Adam Prescott

Dual-booting Arch Linux and Windows 7 with full-disk encryption

You have a computer with a single drive with Windows 7 on it. You want to dual-boot Linux, specifically Arch Linux. You want full-disk encryption. How do you do it?

You won’t quite get full-disk encryption following this, but you can get close. Boot partitions will remain unencrypted.

It’s assumed that this is your initial setup:

/dev/sda1 Windows boot/recovery partition
/dev/sda2 Windows partition
    *     [sufficient free space on /dev/sda for a Linux install]

By the end, you will have this:

/dev/sda1 Windows boot/recovery partition (unencrypted)
/dev/sda2 Windows partition (fully encrypted with TrueCrypt)
/dev/sda3 Linux /boot partition (unencrypted)
/dev/sda4 Linux LVM volume (fully encrypted with dm-crypt/LUKS)

The LVM volume on /dev/sda4 will contain all your other regular Linux partitions: /, /home, and swap, or whatever your preferred configuration is.

It should be noted that I’ve only followed this approach with legacy Grub (0.97) and not Grub2 (1.97).


TrueCrypt will encrypt a system partition in-place, even allowing you to pause the process, reboot, and continue where you left off. Encrypting a Linux system can be a little more involved, but with Google and some persistence, it’s not too difficult to do with dm-crypt/LUKS.

The issue with trying to do both at once is the bootloader.

When you encrypt Windows using TrueCrypt, TrueCrypt installs its own bootloader (along with a partition table) into the master boot record in the first 512 bytes of the drive. With Linux and encryption, dual-boot aside, the /boot partition is unencrypted and Grub is configured to know that the other partition is encrypted with dm-crypt/LUKS, which, in this setup, contains within it a partition managed by LVM.

The TrueCrypt bootloader is set to load up a specific partition, and so if the TrueCrypt partition is in the master boot record, the Linux boot partition isn’t accessible, meaning, of course, that the Linux system isn’t bootable. Since Grub is easily configured, then it seems the best thing is to find a way to hang TrueCrypt off the end of Grub. Which is what this post is about.

Other approaches

There are various guides out there on how to set up Linux and Windows with partition encryption, some of which talk about using TrueCrypt’s bootloader chaining feature where you press <ESC>. I didn’t have any luck with that approach and I think this way is more robust. It also doesn’t require editing the Windows bootloader configuration, which in Windows 7 is more than just editing a text file. There appears to be a more refined Grub2-specific project, grub2tc, to convert the TrueCrypt bootloader into something that understands grub2, but since Arch used legacy Grub when I first tried to get this setup, that wasn’t of much use.

Let’s go

The executive summary:

  1. Use the free space to install Linux on an encrypted partition along-side Windows.
  2. Encrypt Windows with TrueCrypt.
  3. Copy the master boot record containing the TrueCrypt bootloader.
  4. Reinstall Grub to the master boot record.
  5. Add a Grub bootloader menu entry pointing to the TrueCrypt bootloader which was copied.

The first step is to do a backup of any files so that you can recover if it all goes wrong. If you are so inclined, ghost the entire drive.

Install Linux, encrypted

Next, install Linux with encryption, using LVM on LUKS. How to do this is beyond scope, but the Arch Linux installer should allow you to avoid too much manual work at the command line. The Arch Linux wiki also covers it.

At this stage, you should have:

/dev/sda MBR with Grub
/dev/sda1 Windows 7 boot/recovery partition (unencrypted)
/dev/sda2 Windows 7 partition (unencrypted)
/dev/sda3 Linux /boot partition (unencrypted)
/dev/sda4 Linux LVM partition (encrypted with dm-crypt LUKS)

Boot into both Windows and Linux at least once to make sure you’re happy both systems are bootable.

Encrypt Windows with TrueCrypt

Boot into Windows and encrypt the system partition with TrueCrypt. This will install the TrueCrypt bootloader to the master boot record of the drive, overwriting Grub.

Since TrueCrypt knows nothing about dual-booting, your Linux install should no longer be reachable. Starting the machine should give you the TrueCrypt bootloader, which should take you to Windows.

