
Using GRUB to boot into Vera encrypted Windows disk

2015-10-17
2020-05-17
  • Silicomancer

    Silicomancer - 2015-10-17

    My PC has two SSDs. One containing Windows 7, one containing Kubuntu 15.04.

    The Linux disk is configured as boot disk in BIOS. Its MBR contains GRUB. The Windows disk has the standard bootloader in its MBR. When booting, GRUB provides a menu that allows me to boot into Linux or into Windows.

    Currently Linux is encrypted (LVM+LUKS). Windows is not. I would like to encrypt the Windows disk using VeraCrypt.

    I tried to encrypt the Windows disk as if there were no other disk and no other OS installed on the computer (selecting "single-boot" in the encryption wizard).

    I expected this should work... GRUB and Linux remained unchanged, but when booting into Windows no password request from VeraCrypt appeared; the PC booted directly into Windows and I got a dialog telling me that the password/boot test had failed.

    How can this be solved? Why don't I see the VC password request?

     
    • Silicomancer

      Silicomancer - 2015-10-23

      Really no idea? Anybody?

       
  • Mounir IDRASSI

    Mounir IDRASSI - 2015-10-23

    The VeraCrypt bootloader is installed in the MBR of the disk containing Windows, but GRUB is booting Windows directly without using our MBR.

    So the solution is to extract the MBR created by VeraCrypt, put it in a place accessible by GRUB (for example /boot) and then add an entry in /boot/grub/menu.lst to boot using this MBR.

    For example, if we suppose that the first disk is for Linux (sda) and the second for Windows (sdb): first start the encryption process in Windows and, after rebooting to do the pre-test, go to Linux (not Windows) and extract the VeraCrypt MBR using the commands:

    sudo mkdir /mnt/boot
    # sda1 is the unencrypted /boot partition of the Linux disk
    sudo mount /dev/sda1 /mnt/boot
    # copy the first sector (MBR) of the Windows disk into a file GRUB can read
    sudo dd if=/dev/sdb of=/mnt/boot/veracrypt.mbr count=1 bs=512
    sudo umount /mnt/boot
    

    and then modify the GRUB menu.lst file to add an entry like this:

    title Windows Encrypted
    # Windows partition on the second disk (GRUB legacy numbers partitions from 0)
    rootnoverify (hd1,1)
    makeactive
    # sda1 was mounted at /mnt/boot, so the file sits at the root of (hd0,0)
    chainloader (hd0,0)/veracrypt.mbr
    boot
    

    After that, restart your PC and choose the newly added entry. Now, you should see the VeraCrypt prompt and after booting Windows the pre-test should be successful and the encryption process can proceed.

    Another approach is to make the Windows disk the boot disk in the BIOS and then start Windows and perform the encryption: this will succeed because the Windows disk MBR will always be used.
    Once the encryption is done, reboot to Linux and then perform the same steps I described above to have a new entry for the encrypted Windows.

    Both solutions should work, although the second one is safer.

     
    • Silicomancer

      Silicomancer - 2015-10-26

      Is there no way to chain-load the Vera-MBR without making a copy of it?

      Anyway, your solution sounds good. But I could not find the "menu.lst" file. This is what /boot/grub/ contains:

      drwxr-xr-x 5 root root    4096 Okt 22 21:42 ./
      drwxr-xr-x 4 root root    4096 Okt 20 21:02 ../
      drwxr-xr-x 2 root root    4096 Aug 26 23:10 fonts/
      -rw-r--r-- 1 root root     712 Apr 22  2015 gfxblacklist.txt
      -r--r--r-- 1 root root   17303 Okt 22 21:42 grub.cfg
      -rw-r--r-- 1 root root    1024 Okt 27  2015 grubenv
      drwxr-xr-x 2 root root   12288 Okt 22 21:41 i386-pc/
      drwxr-xr-x 2 root root    4096 Okt 22 21:41 locale/
      -rw-r--r-- 1 root root 2400500 Okt 22 21:41 unicode.pf2
      
       
  • Nick M

    Nick M - 2016-11-27

    I am having the same issue as well. The problem is that you are using GRUB 2, which doesn't have a menu.lst file by default. From reading the man pages you CAN do this, but there is indeed some voodoo involved. I would really like to see a solution to this problem as well.

     
    • Hern0pa

      Hern0pa - 2016-12-07

      Same here. I tried various things in the /etc/grub.d/40_custom script in order to generate the /boot/grub/grub.cfg, and it almost worked, but the VeraCrypt bootloader actually ended up failing on me, saying it was corrupt ("Disk error, disk error, disk error, Loader Damaged! Repair with rescue disk").
      Although I did copy exactly the 512 block size from VeraCrypt in the MBR as Mounir mentioned (and as mentioned everywhere else), I copied it to the Windows 7 boot partition (NTFS) along with its original bootloader... not sure if that was a good idea.

      Anyway, in /etc/grub.d/40_custom I did:

      menuentry "Win7 Veracrypt bootloader" {
        insmod ntfs                                      # the copy lives on an NTFS partition
        set root=(hd0,2)                                 # /dev/sda2, the Win7 system partition (GRUB 2 has no rootnoverify; chainloader uses $root)
        chainloader (hd0,1)/veracrypt_bootloader_copy    # /dev/sda1, the Win7 boot partition
      }
      

      Would love some insight into all this. The new GRUB2 way is not very well documented when it comes to chainloading Windows quirks. >_>

      Edit: tried copying the VeraCrypt bootloader with bs=512 count=32 as well as onto an unencrypted /boot partition; it either says "wrong signature" or "bootloader is broken".

       

      Last edit: Hern0pa 2016-12-07
      • Hern0pa

        Hern0pa - 2016-12-07

        After some more testing, clearly the VeraCrypt bootloader must be more than a 512-byte block in size, because even after restoring it to the MBR with either:

        # boot code only (446 bytes, leaves the partition table untouched)
        dd if=/mnt/veracrypt_bootloader.mbr of=/dev/sda bs=446 count=1
        # the whole first sector
        dd if=/mnt/veracrypt_bootloader.mbr of=/dev/sda bs=512 count=1
        

        It still says the (restored) VeraCrypt bootloader is damaged.

        HOWEVER, if the bootloader from MBR was copied with a bigger size like so:

        dd if=/dev/sda of=/boot/vc_bootloader.vbr bs=512 count=31
        

        (which is a file about 18432B in size) and restored with the same size to the same MBR:

        dd if=/boot/vc_bootloader.vbr of=/dev/sda bs=512 count=31
        

        then the bootloader works fine again. BUT the passphrase doesn't work anymore somehow! Maybe I wrote back too many blocks and this has corrupted the integrity of the data in the payload or something? Had to do a "restore key data" from the rescue ISO.

        Anyway, the final question that remains to be answered: how big is the VC bootloader supposed to be? Is there a reliable way of copying it?

        Edit: found a site mentioning count=63 for the Windows boot sector in the MBR (http://edoceo.com/exemplar/ntfsclone-transfer-windows), but even then the bootloader is still "damaged" for me. Quite puzzling.

        Edit: I think I got it to work by placing the (bigger) MBR copy into an unencrypted /boot partition (/dev/sda3 for me), but only by keeping the VeraCrypt bootloader in the MBR as well. :(

        menuentry "VeraCrypt bootloader copy" {
          insmod part_msdos                     # might not be needed
          insmod ext2                           # ext2 is not recommended for grub in a VBR
          set root='(hd0,2)'                    # points to the Windows 7 encrypted partition (GRUB 2 has no rootnoverify; chainloader uses $root)
          chainloader (hd0,3)/vcbootloadercopy.mbr
        }
        

        So when I press ESC at the VC bootloader, I can access the GRUB bootloader on /dev/sda3 (in the volume boot record), which then points to the copy located on the same partition.

         

        Last edit: Hern0pa 2016-12-08
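Mounir's dd extraction and Hern0pa's experiments with count=1, 31 and 63 both hinge on whether the file GRUB chainloads is an exact image of the sectors taken from the disk. This added example (not from the thread or from VeraCrypt) checks a copy for the 0x55AA boot signature and for byte-for-byte equality with the disk range it was cut from, using a constructed 63-sector image in place of /dev/sdb; it does not settle how many sectors the loader needs.

```shell
#!/bin/sh
# Added example: sanity-check a boot-loader copy made with dd before pointing
# a GRUB chainloader entry at it. All disk images here are constructed.
SECTOR=512

# Build a throwaway "disk": N sectors of random bytes with the 0x55AA boot
# signature at bytes 510-511 of sector 0 (stands in for /dev/sdb).
make_fake_disk() {
  dd if=/dev/urandom of="$1" bs=$SECTOR count="$2" 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Extract the first N sectors of DISK into OUT, the way the posts do
# (count=1, 31 or 63). Arguments: DISK SECTORS OUT
extract_loader() {
  dd if="$1" of="$3" bs=$SECTOR count="$2" 2>/dev/null
}

# A copy whose sector 0 does not end in 0x55AA is not a bootable MBR image.
mbr_has_signature() {
  sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
  [ "$sig" = "55aa" ]
}

# The copy must be exactly N*512 bytes and byte-identical to the disk's
# first N sectors; a short or garbled copy fails here instead of at boot.
# Arguments: FILE DISK SECTORS
copy_matches_disk() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq $(( $3 * SECTOR )) ] || return 1
  dd if="$2" bs=$SECTOR count="$3" 2>/dev/null | cmp -s "$1" -
}

# Both checks together; returns 0 only for an exact, signed copy.
# Arguments: FILE DISK SECTORS
check_copy() {
  mbr_has_signature "$1" && copy_matches_disk "$1" "$2" "$3"
}

# Usage on a real system (needs root):
#   extract_loader /dev/sdb 63 /boot/veracrypt.mbr
#   check_copy /boot/veracrypt.mbr /dev/sdb 63 && echo "copy verified"
```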
  • Bart

    Bart - 2016-12-25

    +1

     
  • Roberto

    Roberto - 2017-02-14

    It's been a while. I wonder... has anyone succeeded in nesting the VeraCrypt bootloader into GRUB/GRUB2 so it can be shown as a GRUB entry yet?

     
  • Alex

    Alex - 2017-02-14

    In EFI mode it is easy because all loaders are started from the ESP.

     
  • Roberto

    Roberto - 2017-02-14

    Any details on how to do it in UEFI mode step by step?

     
  • Alex

    Alex - 2017-02-15

    UEFI contains a boot menu and the possibility to select an OS without GRUB.
    From Linux it is modified with the efibootmgr command.

    If you prefer to start VeraCrypt from GRUB, add a chainloader boot menu entry like the Windows one, but executing DcsBoot.efi:

    chainloader /EFI/VeraCrypt/DcsBoot.efi

     
  • Maverick

    Maverick - 2020-05-17

    Hi,

    I have the same problem. Has anyone successfully got this to work on a standard BIOS without UEFI?

    I made a 512-byte copy of the hard disk MBR where the VeraCrypt boot loader is installed, and loading it from a USB disk with GRUB2 works fine, but as soon as I replace the MBR on the hard disk with GRUB2 or any other bootloader it doesn't work anymore: when I try to load the MBR file it says the VeraCrypt bootloader is corrupted.

     
