4

Given the following system:

    /dev/sda1 Windows, encrypted using TrueCrypt
    /dev/sda2 /boot
    /dev/sda3 /, encrypted (LUKS or how it is called)

I now need GRUB2 to boot my TrueCrypt MBR ): Any hint on this? I found some guides for GRUB2 and TrueCrypt, but they all assume that the Linux root partition is not encrypted, which is the case in my situation ):

ish

3 Answers

2

@stefan.at.wpf's solution is the one recommended all over the Internet. It would not work for me. At all. But I found another solution, which did work for me.

Essentially, you chain-load GRUB2 to load SYSLINUX, which in turn boots the TrueCrypt Rescue ISO image, which allows you to boot into Windows.

I have documented the full details here. The summary version, though, would be:

  1. Install syslinux:

    sudo aptitude install syslinux
    
  2. Copy files into place:

    sudo cp /usr/lib/syslinux/memdisk /boot/
    sudo cp TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso
    
  3. Determine the UUID of your boot partition:

    sudo blkid /dev/sda2
    

    Output should look something like this:

    /dev/sda2: UUID="12345678-1234-1234-1234567890"

  4. Configure GRUB2:

    Add the following to /etc/grub.d/40_custom:

    menuentry "TrueCrypt ISO boot" {
        insmod part_msdos
        insmod fat
        insmod ext2
        insmod search_fs_uuid
        search --fs-uuid --no-floppy --set=boot [UUID without quotes]
        linux16 ($boot)/memdisk iso raw
        initrd16 ($boot)/truecrypt-rescue-disk.iso
    }
    
  5. Re-load GRUB2 configuration:

    sudo update-grub
    

Note that this will show you the [F8] Repair options every time you boot into Windows, as we're fooling the system by booting the TrueCrypt Rescue CD image from the hard drive, rather than using the "normal" TrueCrypt boot method. But it seems like a small drawback to me (and might even be considered an added feature!)

redanimalwar
Flimzy
  • You forgot to add Restore key data (volume header) on the first recovery run after the GRUB reinstall procedure. GRUB overwrites sector 62, where the volume header is stored. So far GRUB's core.img is smaller than that and it is safe to overwrite sector 62; it may be changed in the future. Although the procedure needs to be repeated after every GRUB reinstallation, i.e. after every major Linux update – ZAB Dec 17 '17 at 14:00
  • @ZAB: No, I did not forget anything. The answer I provided worked, as described. Although that was over 4 years ago. There's an excellent chance those instructions are no longer precise. But I assure you, I did not forget. – Flimzy Dec 17 '17 at 15:59
  • It may not always be the case, but many other commenters noted this missed step under your blog entry. Also, the grub2tc where you found the solution described this step as well. Why not just add it here too, at the end with an asterisk mark, to help others with troubleshooting? – ZAB Dec 17 '17 at 23:17
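
The UUID lookup and menu entry from steps 3 and 4 of the answer above, as an added shell example that is not part of the original answer: it pulls the filesystem UUID out of a `blkid` line, refuses anything that is not hex digits and dashes before it reaches the GRUB config, and prints the entry. The function names and the sample `blkid` line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# extract_uuid: read `blkid` output on stdin and print the bare filesystem
# UUID (no quotes). The leading whitespace keeps PARTUUID= from matching.
extract_uuid() {
    sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# boot_files_ok DIR: both files copied in step 2 must be present in DIR.
boot_files_ok() {
    [ -f "$1/memdisk" ] && [ -f "$1/truecrypt-rescue-disk.iso" ]
}

# make_entry UUID: print the menu entry from step 4. Anything other than hex
# digits and dashes is refused so stray text never lands in the GRUB config.
make_entry() {
    case "$1" in
        ''|*[!0-9A-Fa-f-]*) echo "refusing UUID: '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $1
    linux16 (\$boot)/memdisk iso raw
    initrd16 (\$boot)/truecrypt-rescue-disk.iso
}
EOF
}

# Constructed sample line; on a real system pipe in `sudo blkid /dev/sda2`.
SAMPLE='/dev/sda2: UUID="0f3c9a52-7d1e-4b8a-9c11-2a6e5d4b7f90" TYPE="ext2" PARTUUID="000a1b2c-02"'
uuid=$(printf '%s\n' "$SAMPLE" | extract_uuid)
make_entry "$uuid"
```

Review the printed entry before appending it to /etc/grub.d/40_custom, then run `sudo update-grub` as in step 5.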
1

Solution: Before encrypting Windows, install GRUB2 to /boot using

    grub-install /dev/sda2 --force

Ignore the warning. Then install TrueCrypt and make the Windows partition active (e.g. using diskpart on the Windows 7 setup CD). ESC in the TC bootloader now leads to GRUB - all fine :-) Mounting the encrypted root using LUKS from a live CD and installing GRUB2 using chroot should also be possible; I forgot this simple solution.

0

Flimzy's answer didn't work for me, and I did not feel like spending hours decrypting and re-encrypting Windows to try stefan.at.wpf's suggestion. Out of desperation, I tried fiddling around in the Grub command line, gave up and typed exit to go do something else, and was presented with the TrueCrypt bootloader.

I was stunned.

I edited my /etc/grub.d/40_custom file to read

    menuentry "Windows 7" { exit }

And it totally works.

Obviously YMMV, but here's my setup: TrueCrypt-encrypted Windows owning the entirety of one disk, and Linux and Grub 2.02~beta2-29ubuntu0.1 owning the entirety of another disk. My Dell BIOS is set to boot from USB, then CD, then the Linux disk, then finally the Windows disk. I'm not sure how or why this works, but I'm happy it does.

Linkz57
  • Has this method given you any problems since then? Have you tried this with VeraCrypt? – James Draper Oct 12 '17 at 18:24
  • This method worked for me! I'm running Linux Mint Cinnamon 18.2 as my first boot disk with my VeraCrypt-ed Win7 up second. – James Draper Oct 12 '17 at 19:50
  • The two-disk setup is the standard use case for GRUB; there is nothing to fix here already. The question was about two Linux/Windows partitions on the same drive, which is tricky. – ZAB Dec 17 '17 at 14:10