have the freedom to mess with my kernels and whatnot without a big hassle.
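As an added example (not from the original post, and not DriveCrypt's or GRUB's own code), here is a small shell helper that checks the dd'd boot auth MBR copy is really one 512-byte sector ending in the 0x55 0xAA boot signature that GRUB's chainloader requires, and prints the matching menu.lst stanza for it. The file name dcpp.mbr and the (hd0,1) device are assumptions taken from the setup above.

```shell
#!/bin/sh
# Added example, not part of the original post: validate a backed-up
# boot auth MBR before chainloading it from GRUB, and emit the stanza.

# Return 0 if FILE is exactly one 512-byte sector whose last two bytes
# are the 0x55 0xAA boot signature; otherwise return 1.
check_mbr_image() {
    file="$1"
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq 512 ] || return 1
    # read bytes 510 and 511 as hex, e.g. "55aa"
    sig=$(dd if="$file" bs=1 skip=510 count=2 2>/dev/null \
          | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print a GRUB legacy menu.lst stanza that chainloads the MBR image.
# $1 = GRUB device holding the image (e.g. "(hd0,1)"), $2 = path on it
# (use "/dcpp.mbr" when that partition is mounted directly as /boot).
menu_entry() {
    printf 'title Windows (DriveCrypt boot auth)\n'
    printf 'rootnoverify (hd0,0)\nmakeactive\n'
    printf 'chainloader %s%s\nboot\n' "$1" "$2"
}

# Constructed sample image (stands in for the real dd output): 512 zero
# bytes with a valid 0x55 0xAA signature written at offset 510.
make_sample_mbr() {
    out="$1"
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    printf '\125\252' | dd of="$out" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

Run check_mbr_image against the real /boot/dcpp.mbr after copying it from the USB stick; a truncated or wrong-offset dd will fail the size or signature test before GRUB ever tries to boot it.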
Enjoy...
Joshua