Encrypt Your Dual boot Fedora and Windows



Cylinder57
31st August 2013, 03:39 AM
Hello everyone,

Do you want to dual-boot both Windows (e.g. Windows 7, Windows XP) and Fedora, and have both operating systems encrypted? Here's a guide on this topic.

Notes:
- This guide assumes that you're starting off only with an unencrypted Windows operating system.
- This guide also assumes that Fedora and Windows are on the same drive.
- You'll need a USB drive.
- This guide uses Diskcryptor.
- This post is for Fedora Live CD installs only.
- EDIT: If you want to verify Fedora.iso, please click on the following link and read the guide there:
http://www.forums.fedoraforum.org/showthread.php?t=294058
- EDIT: If you want to dual-boot encrypted Fedora (installed with DVD or netinstall) and encrypted Windows, please see:
http://www.forums.fedoraforum.org/showthread.php?t=294256 . It also covers verifying Diskcryptor.


1. Reduce the size of the existing Windows partition. You may or may not need Easeus Partition Master (See http://www.partition-tool.com/landing/home-download.htm .)

2. Note that this step and the next one are about encrypting Windows.

Download Diskcryptor. (See http://diskcryptor.net/wiki/Downloads/en .)

3. Install Diskcryptor. Then encrypt Windows with it.

4. Download the Fedora iso. (See https://fedoraproject.org/en/get-fedora-options#desktops .)
Then burn whatever downloaded iso file you have to a CD or a DVD.

5. Back up the MBR to a USB drive.

To do this, after restarting your computer and booting from a live CD:
- Enter a terminal
- Type “su” (without quotes)
- To back up the MBR to a USB drive, type the following code:

dd if=/dev/sda of=/run/media/liveuser/USBDRIVE/dc.mbr count=1 bs=512

USBDRIVE can be replaced with whatever name your USB drive is.
(Note that your USB should have been automounted.)

6. Note that steps 6 (this one) to 11 are about actually installing Fedora. I'll only explain the steps that pertain to encrypting Fedora.

After you have selected the language that you would use during the installation process, you should be at the “Installation Summary” screen.

This means you should see something along the lines of this:
[Screenshot: attachment 25392]

7. At this point, please click on “Installation destination.”

8. You should see something similar to the following screen:
[Screenshot: attachment 25393]
Press the “Done” button.

9.
[Screenshot: attachment 25394]
Click on the box that says “Encrypt my data. I'll set a passphrase later.”

If you want, you can click on the button saying “I want to review/modify my disk partitions before continuing.” However, you will have to do some additional things between step 10 and 11.

Then click on “Continue.”

10.
[Screenshot: attachment 25395]
Type in your password. Then press down to scroll to the “Confirm” button. After that, confirm your password. Finally, click on “Save Passphrase.”

11. You should be at the “Installation Summary” screen. Please click on the “Begin Installation” button.

12. After you have installed Fedora, you can only boot Fedora. Steps 12 (this one) to 15 are about allowing the encrypted Windows system to boot as well.

- Log in to Fedora. Then open a terminal.
- Type “su” (without quotes)
- Copy the MBR file (which is in the USB Drive) to the boot partition (/boot)

cp /run/media/USER/USBDRIVE/dc.mbr /boot/dc.mbr

Again, USBDRIVE can be replaced with whatever name your USB drive is. Also, USER can be replaced with whatever your username is.

13. To add a Windows boot option:
- Create a file named 11_windows in the /etc/grub.d directory:

rnano /etc/grub.d/11_windows

rnano can be replaced with any other text editor. Just make sure you use either a restricted text editor as root (e.g. rvim instead of vim) or use sudoedit as a user.

This quote from https://wiki.archlinux.org/index.php/Security#Editing_files_using_sudo explains why:

Using a text editor like vim as root is a security vulnerability as it allows one to execute arbitrary shell commands, and does not log the user who executed the commands.

14. Then, write the actual content in the 11_windows file:



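#!/bin/sh -e
# grub2-mkconfig copies this script's standard output into grub.cfg,
# so the status message is sent to standard error instead.
echo "Adding my Windows partition to my Grub 2 bootloader" >&2
cat << EOF
menuentry "Windows" --unrestricted {
    set root=(hdA,B)
    parttool (hdA,B) boot+
    chainloader (hdA,C)/dc.mbr
}
EOF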


Replace A with your drive number. Note that drives are numbered starting from 0. If you're using the first hard drive, A would be 0. If you're using the second hard drive, A would be 1.

Replace B with your Windows partition number. Note that partitions are numbered starting from 1.

To find the number B:
- In another terminal, type: fdisk -l (Or just open GParted.)
- Find what device Windows is represented as. Note that the Windows partition would have an HPFS, exFAT, etc. filesystem. Is the Windows system in /dev/sda1, /dev/sda2, /dev/sdb1, etc.?
- If the Windows operating system is in the first partition (e.g. /dev/sda1), then B would be 1. If Windows is in the second partition (e.g. /dev/sda2), then B would be 2.

Replace C with your /boot partition number. Again, note that partitions are numbered starting from 1.

To find the number C:

- Again, in another terminal, type: fdisk -l (Or just open GParted.)
- Find what device /boot is represented as. Is the Fedora /boot partition in /dev/sda1, /dev/sda2, /dev/sdb1, etc.?
- If /boot is in the first partition (e.g. /dev/sda1), then C would be 1. If /boot is in the second partition (e.g. /dev/sda2), then C would be 2.

- An example of 11_windows would be:



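#!/bin/sh -e
# grub2-mkconfig copies this script's standard output into grub.cfg,
# so the status message is sent to standard error instead.
echo "Adding my Windows partition to my Grub 2 bootloader" >&2
cat << EOF
menuentry "Windows" --unrestricted {
    set root=(hd0,1)
    parttool (hd0,1) boot+
    chainloader (hd0,2)/dc.mbr
}
EOF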


From the example:
- From (hd0,1), the Windows partition is in sda1 (Meaning Windows is in the first partition of the first drive.)
- From (hd0,2), the Fedora /boot partition is in sda2 (Meaning /boot is in the second partition of the first drive.)

EDIT: After writing the actual content of 11_windows, save the file. Then make 11_windows executable:


chmod u+x /etc/grub.d/11_windows

15. Finally, regenerate grub:

grub2-mkconfig -o /boot/grub2/grub.cfg

You should now be able to dual-boot an encrypted Windows system and encrypted Fedora.

Sincerely,

Cylinder57
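
Added example, not part of the original post: a shell sketch of two checks around steps 5 and 12 to 14. It confirms that a saved dc.mbr is a single 512-byte sector ending in the 55 AA boot signature, and it derives the (hdA,B) and (hdA,C) values from /dev/sdXN names using the guide's numbering. The function names are hypothetical, and the /dev/sda = hd0 mapping is an assumption taken from the guide (GRUB's own drive order can differ).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Step 5/12 check: the backup must be one 512-byte sector ending in 55 AA.
# This proves only "looks like a boot sector", not that it is DiskCryptor's.
check_mbr_backup() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "bad size: $size bytes" >&2; return 1; }
    sig=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no 55aa boot signature" >&2; return 1; }
}

# Step 14 mapping, per the guide: drives count from 0, partitions from 1.
# Assumption: /dev/sda is GRUB's hd0, /dev/sdb is hd1, and so on.
grub_dev() {
    case $1 in
        /dev/sd[a-z][1-9]*) ;;
        *) echo "unsupported device name: $1" >&2; return 1 ;;
    esac
    rest=${1#/dev/sd}          # e.g. "a2"
    part=${rest#?}             # e.g. "2"
    letter=${rest%"$part"}     # e.g. "a"
    case $part in *[!0-9]*) echo "bad partition: $part" >&2; return 1 ;; esac
    echo "(hd$(( $(printf '%d' "'$letter") - 97 )),$part)"
}

# Print the menuentry for a Windows partition ($1) and a /boot partition ($2).
render_entry() {
    win=$(grub_dev "$1") || return 1
    boot=$(grub_dev "$2") || return 1
    cat <<EOF
menuentry "Windows" --unrestricted {
    set root=$win
    parttool $win boot+
    chainloader $boot/dc.mbr
}
EOF
}

# Constructed sample: 510 zero bytes + 55 AA (not a real boot sector).
tmp=$(mktemp -d)
{ dd if=/dev/zero bs=510 count=1 2>/dev/null; printf '\125\252'; } > "$tmp/dc.mbr"
check_mbr_backup "$tmp/dc.mbr" && render_entry /dev/sda1 /dev/sda2
rm -rf "$tmp"
```

Running check_mbr_backup on /boot/dc.mbr before step 15 catches a truncated or empty copy from the USB drive before GRUB is pointed at it.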