Truecrypt

xm
2008-08-06
2013-04-26
  • xm

    xm - 2008-08-06

    Can Truecrypt (http://www.truecrypt.org) bootloader / system encryption coexist with the mbldr?

     
    • Arnold Shade

      Arnold Shade - 2008-08-07

      Dear xm,

      I have not tried Truecrypt. I would appreciate if you try and report back the result. In theory it should work. There are few links I have found on the similar topics that can be interesting:

      http://www.boot-land.net/forums/index.php?act=Print&client=printer&f=66&t=5274
      http://freed0m.org/forum/index.php?topic=20.msg124

      Best regards,
      Arnold Shade

       
      • xm

        xm - 2008-08-07

        Yeah, I have found these by Google too, but e.g. the boot-land.net one talks about the Truecrypt bootloader in the MBR (so obviously incompatible with the mbldr). Personaly I think that this is not true - according to the the Truecrypt documentation theirs bootloader occupies some space at the end of the boot-sector and not the MBR(?)

        I have not tried such combination (mbldr + Truecrypt boot loader / system encryption) yet, so if there is someone willing to share a practical experience...

        Bye
        Ondrej

         
        • Arnold Shade

          Arnold Shade - 2008-08-07

          Dear Ondrej,

          I may try to set-it up by today in my vmware session under Win2k.

          Best regards,
          Arnold Shade

           
        • Arnold Shade

          Arnold Shade - 2008-08-07

          Encryption of system partition is not supported under Win2K, so I have tried WinXPSP2. TrueCrypt was successfully installed (I have encrypted primary system partition, not the whole drive), but after mbldr installation then it failed to load. Most probably it is needed to play with TruCrypt's settings "1 or 2 operating systems installed" and "native or 3rd party boot loader".

           
          • xm

            xm - 2008-08-07

            Many thanks for the testing, I am going to setup my production laptop someways (multi-boot 2xXP/Vista/Linux with the mbldr as the "isolating" boot manager, all systems at its own primary partition) and I am looking for a solution how to apply the Truecrypt system encryption (they really speed up the AES256 in the latest version on multiple CPU, so the encrypted disk speed does not bother me anymore!) on one of them.

            > Encryption of system partition is not supported under Win2K,
            ---------
            ah, I forgot to say that, sorry, hope you did not spend a lot of time with the W2K, newer Truecrypt builds with the system disk encryption ability does not support the W2K

            > ...TrueCrypt was successfully installed (I have encrypted primary system partition, not the whole drive)
            ----------
            yes, that is exactly what I am looking for

            > ...but after mbldr installation then it failed to load. Most probably it is needed to play with TruCrypt's settings "1 or 2 operating systems installed" and "native or 3rd party boot loader".
            ----------
            so, Truecrypt DOES touch the MBR somehow, how unwelcome

             
            • Arnold Shade

              Arnold Shade - 2008-08-20

              Dear Ondrej,

              Suddenly an idea came to my mind. Mbldr may be able to deal with the configurations where MBR is needed by other software like TrueCrypt by chainloading. "Old" MBR produced by TrueCrypt can be stored somewhere on a first track (sectors between 2 and 63 on track #0) on cylinder #0. If then this sector is referenced by mbldr (stored in MBR), chainloading may function correctly. What is your opinion?

              Best regards,
              Arnold Shade

               
              • xm

                xm - 2008-08-20

                I like that idea, indeed, but there is a possible catch - if the Truecrypt system encryption uses the same area (and I know that it does have some code in the first cylinder of the boot drive) then how we ensure to not overwrite each other?

                Anyway I am willing to be a tester if you decide to give it a try.

                 
                • Arnold Shade

                  Arnold Shade - 2008-08-20

                  Yes, Truecrypt (and others) can use the same area. I suggest to warn a user if movement of "old" MBR contents is done to a non-empty sector (not filled by zeroes). In fact mbldr installation program may look through the available sectors and find for an empty one.

                  Before implementing this approach I will try to do the same thing manually by patching MBR in hex-mode and copying sectors in the disk-editor. Today I have installed TrueCrypt on my vmware session (yes, again :-)). Tomorrow I try to do the rest. Hope to be able to report results back soon. If we are lucky to have a working "manual" sample I may then implement the generic approach in mbldr (not sure it can be done quickly).

                   
                  • xm

                    xm - 2008-08-20

                    promising conception, I am very curious about the results...

                     
                  • Arnold Shade

                    Arnold Shade - 2008-08-21

                    It works fine. I have done the following:

                    1. Installed Windows XP SP2 with only one hard disk and only one NTFS system partition on vmware
                    2. Installed TrueCrypt and encrypted system partition. Rebooted several times. The MBR was updated by TrueCrypt
                    3. Using TinyHexer I found first unused sector on a first track (actually track #0, cylinder #0). There are only 63 sectors, the first available (completely filled by zeroes) which was found has a number #28 (I used #30 which was empty as well)
                    4. I copied sector #1 (the very first sector in the disk has a number of #1, not #0) to sector #30 with a help of TinyHexer. Partition table was copied of course too.
                    5. Checked that TrueCrypt is still able to boot my system, the sector #30 is not overwritten at boot time, so it is a safe copy.
                    6. Installed mbldr adding one primary partition to its configuration. The option controlling partition hiding was switched off (no hiding)
                    7. Can't reboot until further manual changes are done:
                    7.1 Using TinyHexer correct value at offset 0x171 (it was a first byte right after boot menu). The offset may vary depending on the contents of boot menu, but it represents the offset of the partition to boot from. Old value was 0x3F (the boot record of first and the only partition). I have corrected it from 0x3F to 0x1E (what is a decimal 30 representing a number of chainload-sector to use).
                    7.2 The second change should be to disable the functionality of marking partitions active/inactive. Without this change the NTFS partition becomes inactive (mbldr marks because the offset has been modified from 0x3F to 0x1E). So we fill two bytes responsible for marking to NOP-opcodes. Here are they: offset 0x97 - from 0x88 to 0x90; offset 0x98 - from 0x04 to 0x90.
                    8. Save the changes in TinyHexer and finally reboot.
                    9. Mbldr will appear first, then TrueCrypt.

                    Not sure how other operating systems may coexist with the options "not to hide other primary partitions" and "not to mark active/unactive partitions" in case of multi-boot. Probably you may spend some time to check.

                    P.S. I am now leaving for vacation for a week with a half, so talk to you later in September.

                    Cheers,
                    Arnold Shade

                     
                    • xm

                      xm - 2008-08-21

                      I propose to name this as "chainloading anywhere" ;-)

                      I will have to re-read your results few times and think about it, but if such ability will be secured and extended to multi-booting, it will be a great achievement, no doubts.

                      Have a good time, see you then
                      Ondrej

                       

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks