
How to make friends with Truecrypt loader and Grub 2?


Today I will tell you how to make the boot loader of the TrueCrypt encryption program and the *nix boot loader Grub 2 get along. Such a need may arise (and inevitably does arise) when you try to install, on a single hard disk, both Windows encrypted with the free TrueCrypt program and a unix-based operating system, for example Ubuntu.



The main problem is that Grub does not know how to work with TrueCrypt keys and cannot decrypt the Windows partition, while the TrueCrypt loader does not [always] know how to boot other operating systems. There are two main approaches to solving the problem.



Approach one. The TrueCrypt bootloader is in the master boot record (MBR)




In principle, this option should work out of the box (because the TrueCrypt boot loader can hand off booting to other boot loaders on other partitions of the hard disk) and should not require any extra steps from the user, but there are several pitfalls.



The problems are mainly due to the fact that the Windows 7 operating system creates a small 100 MByte boot partition for itself (it is required for BitLocker encryption), and in that situation TrueCrypt refuses to install the multi-boot loader out of the box when encrypting the system partition... At least this is the behaviour of TrueCrypt version 7.1a. So you have to install the regular TrueCrypt loader, which looks like this:

[image: TrueCryptBootLoader]




As you can see, you can decline to enter a password by pressing the Esc key. In this case you are shown a list of the partitions on the hard disk to which control can be handed for further booting.

[image: TrueCryptBootLoader's partitions]




The pitfall is that the Linux /boot partition is not always present in this list. For it to appear there, several conditions must be met: the *nix boot partition must be a primary partition (not part of an extended partition), must have the "bootable" flag set, and must itself carry a boot loader to which control can be transferred.



The first two conditions are straightforward, and if you are installing, say, Ubuntu, you can partition the hard disk correctly right away; the last condition, however, can cause difficulties. The thing is that Grub version 2 does not like being installed anywhere other than the MBR, because in that case it relies on a mechanism that is not fault-tolerant, and the bootloader is likely to "fly off" from time to time. You will see a message about this when you run the bootloader installation command. To make it succeed, you must use the "--force" option:

sudo grub-install /dev/sda6 --force 


where /dev/sda6 is the /boot partition of your Ubuntu.



Algorithm



Thus, the whole sequence of installation and configuration can be described as follows:

  1. Install Windows
  2. Install Ubuntu, creating a /boot partition for it on a separate primary partition with the "boot" flag set
  3. Boot into Ubuntu and install Grub into the /boot partition (as described above)
  4. Reboot into Windows, install TrueCrypt, encrypt the system partition


Now the TrueCrypt bootloader is in the MBR.





Troubleshooting



In some cases, Ubuntu may overwrite the bootloader in the MBR with Grub, and you will lose the ability to boot Windows. To guard against this, create a backup copy of the loader and of the keys needed to decrypt the system disk.



Create a backup:

 dd if=/dev/sda of=~/truecrypt.mbr count=1 bs=512
 dd if=/dev/sda of=~/truecrypt.backup count=8 bs=32256




Restore from the backup in case of failure (where /dev/sda6 is your /boot partition!):

 sudo dd if=~/truecrypt.mbr of=/dev/sda count=1 bs=512
 sudo dd if=~/truecrypt.backup of=/dev/sda count=8 bs=32256
 sudo grub-install /dev/sda6 --force




Approach two. The Grub 2 bootloader is in the master boot record (MBR)



But how do you hand control to the TrueCrypt loader from Grub 2? One could save the loader and keys to a file and try to transfer control to that... One could use the TrueCrypt Rescue CD iso if Grub 2 could boot iso images the way its younger brother Grub4Dos does (and it can't mount the iso file system..). I was already quite desperate in my search when I suddenly came across a rather simple and elegant solution.



Thanks to the wonderful people developing the "Grub2 loves TrueCrypt" project, it is possible to convert the TrueCrypt bootable rescue iso image into a format that Grub2 can work with.



So, install git to clone the grub2tc repository, as well as ruby, which the program needs to run:

 sudo -i
 apt-get install git ruby
 git clone git://gitorious.org/grub2tc/grub2tc.git




After that, copy the "TrueCrypt Rescue Disk.iso" image into the program's folder and rename it to "tcrescue.iso". Then run the command

 make 




The file "tcloader" will appear in the folder; copy it to /boot.



Now it remains to edit the bootloader menu so that a TrueCrypt boot entry appears in it. Add to the /etc/grub.d/40_custom file:

 menuentry "Windows via TrueCrypt" {
     insmod multiboot
     multiboot /tcloader
 }




Then we execute:

 update-grub2
 grub-install /dev/sda


where /dev/sda is your hard disk.



Now another important point. The last command (when you reinstalled Grub into the MBR of the hard disk) most likely damaged the TrueCrypt keys needed to decrypt the system partition. From now on, when you try to enter the password you will get the message "Incorrect password". To fix this, restore the keys from the backup file that grub2tc thoughtfully created for us in its directory, volhead:

 dd if=volhead of=/dev/sda bs=512 seek=62

where

if=volhead - the file where the backup keys are stored

of=/dev/sda - the device to which this backup is written, sector by sector

bs=512 - block size

seek=62 - how many blocks to skip from the beginning of the device /dev/sda (the Grub loader lives there)
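As an added example (not code from the post or from grub2tc), the following POSIX shell script turns the backup and restore dd commands of both troubleshooting sections into a checkable routine: it dumps sector 62, compares it with the volhead backup so you can tell before rebooting whether grub-install clobbered the keys, and writes the backup back. The tc_* function names and the constructed marker are mine; it assumes volhead is a single 512-byte sector.

```shell
#!/bin/sh
# Added example, not code from the original post or from grub2tc. It checks
# and restores the TrueCrypt volume header that the post writes back with
# "dd if=volhead of=/dev/sda bs=512 seek=62": the keys live in sector 62,
# where a Grub 2 install to /dev/sda can overwrite them. Works on a block
# device or on a disk-image file, so the flow can be rehearsed on a file.
# Assumption: volhead is the single 512-byte header sector.
set -eu

TC_HEADER_SECTOR=62   # sector holding the TrueCrypt keys (seek=62 in the post)
SECTOR=512

# Copy the key sector from a disk (or image) into a file.
tc_dump_header() {    # $1=disk  $2=output file
    dd if="$1" of="$2" bs=$SECTOR skip=$TC_HEADER_SECTOR count=1 2>/dev/null
}

# Returns 0 if the on-disk sector matches the backup, 1 if it was clobbered
# (the "Incorrect password" situation after grub-install /dev/sda).
tc_header_intact() {  # $1=disk  $2=volhead backup
    tmp=$(mktemp)
    tc_dump_header "$1" "$tmp"
    if cmp -s "$tmp" "$2"; then rm -f "$tmp"; return 0; fi
    rm -f "$tmp"; return 1
}

# Write the backup back to sector 62 (the post's dd) and re-check it.
# conv=notrunc keeps the rest of an image file intact; harmless on a device.
tc_restore_header() { # $1=disk  $2=volhead backup
    dd if="$2" of="$1" bs=$SECTOR seek=$TC_HEADER_SECTOR count=1 conv=notrunc 2>/dev/null
    tc_header_intact "$1" "$2"
}

# Rehearsal on a constructed 64-sector image: plant a marker in sector 62,
# back it up, clobber it as grub-install would, detect, restore, re-check.
tc_rehearse() {
    img=$(mktemp); vh=$(mktemp)
    dd if=/dev/zero of="$img" bs=$SECTOR count=64 2>/dev/null
    printf 'CONSTRUCTED-TC-HEADER' |
        dd of="$img" bs=$SECTOR seek=$TC_HEADER_SECTOR conv=notrunc 2>/dev/null
    tc_dump_header "$img" "$vh"                   # this is our "volhead"
    dd if=/dev/urandom of="$img" bs=$SECTOR seek=$TC_HEADER_SECTOR count=1 \
        conv=notrunc 2>/dev/null
    before=$(tc_header_intact "$img" "$vh" && echo intact || echo damaged)
    tc_restore_header "$img" "$vh"
    after=$(tc_header_intact "$img" "$vh" && echo intact || echo damaged)
    rm -f "$img" "$vh"
    echo "$before $after"
}
```

On a real disk, run tc_header_intact /dev/sda volhead as root right after grub-install; if it reports damage, tc_restore_header /dev/sda volhead is the same write the post performs.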



Now you can boot!



Algorithm



Thus, the whole sequence of installation and configuration for this method can be described as follows:

  1. Install Windows
  2. Install Ubuntu
  3. Reboot into Windows, install TrueCrypt, encrypt the system partition
  4. Somehow boot Ubuntu :) (for example, from a bootable flash drive / disk) and perform the manipulations described above using the grub2tc program


Now we have the Grub2 bootloader in the MBR.





Troubleshooting



If the TrueCrypt loader for some reason stopped recognizing your password (the keys are damaged), they can always be restored from the backup in the grub2tc folder with the command:

 dd if=volhead of=/dev/sda bs=512 seek=62 




PS



Both methods can be used together with Linux dm-crypt and LVM encryption, which lets you have both operating systems fully encrypted :)

Source: https://habr.com/ru/post/150209/


