2012-01-25

Dualboot with WDE (Whole Disk Encryption) Windows 7 and Linux Kubuntu 11.10


See the great reference http://www.iceflatline.com/2009/09/how-to-dual-boot-Windows-7-and-linux-using-bcdedit/

Introduction

I have PGP-WDE on a Windows 7 laptop, but I also want a Linux dual-boot partition, likewise with whole disk encryption. This is how it was done.

Detailed situation
Usually,
  • A virtual machine is convenient.
  • Home directory encryption is enough.
  • Just using PGP-WDE is possible.
But sometimes life is not so easy. If you are in the following situation, you have the same problem as me.
Then we need another solution.

Suggested solution
  • Windows 7 partition is encrypted by PGP-WDE.
  • Linux (Kubuntu 11.10) partition is encrypted by dm-crypt.
  • (My machine is Lenovo W520 with 500GB HD.)


How to do it?

1. Decrypt PGP disk

Use the PGP Disk tool to decrypt your disk, because you cannot install Linux on a disk that is still PGP-encrypted. It took 8 hours for a 500GB disk on the Lenovo W520.

2. Partition the disk
  • Use Windows Disk Management or any other tool to shrink the Windows 7 partition.
  • Note: Windows 7 has a small extra partition (around 300MB in size). This is necessary; do not delete it.

3. Install Linux (Kubuntu 11.10)

Push the ThinkVantage button, then push F12 to boot from another drive. I use Kubuntu 11.10 and boot via a USB key.

Install Kubuntu
  • The alternate CD contains the whole disk encryption menu. Kubuntu Desktop only offers the home directory encryption option. (You will also need a Desktop CD later.)
Partition disk

  • We will have "/boot", "/", and swap partitions. Swap may not be needed.
  • Note: /boot should not be encrypted.
  • Choose Manual. I made the following partitions:
  • primary 200MB ext4 /boot, /dev/sda4 (You should remember /boot partition's device name) 
  • logical 241GB K lvm 
  • logical 8G swap
  • I chose the / partition for lvm
Configure encrypted volumes
  • Create encrypted volumes 
  • Choose /dev/sda6 (lvm), /dev/sda5 (swap) 
  • Encryption method: Device mapper (dm-crypt) 
  • Encryption: aes 
  • Finished encryption 
  • Input pass phrase 
Now it starts to install, but without asking where the boot loader should be installed. (I was scared, since I had already broken Windows 7 once when PGP-WDE encryption was active and the master boot record was overwritten. I tried to recover the MBR, but I could not fix it and needed to re-install Windows 7.)

After installing the base system, the installer asks where the GRUB boot loader should be installed.
  • Say 'No' to: Install the GRUB boot loader to the master boot record? 
  • Install the GRUB boot loader in the /boot linux partition (my case, /dev/sda4) 
  • Reboot Linux (from USB key or Live CD, not Alternate CD).

4. Dual boot set up from Windows 7 partition
  • After the reboot from Desktop CD/USB key, we will set up the dual boot.
  • Copy the relevant info to a USB key (mounted on /media/myusbkey in this example) or similar:
 sudo dd if=/dev/sda4 of=/media/myusbkey/linux.bin bs=512 count=1
  • This creates a file of only 512 bytes.
  • Boot Windows 7.
  • Copy linux.bin from the USB key to some place on the Windows partition, e.g. C:\linux.bin
  • Run the command line tool as administrator (right click the icon for that).
  • Run the following commands:
bcdedit /create /d "Linux" /application BOOTSECTOR
  • "Linux" can of course be something else. The command outputs a long ID; use that instead of {ID} in the following commands.
bcdedit /set {ID} device partition=c:
bcdedit /set {ID} path \linux.bin
bcdedit /displayorder {ID} /addlast
bcdedit /timeout 10
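Before registering linux.bin with bcdedit, it is worth confirming that the copy really is a boot sector. The following check is an added example, not part of the original post: it verifies the 512-byte size and the 0x55 0xAA signature and, given the partition device, that the saved copy still matches it (GRUB's boot sector can change when GRUB is reinstalled to the partition, leaving C:\linux.bin stale). The function name check_bootsector and the script name check.sh are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a saved boot sector.
# check_bootsector FILE [DEVICE]
#   0 = OK, 1 = missing, 2 = wrong size, 3 = bad signature, 4 = differs from DEVICE
check_bootsector() {
    file=$1
    dev=${2:-}

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # dd bs=512 count=1 must have produced exactly one sector.
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "size is $size, expected 512" >&2; return 2; }

    # A bootable sector ends with the bytes 0x55 0xAA at offsets 510-511.
    sig=$(dd if="$file" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "bad signature: $sig" >&2; return 3; }

    # Optional: compare against the partition's current first sector.
    if [ -n "$dev" ]; then
        dd if="$dev" bs=512 count=1 2>/dev/null | cmp -s - "$file" ||
            { echo "stale: $file differs from $dev" >&2; return 4; }
    fi
    return 0
}

# With arguments: check the given file (and device), e.g.
#   sudo sh check.sh /media/myusbkey/linux.bin /dev/sda4
# Without arguments: run on a constructed sector (510 zero bytes + 55 aa).
if [ $# -ge 1 ]; then
    check_bootsector "$@"
else
    demo=$(mktemp)
    { dd if=/dev/zero bs=1 count=510 2>/dev/null; printf '\125\252'; } > "$demo"
    check_bootsector "$demo" && echo "constructed sector: OK"
    rm -f "$demo"
fi
```
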
5. Linux boot set up
  • Booting in normal mode failed for me, but I could boot in recovery mode.
  • It seems that normal mode makes the encryption passphrase prompt invisible. It looks like a hang, but Linux is apparently asking for the disk's passphrase; we just cannot see the prompt.
  • I changed the GRUB settings to disable quiet mode and graphical mode. I could not find a /boot/grub/menu.lst file in Kubuntu 11.10; there is an /etc/default/grub file instead.
  1. Boot in recovery mode. (You will be asked for the passphrase.)
  2. sudo vi /etc/default/grub
  3. Change the line GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" to GRUB_CMDLINE_LINUX_DEFAULT="splash nomodeset pci=noacpi"
  4. Run sudo update-grub (I think this changes /boot/grub/grub.cfg)

  • Note: Without pci=noacpi here, the Lenovo W520 with Linux kernel 3.0.0.15 hangs when using the NVIDIA card. If you still have problems, try acpi=off. (The Intel integrated graphics card has no problem.)

6. Windows 7 PGP partition encryption
  • Use the PGP tool to re-encrypt the Windows partition (not the whole disk). Encrypting 240GB took 6 and a half hours in my case.
  • To encrypt the Windows partition, you must choose: Encrypt Whole Disk. PGP Desktop then asks you to create a new user. I chose the Windows password and default settings.

7. Finished
Now your whole hard disk is encrypted except the Linux /boot partition. But there is no secret here.
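/boot holds no confidential data, but the kernel and initramfs that prompt for the passphrase are loaded from it, and dm-crypt does not cover it. The following is an added example, not part of the original post: it records SHA-256 hashes of /boot from inside the encrypted system and reports any later change. The function names, the script name bootcheck.sh and the manifest path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): detect changes to the
# unencrypted /boot. The manifest path used below is an assumption.

# boot_manifest DIR: print "sha256  ./relative/path" for every file, sorted by path.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# boot_baseline DIR MANIFEST: record the current state.
# Keep MANIFEST on the encrypted root, never on /boot itself.
boot_baseline() {
    boot_manifest "$1" > "$2"
}

# boot_verify DIR MANIFEST: 0 if unchanged, 1 if a file was added, removed or modified.
boot_verify() {
    cur=$(mktemp) || return 2
    boot_manifest "$1" > "$cur"
    if cmp -s "$2" "$cur"; then
        result=0
    else
        diff "$2" "$cur" >&2 || true   # lines with < are baseline, > are current
        result=1
    fi
    rm -f "$cur"
    return "$result"
}

# Usage (as root):
#   sh bootcheck.sh baseline /boot /root/boot.manifest
#   sh bootcheck.sh verify   /boot /root/boot.manifest
case "${1:-}" in
    baseline) boot_baseline "$2" "$3" ;;
    verify)   boot_verify "$2" "$3" ;;
esac
```

Re-run the baseline after every kernel update or update-grub run, since both legitimately change files in /boot.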


Thanks to Daniel, Joachim, and Joerg for many hints.

1 comment:

niriven said...

Thank you so much for this info. I have not been able to run linux for months on my w520 due to the boot process hanging at udev waiting for uevents hanging forever in nvidia discrete mode. Integrated and optimus modes worked but not ideal. I've seen others on the net with the same issue but your solution pci=nopci is the only thing that solved my problem!