Copy the TrueCrypt bootloader

Boot into the same Arch Linux installer you used to first install Linux. You don’t want a version mismatch between the bootloader in the master boot record and the stuff which has been installed to /boot.

You now need to make a copy of the TrueCrypt bootloader installed in the master boot record. This bootloader will be added as an entry in Grub so that you can boot back into Windows. We can keep the backup in /dev/sda3 (/boot) by mounting the partition. At the command line:

mkdir /mnt/boot
mount /dev/sda3 /mnt/boot
dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512
umount /mnt/boot

You may want to keep a copy on an external drive, for safe-keeping. If anything goes wrong with the bootloaders, you can restore the TrueCrypt bootloader to /dev/sda and you will at least be able to get back to Windows.

Reinstall Grub

With the backup of the TrueCrypt bootloader made, you can now reinstall Grub to the master boot record (the proper steps for this helpfully made available on the German version of the Arch Wiki, but nowhere else, it seems).

mkdir /mnt/arch
cryptsetup luksOpen /dev/sda4 arch
mount /dev/mapper/arch /mnt/arch
mount /dev/sda3 /mnt/arch/boot
mount -o bind /proc /mnt/arch/proc
mount -o bind /dev /mnt/arch/dev
mount -o bind /sys /mnt/arch/sys
chroot /mnt/arch /bin/bash
grep -v rootfs /proc/mounts > /etc/mtab
grub-install /dev/sda

When you first run mount /dev/mapper/arch /mnt/arch you may get "unknown filesystem type 'LVM2_member'". In order to mount an encrypted LVM partition, you need lvm2.

pacman -S lvm2
modprobe dm-mod
lsmod | grep dm_crypt # to check it's been loaded
vgchange -ay cryptvg  # or whatever your LVM VG name is
lvs                   # lists your LVM volumes

So, having run grub-install /dev/sda, this is the configuration on the drive so far:

/dev/sda MBR with Grub
/dev/sda1 Windows 7 boot/recovery partition (unencrypted)
/dev/sda2 Windows 7 partition (encrypted with TrueCrypt)
/dev/sda3 Linux /boot partition (unencrypted)
/dev/sda4 Linux LVM partition (encrypted with dm-crypt LUKS)

At this point, you should be able to boot into Linux and only Linux, since Grub isn’t aware of the Windows partition and so Windows isn’t accessible. A reboot into Linux should confirm the system starts normally.

Point Grub at TrueCrypt

Now you need to make Grub aware of the TrueCrypt bootloader which is kept in /boot. Edit /boot/grub/menu.lst and append:

# (2) Windows
title Windows
rootnoverify (hd0,0)
chainloader (hd0,2)/truecrypt.mbr

To understand what this is doing you can check the Grub documentation for rootnoverify and chainloader, but in short it chains Grub and TrueCrypt via the copy of the bootloader kept in the /boot/truecrypt.mbr file.

After that change, the relevant part of /boot/grub/menu.lst should look something like:

# (0) Arch Linux
title  Arch Linux
root   (hd0,2)
kernel /vmlinuz-linux root=/dev/mapper/cryptvg-root cryptdevice=/dev/sda4:cryptvg ro
initrd /initramfs-linux.img

# (1) Arch Linux
title  Arch Linux Fallback
root   (hd0,2)
kernel /vmlinuz-linux root=/dev/mapper/cryptvg-root cryptdevice=/dev/sda4:cryptvg ro
initrd /initramfs-linux-fallback.img

# (2) Windows
title Windows
rootnoverify (hd0,0)
chainloader (hd0,2)/truecrypt.mbr

Test it out

At this point, you should be ready to go. The bootloader will initially be Grub, which will have the option of either booting Arch after prompting for the LUKS password, or of firing up Windows by loading the TrueCrypt bootloader kept in /boot/truecrypt.mbr.

The hard part from here is understanding the security and backup implications of having an encrypted drive, since there are various details related to making copies of encryption headers, and changing passwords. The same goes for the TrueCrypt volume.