
I installed Ubuntu today as a dual boot on my Win 7 laptop and everything seems to work fine. I have a Win 7 partition, an Ubuntu partition, and a data partition. Both Win 7 and Ubuntu access the data partition successfully. Ubuntu handles the boot choice between Win 7 and Ubuntu.

Before I installed Ubuntu, I used Veracrypt for full disk encryption (FDE). I travel with this laptop and I want to be absolutely sure that if it's lost or stolen my data can't be accessed.

I've been reading about how to resume using Veracrypt for FDE and I'm not sure I can do that anymore. Specifically, I want to enter the Veracrypt boot first, and then arrive at a screen that lets me choose between Win 7 and Ubuntu. Is there a way to do that?

I'm not seeing anything that says that's possible. It looks like I should use Veracrypt to encrypt the Win 7 partition and the data partition but use Ubuntu to encrypt its own partition. Is that correct?

Here's what I think I need to do. Am I correct?

1 - Remove Ubuntu so I can reload it differently.

2 - Restore the Win 7 boot loader so the system works as it did before I installed Ubuntu. (How do I do this?)

3 - Reinstall Ubuntu (Using an Alternate install?) and place its boot loader on the same partition as Ubuntu, not in the laptop's MBR. Also have Ubuntu encrypt its own partition at the same time.

At this point, I should be able to turn on my laptop and see the Veracrypt Boot Loader. To log into Windows I should enter the Veracrypt password. To boot into Ubuntu I should press ESC which will send me to the Ubuntu loader and ask me for Ubuntu's decrypt password.

I'm not sure how the data partition would be accessible via each operating system, but I think I just need to re-read the right posts OR ask that in a separate post.

Thanks, Bob

user447969

1 Answer

1 - Remove Ubuntu so I can reload it differently.

That depends on how different. You could use only home folder encryption (PAM & ecryptfs) if that is sufficient for you (it obviously is good enough to land in the next version of Android) and avoid reinstalling. Alternatively you could also encrypt your home partition and mount it during login (PAM & LUKS).

2 - Restore the Win 7 boot loader

This was answered here: How to create or recover Windows Bootloader after deleting Ubuntu boot drive

Ideally you should get rid of MBR and its limitations (and therefore Windows 7), but a UEFI loader for Veracrypt may still take a while to develop and release. Using one hard drive for each OS is always the best option, no matter if booting MBR or UEFI.

It's possible to chainload an image of the Truecrypt MBR loader in Grub to boot Windows, and loading the Veracrypt MBR should be possible too. (How do I get Grub2 to boot a Truecrypt-encrypted MBR? Remember to always back up your headers; some solutions even make use of backed up headers and rescue images.)

So this would be my suggestion for MBR with one HDD and 3-4 primary partitions (try to avoid extended partitions):

  • Grub installed by Ubuntu for OS selection
    • boot unencrypted Ubuntu Root
      • encrypted home with LUKS or ecryptfs (PAM_mount)
    • boot chainloaded Veracrypt Windows

Related: Is there a reason to use TrueCrypt over VeraCrypt?

LiveWireBT
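Added example, not part of the original answer: before replacing or chainloading boot loaders as described above, the boot track can be saved to a file and verified. The sketch assumes the MBR-mode TrueCrypt/VeraCrypt loader occupies the classic first track (sectors 0 to 62); the function names, device and output path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer): save the first track of an MBR disk,
# where the TrueCrypt/VeraCrypt boot loader is assumed to live (sectors 0-62),
# to a file before changing boot loaders.
SECTOR_SIZE=512
TRACK_SECTORS=63   # assumption: classic 63-sector first track

# has_mbr_signature FILE: succeed if bytes 510-511 are the 0x55 0xAA boot signature.
has_mbr_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# backup_boot_track SRC DEST: copy the first track of SRC to DEST and verify it.
backup_boot_track() {
    src=$1
    dest=$2
    want=$((SECTOR_SIZE * TRACK_SECTORS))
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
    has_mbr_signature "$src" || { echo "$src has no MBR boot signature" >&2; return 1; }
    # umask keeps the copy private: it includes whatever the loader stores in that track.
    ( umask 077; dd if="$src" of="$dest" bs="$SECTOR_SIZE" count="$TRACK_SECTORS" 2>/dev/null ) || return 1
    got=$(wc -c < "$dest" | tr -d ' ')
    if [ "$got" -ne "$want" ]; then
        echo "short read: $got of $want bytes" >&2
        rm -f "$dest"
        return 1
    fi
    # Re-read the source and compare, so a bad copy is caught now rather than at restore time.
    if ! dd if="$src" bs="$SECTOR_SIZE" count="$TRACK_SECTORS" 2>/dev/null | cmp -s - "$dest"; then
        echo "verification failed" >&2
        rm -f "$dest"
        return 1
    fi
}

# Usage as root (device and path are placeholders):
#   backup_boot_track /dev/sdX /media/usb/boot-track.bin
```

Keep the resulting file on separate media, alongside the VeraCrypt rescue disk, not on the laptop it came from.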
  • (Twice) The comment about installing Ubuntu a different way meant uninstalling and using one of the "Alternate" options on the install menu vs. the "Along side windows". Answer two above says maybe not. – user447969 Sep 06 '15 at 17:03
  • (Sorry, I keep hitting ENTER - Bad typing habit or odd comment window.) I did see this article http://www.7tutorials.com/how-encrypt-your-system-drive-truecrypt-multi-boot-configuration about using Truecrypt to encrypt a dual boot system. It seems like it should work, what do you think? If I read answer two correctly you are saying to 1) Leave the Grub loader where it is and controlling the choice between Windows and Ubuntu 2) At any old time, just encrypt the Ubuntu home directory, not necessarily part of this boot issue solution. 3) Chain Load Veracrypt Windows. – user447969 Sep 06 '15 at 17:08
  • Ok, enough of the Enter key. This is probably another reason to switch to Linux. So what is the chain Veracrypt Windows method? I see chain loading mentioned but don’t know how to do it other than pressing ESC instead of entering a password in Veracrypt is involved. I’m new to Linux and playing with boot processes so toss in a little extra detail if you can. Thanks, Bob (NOW I’m ready to submit!) – user447969 Sep 06 '15 at 17:11
  • @user447969 I updated my answer. Don't hesitate to ask if you need more information. (Comments only support a very limited set of markup, hitting the enter key accidentally sometimes happens, but you can and should remove your comments yourself.) – LiveWireBT Sep 06 '15 at 21:46
  • Ok, I'll follow up with those links, I really appreciate you taking the time to add them. I'll also look a little more into comments vs. answers. This site is a bit different than other forums I've used. – user447969 Sep 07 '15 at 02:17