
Multiple operating system and full disk encryption

2016-11-05
2018-10-29
  • swietymikolaj

    swietymikolaj - 2016-11-05

    Hello,

    I have just bought and installed a Crucial MX300 2.5-inch SSD 1050 GB (http://forum.crucial.com/t5/Crucial-SSDs/Multiple-operating-system-and-full-disk-encryption/td-p/176738) and I would like to install two operating systems on it, i.e. Windows and Linux. There may be further reinstallations of operating systems, and I know that Crucial supports hardware encryption. However, their tutorial requires the use of BitLocker (http://forum.crucial.com/t5/Crucial-SSDs/An-Overview-and-Setup-of-Hardware-Encryption-on-Crucial-SEDs/ta-p/145520), so I thought that it may be easier to do with VeraCrypt. Moreover, I couldn't find any entry for "full disk encryption" in your VeraCrypt User Guide.pdf, and page 31 (System Encryption) is too general.

    How can I use VeraCrypt to encrypt the entire drive with the ability to add or remove operating systems after encryption?

    Thank you!

    PS I have found in your documentation "To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions in the wizard", but there is no menu element 'System' at all when I open VeraCrypt installed in RAM on a running LiveCD.

     

    Last edit: swietymikolaj 2016-11-05
  • blip

    blip - 2016-11-05

    You gotta be kidding me.

    I was writing an essay and then my touchpad messed up and changed the page.

    I lost my essay ;(.

    Does this damn forum create and backup drafts?

     
  • blip

    blip - 2016-11-05

    Short answer is no. But you can still use encryption. How? That was in my essay, dammit.

     
  • swietymikolaj

    swietymikolaj - 2016-11-05

    Yeah whenever I write longer messages on forums, just in case I copy them to clipboard from time to time or even make a quick copy in notepad if it's really long. Try to imagine how irritated I was when I noticed that some applications even clear content of the clipboard for whatever reason.

    Can you, please, at least provide me some links or keywords so that I can guess what your solution is about :-)?

    I'm disappointed by Lenovo too because it looks like I can only use hardware encryption with very short passwords. Details here: http://forum.crucial.com/t5/Crucial-SSDs/Multiple-operating-system-and-full-disk-encryption/m-p/176745/highlight/false#M52851

    Thanks

     
  • blip

    blip - 2016-11-05

    Hmm. First question to ask is if your copy of Windows, I assume Windows 10, is installed on an MBR partition table or on a GPT partition table? Veracrypt and Truecrypt as well can only encrypt Windows installations that are on MBR Partition Tables - it's an older and more supported standard.

     
  • swietymikolaj

    swietymikolaj - 2016-11-05

    This is a brand new disk, so nothing is installed. I want to install Windows 7 or 10 and Linux (e.g. Debian x64) there. I know that dm-crypt + LUKS make a lot possible, but I have little experience with that.

    I would even consider installing Debian with the Xen Hypervisor and just virtualising all machines (with hardware virtualisation) as needed, but that may also be beyond my abilities to properly configure with encryption (which would be great to easily add and remove any OS I want or to run two systems simultaneously, but for that I would need to know how to properly set up all the partitions and whatever additional configuration is needed).

     

    Last edit: swietymikolaj 2016-11-05
    • blip

      blip - 2016-11-05

      If you have minimal experience with Linux, I would highly advise against Debian. Something like Linux Mint would be more suitable. As for Desktop Environment, try out MATE and Cinnamon. Choose which one you like most, though the other environments have their advantages as well.

       
    • blip

      blip - 2016-11-05

      And I'm pretty sure that means you have a GPT disk.

       
  • blip

    blip - 2016-11-05

    First I'll address your issue head on.
    You cannot install 2 OSes with Veracrypt. You cannot even install Linux. Only Windows. Linux has built-in open source encryption software, which I trust. I believe it's called LUKS.

    There are two ways to encrypt Windows installations with Veracrypt:
    1) Whole disk encryption – encrypting the whole drive and anything in it. This would render any Linux installations/partitions you may have unbootable. Not possible if you want to install Linux.
    2) Single partition encryption. This way, only your Windows partition will get encrypted.
    Both ways would overwrite the MBR on your drive. If you are using GRUB or any other Linux bootloader, it will get overwritten.

    Honestly, I think it's easier to just reinstall Linux after you have encrypted Windows – unless your Linux bootloader was installed to the very partition where Linux was installed and not to your MBR. If this is the case, you don't need to worry about it. It will boot fine after Windows has been encrypted. You just need to press Esc at the Pre Boot Authentication screen.

    If you are to go for single partition encryption (for the Windows OS, that is), you can then go about installing Linux. But remember that by this point Veracrypt has saved a new bootloader to the MBR. Make sure you do NOT overwrite this when installing Linux! You can accidentally overwrite it during the Linux install process by telling Linux to save the Linux bootloader to the SSD/to the drive. MAKE SURE YOU TELL IT TO SAVE THE LINUX GRUB BOOTLOADER TO THE PARTITION WHERE YOU ARE INSTALLING LINUX. Sorry for shouting in here. So to clarify, you can install the bootloader to the drive, or to the partition inside the drive where Linux is being installed. You will see this option at the bottom of the window when you are on the drive/partition screen. You need to select "something else" on the "installation type" screen.

    If you use a Linux OS which is easy to use, like Linux Mint, its install process is pretty easy and simple; however, the ONLY way to encrypt your Linux OS EASILY is to format the whole drive in the process. So that excludes encrypting the OS. You can however encrypt the Home folder, where Linux saves all your personal files. Though I'm too uncomfortable with not installing the OS files. So I formatted the whole disk and installed and encrypted Linux, using Windows in a Virtual Machine (VM). More on that later.

    I THINK it is possible to encrypt the Linux OS when you already have a Windows partition installed. I was trying this out last year and gave up. It requires using the terminal and my terminal skills weren't quite there yet and I didn't know how to do it. I still don't know. At some point since, I gave up on trying to install Linux and Windows encrypted side by side and used an unencrypted Windows VM inside an encrypted Linux instead. In Linux, you have your home folder which you can use to encrypt but as with Windows, you can also choose to encrypt your personal files with Veracrypt - your choice where you choose to save your files but you will still need a Home folder - the only way to encrypt that one would be via Linux's built in software.


    My first suggestion is to do what I did.
    I got sick of having 2 OSes on my computer and worrying about backing up stuff. Because Windows took more space on my SSD, it meant a complete backup of my Windows installation took up 150GB of data (or however large my partition was).
    On my laptop, I now use Virtual Machines inside Linux. I have an i3 processor and the performance of the VMs is bearable. I also have 8GB of RAM, making VMs possible for me.
    So I now only have 1 OS on my laptop: Linux Mint Cinnamon. I primarily use Linux as it is, as a desktop OS for all my browsing and data storage but I do need Windows 10 for work - primarily to use Word. I bought a retail copy of Windows 8.1 Pro Student for £50 when Microsoft was desperate for 8.1 sales. It was literally just 8.1 Pro but discounted. When W10 came out, it turned into a W10 Pro copy - meaning that I can delay Windows updates thank God.
    So anyways, the advantage of having Windows in a virtual machine is that if I want to install any risky Windows software, I can by:
    1) Cloning the VM
    2) Severing internet access to the VM via VM software, e.g. VirtualBox
    3) Severing any access to the host OS - remove any associations such as shared folders and remove VM access to any USBs inserted. Note: your OS permission settings need to be tweaked to give VirtualBox or any other software direct access to a USB drive.
    4) Install the Windows software
    5) Then delete the cloned VM when I am done with it.
    6) Go back to my original copy of Windows.

    This means that I can test the software (provided it doesn't require internet access) without harming the integrity of any of my data AND without risking malware getting access to sensitive details and sending it off to another server.
    None of my data gets changed and nothing gets sent online.

    Moreover, doing all my work in virtual machines means that backing up the entire Windows installation itself becomes considerably easier, as all you need to do is copy the folder where the VM is saved. It takes A LOT less space, maybe just 30GB if you set your VM to dynamically allocate storage - this means your whole VM initially only takes up a few MB but once you save more data to it, it increases in storage. Saves storage space considerably.

    I am now also thinking of reinstalling Linux, turning on the firewall, and having an extra virtual machine for everything Linux related. All of my data from that point onwards would be saved in a virtual disk image - a virtual hard drive. Having a dedicated VM for Windows and Linux AND a virtual storage drive would make me much more secure from malware and make it considerably easier to perform backups!

    One thing I forgot to mention, the other advantage of VM's is that they can be backed up and run on other computers without trouble – provided the state and settings of VirtualBox (or whichever software you choose to use) are the same.

    Windows 10 thankfully during install allows you to skip the product key page and install Windows first. If you do this, once Windows 10 connects to the internet, it tries to verify your copy of Windows with MS' server. If it cannot, you will be able to use Windows for 30 days until Windows bricks itself. If you already had Windows installed, it 'should' (please verify this with Microsoft customer support because you have an OEM copy of Windows not a retail copy - it might not verify your copy) verify and activate your copy of Windows.
    If you do not have a product key and don't want to pay, you do have the choice of subscribing to Windows' Insider Program – you get a full free copy of Windows 10 for that machine and can get more free copies for more PCs by setting up new Microsoft accounts. The catch? You're testing new Windows features so you get newer, more fancy updates and features, but it means that Windows will be less secure and less stable. I'd avoid the program if you can because of that. Either way, I would suggest you install Spybot Anti Beacon if you have an 'actual' copy of Windows 10 or if you use the Insider copy of Windows 10. It preserves your privacy by disabling a lot of Microsoft's data gathering features, but I'm not sure if it will work fully on the Insider version of Windows since the very purpose of that Windows 10 copy is to gather as much of your use of Windows as possible.


    My second suggestion if you want a 'complete' installation of Windows:
    If it is on a GPT, are you willing to reinstall your Windows installation so that it can be installed on an MBR instead? You cannot convert a GPT drive to an MBR drive!

    If you do re-install Windows to an MBR PT, this is the process, starting from the language screen when you boot a Windows USB/ DVD installer:
    Hold Shift and press 'F10' to open the command line
    enter "diskpart"
    enter "list disk" - take a note of your drive's number
    enter "select disk #" - where # is the disk #
    enter "clean" to format drive
    enter "convert mbr" to convert disk to mbr partition table
    enter "exit" twice

    Now go through the installation process until you get to where the disks are located. If you want an unencrypted 100MB boot partition, just go ahead as normal. If, like me, you are uncomfortable with Windows being closed source and hence not knowing what unencrypted data is being written to your 100MB partition, create 1 partition on the drive which takes up all the space and then click next/finish/etc. This way, Windows' installer will be forced to install the system reserved (I think that's what it's called) partition inside the single Windows partition. This way, Veracrypt can encrypt the whole Windows partition. But I believe the 100MB is used to boot Windows. If it gets corrupted, you will not be able to repair it unless you decrypt your whole partition, writing potentially sensitive data unencrypted to your SSD. If you don't encrypt the 100MB (or however large it is under Windows 10 – I think it was 100MB under 8.1) partition, you can repair it at Veracrypt's pre-boot authentication screen and I believe via Windows' USB/DVD installer as well.
    You're trading a possible privacy/ security advantage for convenience.

    Taking several steps back: after you reinstall Windows, you can easily re-partition your copy of Windows – which will (unless you choose to keep the small partition) be on 1 partition only.

    NOTE HOWEVER that I believe verifying your copy of Windows would require a retail copy. I'm not sure it would allow you to reinstall your OS like this because you have a Lenovo laptop/OEM copy of Windows. I might be wrong though. It's worth looking up or asking Microsoft if your reinstalled copy would be verified or not.
    You will also need a copy of the drivers and everything else that the Lenovo laptop came with - ask Lenovo for this but from my experience with their laptops, their customer service is crap.

    If you don't need the performance benefit of a dedicated Windows installation, I would recommend sticking to the VM route. That way, there'll be no need to go through the Windows trouble of encrypting your Windows OS because your VM(s) will be saved inside a drive which would already be encrypted.


    Your third option is to install Windows and encrypt it and then install Linux to a USB or SD Card – this way you can encrypt it using the default option in the GUI Linux installer. It will obviously be slower. You will need your Linux USB to boot your Linux OS and you could have a partition on your SSD for storage only – maybe have a partition on your SSD as your Home folder or make it a Veracrypt-encrypted partition which can be shared between your Windows and Linux OS.
    If your home folder is on your SSD, be careful not to lose your Linux USB though. Or keep it backed up, as should everything be anyways. You lose your Linux OS, you need to follow these instructions inside of a Live CD to access your home folder's data:
    http://www.cyberciti.biz/faq/ubuntu-mounting-your-encrypted-home-from-livecd/

    I hope this thesis helped you out a tonne! Feel free to reply back and ask if something didn't make sense.

    I spent well over an hour on this :D But twas worth it.

    To conclude, the easiest option would be to go the virtual machine route. At least it was for me. Your choice what you want to do :)
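The throwaway-VM procedure in the post (clone, cut the network, cut host access, test, delete) as a script. This is an added example, not code from the thread or from VirtualBox; it assumes VBoxManage is on PATH, that the base VM is named "Win10" and the clone "Win10-throwaway" (all three are assumptions), and uses only VBoxManage subcommands that exist in the 6.x command line (the clipboard option was renamed in VirtualBox 7, as noted in the comment).

```powershell
# Added example (not from the thread): a throwaway VirtualBox clone for testing
# untrusted software, isolated from the network, the host's shared folders and USB.
# Assumes VBoxManage is on PATH and the base VM name below (both assumed).
param(
    [string]$BaseVm = "Win10",            # assumed name of the original VM
    [string]$TestVm = "Win10-throwaway"   # name for the disposable clone
)
$ErrorActionPreference = "Stop"

function New-IsolatedClone {
    param([string]$Base, [string]$Clone)

    # 1) Full clone: the test VM gets its own disk image, so the original is untouched.
    VBoxManage clonevm $Base --name $Clone --register

    # 2) Sever network access: every adapter slot gets the "null" backend.
    foreach ($i in 1..4) { VBoxManage modifyvm $Clone "--nic$i" null }

    # 3) Remove every shared folder the clone inherited (parsed from the
    #    --machinereadable output, keys SharedFolderNameMachineMappingN="...").
    $info = VBoxManage showvminfo $Clone --machinereadable
    foreach ($line in $info) {
        if ($line -match '^SharedFolderNameMachineMapping\d+="(.+)"$') {
            $name = $Matches[1]
            VBoxManage sharedfolder remove $Clone --name $name
        }
    }

    # 4) No USB passthrough, no clipboard or drag-and-drop channel to the host.
    VBoxManage modifyvm $Clone --usb off
    VBoxManage modifyvm $Clone --clipboard disabled     # "--clipboard-mode" on VirtualBox 7
    VBoxManage modifyvm $Clone --draganddrop disabled
}

function Remove-Clone {
    param([string]$Clone)
    # 5) Discard the clone together with its disk image when testing is done.
    VBoxManage unregistervm $Clone --delete
}

New-IsolatedClone -Base $BaseVm -Clone $TestVm
VBoxManage startvm $TestVm
# ... install and test the software inside the clone, then:
# Remove-Clone -Clone $TestVm
```

The order matters: the adapters are switched to "null" before the clone is ever started, so the copy never gets a chance to reach the network, and the shared-folder and USB removal closes the two host-access paths the post names. The base VM is never modified, which is what makes step 5 a clean reset.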

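The MBR-vs-GPT question that opens the discussion, and the diskpart sequence in the post, as one script. This is an added example, not code from the thread or from VeraCrypt: it assumes a Windows 8 or later environment where the Storage module's Get-Disk is available (so a running Windows or a WinPE that includes PowerShell, not necessarily the installer's Shift+F10 prompt), and the script path under $env:TEMP is an assumed location. The firmware check uses the $env:firmware_type variable that Windows 8 and later set to "UEFI" or "Legacy".

```powershell
# Added example (not from the thread): find out how this machine booted and how
# each disk is partitioned, then run the post's diskpart sequence against ONE
# explicitly chosen, non-system disk. Assumes Windows 8+ with the Storage module.

function Get-BootSummary {
    # $env:firmware_type is "UEFI" or "Legacy" on Windows 8 and later. A UEFI
    # boot goes with a GPT system disk, so the MBR route in the post also means
    # booting the installer in legacy/CSM mode.
    [pscustomobject]@{
        FirmwareType = $env:firmware_type
        Disks        = Get-Disk | Select-Object Number, FriendlyName, PartitionStyle,
                           @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } },
                           IsBoot, IsSystem
    }
}

function New-MbrConversionScript {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [string]$Path = "$env:TEMP\convert-to-mbr.txt"   # assumed location
    )
    # The exact sequence from the post, in a file diskpart can run with /s.
    # "clean" wipes the partition table of the selected disk, so the number
    # must be checked against Get-BootSummary on a multi-drive machine.
    @(
        "select disk $DiskNumber",
        "clean",
        "convert mbr",
        "exit"
    ) | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

function Convert-DiskToMbr {
    param([Parameter(Mandatory)][int]$DiskNumber)
    $disk = Get-Disk -Number $DiskNumber
    # Refuse to touch the disk the current OS is running from.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the running OS; refusing to clean it."
    }
    if ($disk.PartitionStyle -eq 'MBR') {
        Write-Host "Disk $DiskNumber is already MBR; nothing to do."
        return
    }
    $script = New-MbrConversionScript -DiskNumber $DiskNumber
    Write-Host "About to run 'diskpart /s $script' against:"
    $disk | Format-List Number, FriendlyName, PartitionStyle, Size
    # Second confirmation: the operator retypes the disk number.
    if ((Read-Host "Type the disk number again to confirm") -ne "$DiskNumber") {
        Write-Host "Aborted."
        return
    }
    diskpart /s $script
}

Get-BootSummary | Format-List
# Convert-DiskToMbr -DiskNumber 1   # uncomment only after checking the summary above
```

Run Get-BootSummary first: the FirmwareType line answers whether the current install is UEFI/GPT or legacy/MBR, and the IsBoot/IsSystem columns show which disk the running OS lives on, which is the number the script refuses to clean. The multi-SSD situation later in the thread is exactly where an unchecked "select disk #" goes wrong.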
     
  • blip

    blip - 2016-11-05

    Seeing as how you have an OEM copy of Windows, you could ask Microsoft if they could send you a copy of Windows for your virtual machine - on the same computer of course.

    Note though that in a VM you won't get any of that Lenovo-exclusive software.
    I call them bloatware. Not having them is a plus for me. There's very few times I like 'bloatware'

     
  • blip

    blip - 2016-11-07

    Any feedback? Did I write too much? :p

     
    • blip

      blip - 2016-11-07

      *type

       
  • Anonymous

    Anonymous - 2017-01-28

    I do believe the current Linux kernel is capable of handling dm-crypt, LUKS, TrueCrypt and VeraCrypt volumes. Also the GRUB boot loader has that capability, so the Linux boot partition can be encrypted. So it should be possible to have GRUB in the (system) disk MBR (GRUB will fit under the 2048-sector boundary just before the first partition begins) and all Linux partitions under one LUKS physical partition, and Windows under a VeraCrypt one. So I think only two disk partitions are required, at least for a moderately sized SSD (so no immediate need or benefit from the GPT partition scheme). Also, Windows (at least Windows 7) should run from a single partition just fine (not UEFI boot). Thus the only thing when planning new disk partitions would be making the right size split between Windows and Linux. That in turn depends on the use case, what would be your primary OS, etc. As to security from GRUB tampering by a "random guy in the middle", Linux has tools to check that on every boot. So I think HW based spy utilities need to be installed, but just put some glue or firm foam inside onto your laptop motherboard and disk interfaces and feel more relaxed than ever :)

     
  • denyo

    denyo - 2017-01-30

    @Alir

    thank you for the kick ass post

     
  • Alex

    Alex - 2017-01-30

    My installation contains 3 OS: Windows 10 encrypted OS, Windows 10 hidden encrypted OS, Ubuntu Linux.

    Computer is EFI boot. VeraCrypt 1.20B2.

    It works like in the demo
    http://sendvid.com/px9jirm6

     
    • Anonymous

      Anonymous - 2017-01-30

      What's the advantage of VeraCrypt in boot vs. GRUB? In your setup, you're forced to switch boot drives which have own VC/GRUB, right? What if GRUB will do everything alone, will Windows install succeed?

      How can you plausibly deny the facts:
      1. that your outer Windows takes only around half of a drive;
      2. that its logs, cache and specific key files showing you aren't using it in daily fashion?

      What if one starts to write big files onto outer volume, will the hidden one be damaged/lost without a warning?

       
  • Alex

    Alex - 2017-01-30

    Switch boot drive - no. The drive attached contains key. Loader is VeraCrypt-DCS configured.
    1. Second volume is VeraCrypt data volume. (scenario can work with one drive with 3 OS and USB key)
    2. Logs, cache and other OS activity. It is possible to mount the first OS or Linux and simulate any activity.

    Big file write - it will erase hidden volume.

     

    Last edit: Alex 2017-01-30
    • Anonymous

      Anonymous - 2017-01-31

      My point about so called "plausible" deniability is that besides the local files there is also network traffic that shows things like MAC addresses, routers, connection destinations, ports and times. Plus browser's fingerprints. You will not be able to show e-mail check/sent was from the outer/opened OS, thus it will point you have to have another OS from/within the same machine/router.

      Big file erasing the actually important OS and data will require having several (at least 2) physical devices with similar deniability features. Practically, that would mean you'll have to manage at least 4 to 6 (as in your example of mixed Windows/Linux usage) different OSes! Imagine the nightmare of keeping all those OSes, apps and data in sync and hiding traces of that synchronization as well!

       
  • Alex

    Alex - 2017-02-01

    VeraCrypt is tool only. Plausible deniability - it is art...

     
  • dictum99

    dictum99 - 2018-10-29

    I have a similar situation or desire, except, to make perfectly clear, I have several separate drives (SSDs) in the machine. Multiple OSes are not installed on the same drive, but on separate drives.

    That is, Windows 10 primary boot lives on SSD0.
    Windows 10 clone of the above lives on SSD1.
    Linux - I plan to install on SSD2.
    There is also drive number currently used for data but I could theoretically put an operating system on it as well.

    So yesterday I experimented with the latest VeraCrypt version and installed it on my SSD1, which is a test drive more or less, I can do whatever I want on it without affecting the primary SSD0 which is my default boot drive.

    I did the full disk encryption while booted into SSD1. Rebooted the machine. To my horror, I discovered that (1) I no longer got the prompt for which drive I want to boot into, SSD0 or SSD1 and it immediately prompted me for the password. How is that possible since presumably while on SSD1 it only encrypted the MBR of SSD1 and left alone SSD0?

    My horror compounded when the password I set did not work, repeatedly. I thought I hosed the computer for sure. I removed the SSD1 drive and still had issues.

    I think there is a serious bug in VeraCrypt as it pertains to multiple drives on the machine with multiple operating systems.

    When I did the encryption, it said "TEST" and then it went back to normal so I never really encrypted the drive but this was scary enough to the point I don't think I will engage full disk encryption.

     
  • dictum99

    dictum99 - 2018-10-29

    I am trying to process this article but it's not helping:

    https://medium.com/@lankycyril/using-veracrypt-with-a-uefi-dual-boot-setup-27d1eacbf36b

    Using VeraCrypt with a UEFI dual boot setup
    Or how I learned to stop worrying and love the bootloader

     
