TrueCrypted Windows and LUKSed Linux in peaceful coexistence
If you have already encrypted your Windows installation with TrueCrypt but want to have a dual-boot machine with Linux as a second choice and have full disk encryption on both systems, making it as flawless as possible, here is the step-by-step guide, preceded by a way-too-long introduction.
Do I need this?
Everyone deserves their data to be secure from prying eyes. No matter if it's a database of your clients and their confidential project documents, a draft of your fantastic novel, your scanned IDs and medical records or just these intimate e-mails from your beloved one - it's yours. No matter if it's a foreign industrial spy, a robber stealing your home PC (and that portable disk you kept backups on), a service technician repairing your laptop or a border guard at an airport in the United States or the United Kingdom - your data is none of their business and you have the right as well as the tools to ensure nobody can poke through it. Yes, you should encrypt your data and no, it's not rocket science.
Putting some volume of logic into management
This guide will show you how to shrink an existing encrypted Windows partition and use the freed space for setting up a LUKS-encrypted GNU/Linux installation with LVM logical volumes. LVM (Logical Volume Manager) is a very elastic mechanism for managing disk space - way more flexible than the old partition concept. It's not my goal to write a 101 tutorial for it here; there are some good sources on the net - read them first if you have no idea what LVM is. Why is it a good choice in this case? Because no matter if you plan to have a Linux installation on one root (/) volume for a small system or make a complex setup (e.g. separate volumes for /home, swap for working hibernation and one more for virtual machine images), you will only have one LUKS-encrypted container. We will use it as an LVM PV (Physical Volume) and divide the space inside it according to the needs.
This guide will give your data reasonable protection against cases like laptop theft or a crooked service guy - random situations in general. It's a basic recipe, a bare minimum that everyone can and should utilize in my opinion. If you expect someone to target you and your disk's contents, there are many attack vectors they can try. Their arsenal ranges from malware links sent to your email saying "just found ur naked pics on the web, click here", to cold boot attacks, to Evil Maid attacks (on both Windows and GNU/Linux), to so-called rubber hose cryptanalysis in the worst case. I'm not going to discuss epoxying your RAM to the mainboard or physically locking your FireWire or ExpressCard port (if you are really interested, start searching and reading now). But in the end, even if you know that someone might break the window to enter your house, it's not a reason to leave the door unlocked for every possible passerby.
This guide assumes you have some basic knowledge about Linux, you know what a partition and mount point is and how to execute commands in terminal as root.
Trusting the tools
I mentioned in the previous post that open source is a must when it comes to critical security applications. Disk encryption software is probably the best example. So LUKS is a no-brainer in the case of Linux: it's the standard tool included in most distributions. And for Windows - if you have to use it - there is actually only one open-source option: TrueCrypt (even though its license raises some controversies, we are still waiting for the independent security audit, and only recently did we get proof that the published binaries match the source). Still, way better than nothing.
Note that for Ubuntu 12.04 LTS (when it comes to Ubuntu, I prefer LTS releases exactly because of the prolonged support) you have to either use an Ubuntu alternate install CD (see download page), which uses a text-mode GUI, or manually set up LUKS and LVM prior to the actual installation if you want to stick to the graphical installer - I will discuss the first method here. The process got simpler in newer versions of Ubuntu: since version 12.10 the graphical installer contains a full disk encryption option thanks to the Electronic Frontier Foundation. Still, if you want to use 12.10 or newer in a similar dual-boot case, look into the steps below, especially the one about GRUB installation.
If you want to make a bootable USB drive from the ISO (to spare a blank CD or set up a small laptop with no optical drive), Unetbootin is a great tool for that.
Initial machine state: One physical hard disk, Windows 7 Professional installed, existing partition(s) on the disk occupying 100% of the available space. TrueCrypt 7.1a installed, System encryption applied to all existing Windows partitions with the following options used:
- type of system encryption: normal
- encrypt whole drive
- encrypt host protected area: no
- single boot.
Goal: make the machine dual-boot without additional boot media (CDs/USB keys etc.) with Ubuntu 12.04 LTS as a second system, fully encrypted with LUKS (if you want to pick Debian instead, the process is almost identical).
Before you start: plan your disk space accordingly. Which system will you use primarily, where do you want to keep your data? If you are doing this on a blank machine, install Windows first* and just leave the required amount of disk space unoccupied. A Windows 7 installation that you're not going to use heavily may fit on a 15GB partition (just turn off hibernation or reduce swap size). On the other hand, for a minimal Xubuntu installation without swap 8GB is enough - of course it all depends on the extra software you are going to install. If you have only a small amount of space planned for Linux, use one big / (root) volume inside the encrypted container. If you have more, or want to use swap or a separate volume for /home, make an LVM PV ("physical volume") in the encrypted container and use LVM to divide the space according to your needs. For example, I tend to put virtual machine images onto a separate volume - you may want to do that with big multimedia files, temporary directories etc.
- Make sure your backup is in place and up to date. If it's a desktop computer, connect it to a UPS if possible. A mistake during this process is very likely to cost you all data on the disk.
- In order to shrink the Windows partition effectively, defragment it first using the standard Windows defragmentation tool. I did this on a rather fresh system with not much space occupied but it helped anyway.
- Run diskmgmt.msc as administrator, right-click on the partition you want to make smaller and click Shrink. If after a few minutes of meditation Windows offers you less than you need, you can free more space on the partition or turn off paging (swap) or hibernation. You may also try another defragmentation tool.
- After shrinking, reboot from the Ubuntu installation disk and get through initial steps (language, keyboard, timezone, account name, password). If your machine requires manual IP configuration, do it.
- When asked for encrypting the home directory, choose No. We're going to make a more complex setup.
- On the Partition disks step, select Manual. Any other option would take up the entire disk and erase your Windows installation.
- You'll be presented with a list of existing partitions on the disk. The example below shows a 30GB virtual machine's disk with two partitions created by the Windows 7 installer: a small boot partition (seen as /dev/sda1) and the main Windows partition (/dev/sda2, mapped in Windows as the C: drive) that was shrunk to 15GB, leaving around 14.9 GB free.
- We are going to set up two logical partitions now: a small 200 MB one for /boot and the other taking whatever space is left for the encrypted LUKS container. First press Enter on the FREE SPACE. On the next screens type 200 MB as size, select Beginning as the location and Logical as partition type (yes, the boot partition does not have to be primary). On the next screen, make sure Mount point is set to /boot and Ext4 filesystem is chosen. Select Done setting up the partition. The boot partition is ready - take note of which one it is (e.g. /dev/sda5 in this example).
- Now, the encrypted container. Select Configure encrypted volumes. When asked, say Yes to Write changes to the disk and create encrypted volumes? and then choose Create encrypted volumes from next menu.
You will be presented with a list of partitions including a "free space" position at the end. Select it.
On the next screen set Erase data to yes. Make sure Encryption is set to aes, Keysize is 256 and IV algorithm is cbc-essiv:sha256. Exit with the Done setting up the partition option. Note: be aware that erasing data is a must from a security perspective but it will take a while, especially if the partition has several hundred gigabytes.
- Once again confirm writing changes to the disk and select Finish in Encryption configuration actions.
Choose your encryption passphrase. Really take to heart the information on that screen regarding passphrase length and complexity.
- The installer has now created an encrypted volume (called sda6_crypt on the example picture) and will allow you to utilize its space. In other words, you can now access the container as if it were an ordinary partition. You now have two options, as discussed above:
- One big / (root) filesystem with no swap: just press Enter on the encrypted volume (not on the logical partition holding it!) and you'll see a familiar Partition settings window. Press Enter on Use as and select Ext4 filesystem, then for Mount point: select / - the root filesystem. Finally confirm with Done setting up the partition - the result should look like this (mind the / sign showing that the filesystem will be mounted as root one):
- LVM with separate swap and other volumes: press Enter on Configure the Logical Volume Manager and select Create Volume Group. Give it a short name (vg00 is a good idea). The next window contains a list of volumes available to be utilized by LVM. Select only one position: /dev/mapper/sda6_crypt - this is the location where the encrypted volume's contents are presented to the OS by LUKS as a regular block device. Now use Create logical volume as many times as you need to create the LVs. Name them descriptively, e.g. lv_root, lv_home, lv_swap etc. Choosing Finish will take you back to the main installer screen. Now press Enter on each newly created LV and select the proper mount point and file system (use Ext4 for / (root) and /home and swap area for swap). The final effect should look similar to the screenshot:
Booting the systems
After the reboot you'll be greeted with the familiar TrueCrypt password prompt. Typing the passphrase will boot you to Windows. So how to access Linux? Just press Esc instead of typing the password. When you do that, the TrueCrypt bootloader searches for other partitions with a valid boot record. It will find one on /dev/sda5 and run GRUB from it, and GRUB in turn will boot our fresh GNU/Linux installation (if you have more bootable partitions, the TrueCrypt bootloader may instead ask you which one you want to boot from). After a few seconds you'll be asked for the LUKS passphrase to unlock the container stored on /dev/sda6 and then greeted by the Ubuntu login screen.
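To confirm after the first boot that the container on /dev/sda6 really uses the settings picked in the installer (aes, 256-bit key, cbc-essiv:sha256), the LUKS header can be dumped and compared. The script below is an added example, not part of the original guide; it assumes the LUKS1 text layout printed by cryptsetup luksDump, and the embedded dump is a constructed sample.

```shell
#!/bin/sh
# Added example: compare a LUKS1 header dump with the installer settings.
# On the real system (as root): cryptsetup luksDump /dev/sda6 > sda6.dump

# luks_field FILE NAME: print the value of the "NAME:" line, trimmed
luks_field() {
    awk -v key="$2" 'index($0, key ":") == 1 {
        v = substr($0, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# luks_matches FILE CIPHER MODE BITS: true if all three header fields agree
luks_matches() {
    [ "$(luks_field "$1" 'Cipher name')" = "$2" ] &&
    [ "$(luks_field "$1" 'Cipher mode')" = "$3" ] &&
    [ "$(luks_field "$1" 'MK bits')" = "$4" ]
}

# enabled_slots FILE: print how many key slots hold a passphrase
enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED' "$1" || true
}

# write_sample_dump FILE: constructed sample, trimmed to the relevant lines
write_sample_dump() {
    cat > "$1" <<'EOF'
LUKS header information for /dev/sda6

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256

Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

dump=$(mktemp)
write_sample_dump "$dump"
if luks_matches "$dump" aes cbc-essiv:sha256 256; then
    echo "header matches; enabled key slots: $(enabled_slots "$dump")"
else
    echo "header does not match the installer settings"
fi
rm -f "$dump"
```

More than one enabled key slot on a fresh installation means a second passphrase or key file can unlock the container, which is worth investigating before the disk holds real data.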
Post installation steps.
- Install the updates. Whether you prefer Update Manager GUI, apt-get or aptitude - just do it right now.
- Does your processor support hardware AES acceleration (aka AES New Instructions)? If so, check that you're making use of it. Check the processor manufacturer's website (here is the Intel list) or run cat /proc/cpuinfo and search flags for aes. If you find it, make sure that the proper kernel module is loaded by executing lsmod | grep aesni. If nothing appears, try to execute modprobe aesni_intel as root and then lsmod | grep aesni again. If the module loads successfully, you need to add an aesni_intel line to two files: /etc/modules and /etc/initramfs-tools/modules. The first one ensures the module is loaded (and thus used to accelerate disk reads/writes) on system boot, the other one controls which modules are used by initramfs, i.e. during the boot process. After the change to the initramfs config files you also need to rebuild it with the update-initramfs -u command (as root).
Note: Intel website states that for some CPUs AES support is enabled by a BIOS update (e.g. some HP Probook 63xx models). If this is your case, update the BIOS first.
- Do you use any device with a FireWire interface? If not, it's a good idea to blacklist the relevant kernel modules to prevent an Inception tool attack. All it takes is to create (as root) a file /etc/modprobe.d/blacklist-firewire.conf (the name does not matter as long as it ends with .conf) and add two lines to it:
Note: disabling FireWire in BIOS/UEFI is also a good idea but will not save you from someone inserting a FireWire card into the laptop's PCMCIA or ExpressCard slot.
- Think of backing up your Linux installation. Tools like rsync or duplicity do a good job here. Make sure not only your files but also vital LUKS and LVM structures are backed up (see my recent post). It's a good idea to keep your backups encrypted as well.
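The AES-NI and FireWire steps above are easy to leave half done, for instance with aesni_intel in /etc/modules but not in the initramfs list. The following audit script is an added example, not part of the original guide. Its sample files are constructed, and firewire-ohci is an assumed module name, because the two blacklist lines are not preserved on this page.

```shell
#!/bin/sh
# Added example: audit the AES-NI and FireWire post-installation steps.
# Paths are arguments, so the checks work on the live files or on copies.

# cpu_has_aes CPUINFO: true if a "flags" line lists the aes feature
cpu_has_aes() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw 'aes'
}

# module_listed FILE MODULE: true if MODULE is an uncommented entry in FILE
module_listed() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|#|\$)" "$1"
}

# aesni_status CPUINFO MODULES INITRAMFS_MODULES: prints a one-line verdict
aesni_status() {
    cpu_has_aes "$1" || { echo "unsupported"; return 0; }
    missing=""
    for f in "$2" "$3"; do
        module_listed "$f" aesni_intel || missing="$missing $f"
    done
    if [ -z "$missing" ]; then echo "persistent"; else echo "missing:$missing"; fi
}

# is_blacklisted DIR MODULE: true if some DIR/*.conf blacklists MODULE
is_blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|\$)" "$1"/*.conf
}

# Constructed sample tree standing in for /proc and /etc (not real output)
make_sample() {
    mkdir -p "$1/initramfs-tools" "$1/modprobe.d"
    printf 'flags\t\t: fpu sse2 aes avx\n' > "$1/cpuinfo"
    printf '# /etc/modules\nlp\naesni_intel\n' > "$1/modules"
    printf '# initramfs modules\n' > "$1/initramfs-tools/modules"
    # firewire-ohci is an assumed module name; the page's two lines are lost
    printf 'blacklist firewire-ohci\n' > "$1/modprobe.d/blacklist-firewire.conf"
}

root=$(mktemp -d)
make_sample "$root"
aesni_status "$root/cpuinfo" "$root/modules" "$root/initramfs-tools/modules"
is_blacklisted "$root/modprobe.d" firewire-ohci && echo "firewire-ohci blacklisted"
rm -rf "$root"
# On the installed system:
#   aesni_status /proc/cpuinfo /etc/modules /etc/initramfs-tools/modules
```

A "missing:" verdict that names /etc/initramfs-tools/modules means the module loads only after the root volume is already unlocked; add the line and run update-initramfs -u as described above.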
I am planning to discuss ways to access Truecrypt volume from Linux and LUKS containers under Windows in some future post.
Alternative: anti-theft bait OS
Even if you don't use Windows at all but bought a laptop with a Windows license (the "Microsoft tax"), you may consider sacrificing some disk space and installing a "bait" OS, one you won't use at all but leave unsecured so a potential thief may try using it for some time. Set up a pure Windows installation without encryption, passwords etc. and install an anti-theft application which will help locate your laptop if the person who stole it powers it on and connects to the Internet. It seems the only software of that type that at least tries to act in an open-source manner is Prey; there was also Adeona, which aimed to have some really reasonable security assumptions, but it looks like a dead project now. Note: remember that by installing such software you expose yourself to the company behind it. Fork Ltd., the company behind Prey, is operated from Chile or Hong Kong (their website does not state it clearly) and some serious issues were found in the software. That's why I would only recommend installing it on a system you do not use on a daily basis.
The bait OS idea is taken from a fantastic post by Mike Cardwell, who also wrote about setting up OpenVPN client on such system. This way all the traffic from the stolen machine is sent through a server which is under his control, giving him chance to learn more about the attacker by spying on the traffic they generate.
You may also consider leaving a "My address.txt" on the desktop with your contact data - just in case your machine is lost and found by someone with good intentions.
*) "Install Windows first" is a general rule of thumb when making a dual-boot Windows/Linux setup; Microsoft installers completely ignore non-Microsoft OSes while GNU GRUB bootloader used by almost all GNU/Linux distros detects and boots Windows partitions properly.