Truecrypt Windows system encryption and Linux/Unix

This document describes how to set up a multiboot system with a system-encrypted Windows partition and Linux (or any other OS). Please note that you cannot use whole-drive encryption (only system partition encryption).

Although the truecrypt 1.6 documentation says it is not possible, it works. I use it on many computers. Caution: If you do not understand any of the commands below, please do not attempt to follow these instructions. In any case, it is highly recommended to have a burned truecrypt system rescue CD and as many backups as possible. You've been warned. Don't blame me for losing any data.

This guide assumes you have already installed TC system encryption and that the system boots through the truecrypt loader into Windows. Other OSes may be installed, but are not yet bootable.

Backup of first track

All essential data is stored in the first track of your system hard drive. A backup can be made using:
dd if=/dev/sda of=track0.bin bs=512 count=64   # (Linux)
dd.exe if=\\?\Device\Harddisk0\DR0 of=track0.bin bs=512 count=64   # (Windows)
Sector 0 contains the truecrypt loader, sectors 1-62 contain the truecrypt resident boot-time decryptor (two mirrored copies), and sectors 63 and 64 contain the mirrored truecrypt system volume header. This header is encrypted and contains the keys for system volume decryption.

To simplify installation, also create two other files:

dd if=/dev/sda of=tc-mbr.bin bs=512 count=1 skip=0   # (Linux)
dd if=/dev/sda of=tc-code.bin bs=512 count=61 skip=1   # (Linux)
dd.exe if=\\?\Device\Harddisk0\DR0 of=tc-mbr.bin bs=512 count=1 skip=0   # (Windows)
dd.exe if=\\?\Device\Harddisk0\DR0 of=tc-code.bin bs=512 count=61 skip=1   # (Windows)
You should see the 0x55aa mark at the end of tc-mbr.bin and two mirrored sections in tc-code.bin. For your convenience you may also wish to back up the headers (skip=62 count=2).

Linux installation

Once you have the above files saved on a safe disc (e.g. USB flash, network share, etc.), you can install Linux. If you already have Linux installed and it is just not accessible (because the truecrypt loader boots straight into Windows), proceed to the next section. Please note that the Linux installation will prevent you from booting into Windows until you have finished the steps below!

Installing it

  1. Boot a Linux recovery CD.
  2. Mount your root partition and /boot (if there is a separate one) under /mnt (/mnt/boot).
  3. Copy tc-mbr.bin to /mnt/boot/tc-mbr.bin
  4. Add a new section to /mnt/boot/grub/menu.lst (or grub.conf), where (hd0,X) is the partition that holds /boot/tc-mbr.bin:
     title Boot Win (truecrypt)
     root (hd0,X)
     chainloader /boot/tc-mbr.bin

  5. If the truecrypt track0 code was overwritten by the Linux installation, recover it using:
     dd if=tc-code.bin of=/dev/sda bs=512 seek=1

     The grub setup command usually overwrites the first track with stage1.5.

     If you are unsure, you can skip this step and repeat it if truecrypt turns out to have been overwritten.

  6. Reinstall grub:
     grub-install --root-directory=/mnt /dev/sda


Try booting

Now try to reboot. Both Linux and the truecrypted Windows should boot. If you get "GRUB" printed all over the screen, stage1.5/stage2 is not properly installed and you will have to do step 6 once more. If truecrypt shows any error message, tc-code.bin was not properly written to the first track (repeat step 5).
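The following script is an added example and not part of the original guide; it turns the two checks the guide describes by hand into something repeatable: the 0x55aa mark at the end of tc-mbr.bin (backup section) and, for step 5, whether sectors 1-61 of the disk still match tc-code.bin, so you know before rebooting whether the grub install clobbered the truecrypt loader. File names follow the guide; the function names, the option of passing a disk image instead of /dev/sda, and the restore helper with conv=notrunc are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the first-track
# backup files and compare them against a disk or disk image so you can tell
# whether the loader area was overwritten before deciding to repeat step 5.
# File names follow the guide; function names and the image parameter are
# this example's own assumptions.

# tc-mbr.bin must be exactly one sector and end with the 0x55 0xAA boot signature.
check_mbr() {
    mbr="$1"
    size=$(wc -c < "$mbr")
    if [ "$size" -ne 512 ]; then
        echo "$mbr: expected 512 bytes, got $size" >&2
        return 1
    fi
    sig=$(dd if="$mbr" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "$mbr: missing 0x55AA boot signature (got '$sig')" >&2
        return 1
    fi
    return 0
}

# Print the sector numbers (1..61, as on the disk) where the disk or image
# differs from tc-code.bin. cmp -l reports 1-based byte offsets of differing
# bytes; each offset is mapped to its sector and printed once.
differing_sectors() {
    disk="$1"; code="$2"
    dd if="$disk" bs=512 skip=1 count=61 2>/dev/null \
      | cmp -l - "$code" 2>/dev/null \
      | awk '{ s = int(($1 - 1) / 512) + 1; if (!(s in seen)) { seen[s] = 1; print s } }'
}

# Return 0 when sectors 1-61 of the disk/image still match tc-code.bin,
# 1 (listing the damaged sectors on stderr) when the loader area was overwritten.
check_code() {
    disk="$1"; code="$2"
    size=$(wc -c < "$code")
    if [ "$size" -ne 31232 ]; then     # 61 sectors * 512 bytes
        echo "$code: expected 31232 bytes, got $size" >&2
        return 1
    fi
    bad=$(differing_sectors "$disk" "$code")
    if [ -n "$bad" ]; then
        echo "loader area overwritten in sector(s): $(echo "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Write tc-code.bin back to sectors 1-61 (the guide's step 5). conv=notrunc
# matters when the target is an image file: without it dd would truncate the
# file right after sector 61. On a real block device it is harmless.
restore_code() {
    disk="$1"; code="$2"
    dd if="$code" of="$disk" bs=512 seek=1 conv=notrunc 2>/dev/null
}

# Usage: sh tccheck.sh /dev/sda tc-mbr.bin tc-code.bin
if [ "$#" -eq 3 ]; then
    check_mbr "$2" && check_code "$1" "$3" && echo "first track matches backup"
fi
```

Run it from the recovery CD after step 6 (or after any grub-install): a clean result means step 5 can be skipped, a list of sectors means the loader area has to be restored from tc-code.bin. Because it only reads the disk, it is safe to run as often as you like; only restore_code writes.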

Related links


Copyright (c) 2009 Martin Hinner, martin.hiner.info