Encrypting a multi-boot USB drive

bootloaderencryptionmulti-boottruecryptusb

Goal:
Full encryption of a multi-boot USB drive containing boot CDs and confidential information

Problem:
I have been experimenting with XBoot (https://sites.google.com/site/shamurxboot/download) in order to create multi-boot USB flash drive that I can use for work (carrying around various OS and boot cds).

For those not acquainted with XBoot, it copies the various ISOs to the flash drive and creates a boot loader as a front end in either Syslinux or Grub4dos. Or can be set to not use any bootloader.

I would like to be able to carry around some bootable cds with company information preloaded onto them as well as having files stored on the drive.

For reasons pertaining to the information stored in some of what I'm carrying I would ideally like the entire drive to be encrypted.
Edit:
The ISO files as well as the partition where data is stored.

Possible Solutions I've looked into:
I understand that TrueCrypt (http://www.truecrypt.org/) is capable of using its own bootloader in order to decrypt a drive before it boots. I've used this before and understand in theory how to encrypt a drive in which I'm booting multiple operating systems.

Edit: I know that TrueCrypt doesn't support EXT filesystems but the drive would be formatted as FAT32/NTFS with all of the boot cds existing as ISOs

Is there any way that I could install TrueCrypt to the drive and point one bootloader at another (It's not the cleanest approach but in my mind it stands the best chance of working)?

Is there a cleaner/more efficient way of achieving the desired result?

Edit 2:
Ideally I'm looking for a software solution and not a hardware solution.

Edit 3:
I managed to encrypt the entire drive using TrueCrypt but the front end bootloader isn't really meant to be used like a grub type menu loader. Does anyone have any experience editing the menu?

Edit 4:
I tried using a different program as suggested by one of the responders, Easy2Boot. In functionality terms it works very similarly to XBoot in that it just creates a grub4dos boot menu front end for the ISO files. I ran into the same problem, where once this was set up, I couldn't properly point the truecrypt bootloader at this bootloader. So how would I accomplish this? I know it's possible because even from Easy2Boot, when I boot a live cd like Hirens it goes from the Grub4DOS bootloader to the Hiren's Bootloader.

Best Answer

First, for using bootable CDs you don't need multiboot, so this is a part that I don't understand.

Second, why not put all the sensitive data in one encrypted truecrypt partition that you can open from whichever OS that you boot from.

Third, if this is company data you are protecting, you could maybe justify buying hardware encryption such as Apricorn Aegis Secure Key, or Imation Defender F200 Biometric Flash Drive.

Related Solutions

Windows – How to chain GRUB2 for Ubuntu 10.04 from Truecrypt & its bootloader (multi boot alongside Windows XP partition)

This is pretty easy. Partition your disk, install Windows and Ubuntu. Use TrueCrypt on the Windows partition, which will encrypt Windows but leave Ubuntu unencrypted.

You'll then find you can probably only boot into Windows, and then through the TrueCrypt bootloader. Sounds like you're there already.

Say your disk is sda, with Windows on sda1 and Linux on sda2 (this is hypothetical, yours looks like it won't be sda2). TrueCrypt will install onto the MBR on sda and overwrite GRUB.

Use the Ubuntu distro CD to boot up a live CD, then chroot into your pre-installed system. Like so:

sudo su -
mkdir -p /mnt/ubuntu
mount /dev/sda2 /mnt/ubuntu
mount --bind /proc /mnt/ubuntu/proc
mount --bind /dev /mnt/ubuntu/dev
chroot /mnt/ubuntu

Then install the GRUB bootloader, but to sda2, rather than sda.

grub-install /dev/sda2 --force

Then, when you reboot, you'll still get the TrueCrypt loader asking you for a password to boot from sda -> sda1 into Windows. But when you press ESCAPE you'll get the option to bypass and boot straight into Linux, but from sda2 rather than the MBR.

But wait

Before you do this, one caveat: if you get your grub-install wrong, and overwrite the sda MBR, or if you do a kernel upgrade which triggers GRUB to overwrite the MBR, you'll find you need to reinstall the TrueCrypt bootloader in order to get back into Windows. This is a massive hassle if you're not prepared.

I'd suggest that before you fiddle with GRUB, you back up the TrueCrypt bootloader stuff from within Linux. That way, when you break TrueCrypt and can only get into Linux, you can easily write it back.

Back up your TrueCrypt boot loader:

dd if=/dev/sda of=~/truecrypt.mbr count=1 bs=512
dd if=/dev/sda of=~/truecrypt.backup count=8 bs=32256 # Just in case

Restore your TrueCrypt boot loader (I call this restore-truecrypt.sh):

sudo dd if=~/truecrypt.mbr of=/dev/sda count=1 bs=512
sudo dd if=~/truecrypt.backup of=/dev/sda count=8 bs=32256
sudo grub-install /dev/sda2 --force

I have both of these sets of commands in little shell scripts, which I keep handy. When I accidentially zap my bootloader (it happens) I don't want to be Googling around for the commands or reading man.

Oh, and a word on compatibility. When I write "GRUB", I meant GRUB 1 or 2. Personally, I do it with GRUB 2 on 10.04 and Windows 7... but it worked fine with older versions of GRUB, Windows and Linux.

Linux – Booting Linux live CD from USB

UNetbootin can boot any live CD image off a USB stick. (I think it works by emulating a CD drive.)

Some other options are listed here.

If you wanted to include several bootable CDs on the same USB drive, see How can I keep multiple live/bootable ISO images on a single USB drive?.

Best Answer

Related Solutions

Windows – How to chain GRUB2 for Ubuntu 10.04 from Truecrypt & its bootloader (multi boot alongside Windows XP partition)

But wait

Linux – Booting Linux live CD from USB

Related Question