Windows – Making the Truecrypt bootloader less obvious on a dual Windows 7 system

This is very important! TrueCrypt system encryption partition DOESN'T CONTAIN TRUECRYPT HEADER. Non-system Truecrypt encrypted partition or file container contain header at first 128 blocks and backup copy at last 128 blocks of file/partition. So it's to impossible to decrypt systen encryption partition without backup header. Header of system partition is at the last block of hdd's first track. You can backup header:

dd if=/dev/sdx of=header.img bs=512 count=1 skip=62

If you want to access partition backup you have to clone partition to same size primary partition to different hdd and mark it as bootable. Then you have to restore header. First check if the first track is empty:

sfdisk -l /dev/sdy

If first partition strats at block 63 or more it's ok but if it's lower block number you can't continue. Restore your header

dd if=header.img of=/dev/sdy bs=512 count=1 seek=62

The you can access your backed up system partition using "Mount partition using system encryption without pre-boot authentication".

Theoretically you can convert Truecrypt system partition to standard Truecrypt parition or file container but you would have to chage some bytes in encrypted header. (decrypt header, change and encrypt again) http://www.truecrypt.org/docs/?s=volume-format-specification byte 124 and 252

This is pretty easy. Partition your disk, install Windows and Ubuntu. Use TrueCrypt on the Windows partition, which will encrypt Windows but leave Ubuntu unencrypted.

You'll then find you can probably only boot into Windows, and then through the TrueCrypt bootloader. Sounds like you're there already.

Say your disk is sda, with Windows on sda1 and Linux on sda2 (this is hypothetical, yours looks like it won't be sda2). TrueCrypt will install onto the MBR on sda and overwrite GRUB.

Use the Ubuntu distro CD to boot up a live CD, then chroot into your pre-installed system. Like so:

sudo su -
mkdir -p /mnt/ubuntu
mount /dev/sda2 /mnt/ubuntu
mount --bind /proc /mnt/ubuntu/proc
mount --bind /dev /mnt/ubuntu/dev
chroot /mnt/ubuntu

Then install the GRUB bootloader, but to sda2, rather than sda.

grub-install /dev/sda2 --force

Then, when you reboot, you'll still get the TrueCrypt loader asking you for a password to boot from sda -> sda1 into Windows. But when you press ESCAPE you'll get the option to bypass and boot straight into Linux, but from sda2 rather than the MBR.

But wait

Before you do this, one caveat: if you get your grub-install wrong, and overwrite the sda MBR, or if you do a kernel upgrade which triggers GRUB to overwrite the MBR, you'll find you need to reinstall the TrueCrypt bootloader in order to get back into Windows. This is a massive hassle if you're not prepared.

I'd suggest that before you fiddle with GRUB, you back up the TrueCrypt bootloader stuff from within Linux. That way, when you break TrueCrypt and can only get into Linux, you can easily write it back.

Back up your TrueCrypt boot loader:

dd if=/dev/sda of=~/truecrypt.mbr count=1 bs=512
dd if=/dev/sda of=~/truecrypt.backup count=8 bs=32256 # Just in case

Restore your TrueCrypt boot loader (I call this restore-truecrypt.sh):

sudo dd if=~/truecrypt.mbr of=/dev/sda count=1 bs=512
sudo dd if=~/truecrypt.backup of=/dev/sda count=8 bs=32256
sudo grub-install /dev/sda2 --force

I have both of these sets of commands in little shell scripts, which I keep handy. When I accidentially zap my bootloader (it happens) I don't want to be Googling around for the commands or reading man.

Oh, and a word on compatibility. When I write "GRUB", I meant GRUB 1 or 2. Personally, I do it with GRUB 2 on 10.04 and Windows 7... but it worked fine with older versions of GRUB, Windows and Linux.