Encrypting a multi-boot USB drive


Solution 1

First, for using bootable CDs you don't need multiboot, so this is a part that I don't understand.

Second, why not put all the sensitive data in one encrypted TrueCrypt partition that you can open from whichever OS you boot from?

Third, if this is company data you are protecting, you could maybe justify buying hardware encryption such as Apricorn Aegis Secure Key, or Imation Defender F200 Biometric Flash Drive.


Solution 2

If you want to use software encryption, you will not be able to boot most Linux ISOs if the ISO files are encrypted. The only ISOs which could boot in this case are those which load everything into the initramfs (one example is RIPLinux; unfortunately, it seems that its development has stopped), or those that you modified to add encryption support to their initramfs.

The problem is that the bootloader used by TrueCrypt (or any other software encryption program) can set up a BIOS INT 13h handler to provide the next bootloader with access to the encrypted data, but this INT 13h handler cannot be used after the Linux kernel has started. However, most Linux ISOs need to have access to the ISO contents after starting Linux, and everything needed to get such access must be present in the initramfs image (which is loaded by the bootloader using BIOS INT 13h calls before starting the Linux kernel). Of course, you won't find TrueCrypt support in the initramfs of any usual Linux ISO.

In fact, even making the initramfs code from a Linux ISO find the ISO contents when booting from USB requires some hacks. If you read the description of the ISO boot process used by Easy2Boot, you will notice that it modifies the partition table of the USB drive to add a partition which corresponds to the sector range used by the ISO image file (which is required to be contiguous — i.e., not fragmented); the initramfs code should then mount this partition to get access to the ISO contents. Obviously, this will not work if the ISO image is encrypted, unless the initramfs code is modified to support the encryption used.

So you have these options:

  1. Avoid including any sensitive data into ISO images. Create two partitions on the USB drive — one for sensitive data (encrypted by TrueCrypt or whatever you choose), another for booting (unencrypted).

  2. Figure out how to install a usable bootloader inside a TrueCrypt partition, then either use only initramfs-based ISOs, or modify initramfs images to add TrueCrypt support. If you choose this way, I would suggest trying SYSLINUX first, because, unlike GRUB, it does not attempt to install into the MBR (and you need to avoid using the MBR and the embedding area before the first partition, because the TrueCrypt bootloader will be installed there).

  3. Buy a USB drive with hardware encryption which can be unlocked without any software — e.g., one of the drives suggested in the other answer. However, check carefully before you buy, or you may run into some problems — e.g., for the Apricorn Aegis Secure Key one of the reviews on Amazon says:

    It seems to dislike even the slightest power interruptions. If I connect it before starting an OS, during the boot of Windows or Linux when it detects USB devices, it will disconnect it due to the brief interruption in USB connectivity. I will have to reach down and enter the PIN again.

    Note: This is not a scenario that it is advertised to work in or anything, but I was able to do this on my previous pin-pad-having USB drive without issues... I installed Linux on the drive so that it was bootable, but when I try to boot Linux, it disconnects it during the phase where it detects USB devices. It continues booting if I reach down and re-unlock the drive, but it's a pain.

    And the Imation Defender F200 Biometric drive might turn out not to be usable for booting if it also resets in such cases, and turns out to be too slow to unlock during BIOS initialization. The support article confirms its compatibility with Linux if only biometric authentication is enabled, so there is some chance of success, but…
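The Easy2Boot trick described in this answer (an unfragmented ISO file exposed through a partition-table slot covering its sector range) can be modelled in a few lines. The following is an added example, not code from the answer or from Easy2Boot: it takes file extents of the kind `filefrag -v` reports (constructed inline here), refuses fragmented or misaligned ISOs, and writes a 16-byte MBR entry into a copy of the boot sector. The partition type byte 0x96 (an ISO9660 type id in common tables) is an assumption of this example.

```python
"""Build an MBR partition entry covering a contiguous ISO file's sector range."""
import struct

SECTOR = 512
LBA_MAX = 2**32 - 1
ISO_TYPE = 0x96  # assumed ISO9660 type id; Easy2Boot's own choice is not shown on the page


def extents_to_lba_range(extents, partition_start_lba):
    """extents: list of (file_offset, physical_offset, length) in bytes, relative
    to the filesystem holding the ISO (as filefrag reports them).
    Returns (start_lba, sector_count) on the whole drive, or raises if the ISO
    is fragmented, not sector-aligned, or too large for a 32-bit MBR entry."""
    ext = sorted(extents)
    if not ext or ext[0][0] != 0:
        raise ValueError("extent list must start at file offset 0")
    for foff, poff, ln in ext:
        if foff % SECTOR or poff % SECTOR or ln % SECTOR:
            raise ValueError("extent not sector-aligned")
    # Contiguous means each extent follows the previous one in both file and disk space.
    for a, b in zip(ext, ext[1:]):
        if a[0] + a[2] != b[0] or a[1] + a[2] != b[1]:
            raise ValueError("ISO is fragmented; defragment it before booting")
    start = partition_start_lba + ext[0][1] // SECTOR
    count = sum(e[2] for e in ext) // SECTOR
    if start > LBA_MAX or count > LBA_MAX:
        raise ValueError("range exceeds 32-bit LBA")
    return start, count


def mbr_entry(start_lba, count, ptype=ISO_TYPE):
    """16-byte slot: inactive, CHS fields set to the 'beyond CHS' marker (LBA is what matters)."""
    return struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, count)


def patch_mbr(mbr, slot, entry):
    """Return a copy of the 512-byte MBR with partition slot 0..3 replaced by entry."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR image")
    if not 0 <= slot <= 3:
        raise ValueError("slot must be 0..3")
    off = 446 + 16 * slot
    return mbr[:off] + entry + mbr[off + 16:]


def parse_entry(mbr, slot):
    """Read back (type, start_lba, sector_count) from a partition slot."""
    off = 446 + 16 * slot
    _, _, ptype, _, start, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
    return ptype, start, count
```

On a real drive the same check is what makes an encrypted ISO unbootable: the sector range exists, but its contents are ciphertext the initramfs cannot mount.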

Author: Will

Updated on September 18, 2022

Comments

  • Will
    Will almost 2 years

    Goal:
    Full encryption of a multi-boot USB drive containing boot CDs and confidential information

    Problem:
    I have been experimenting with XBoot (https://sites.google.com/site/shamurxboot/download) in order to create a multi-boot USB flash drive that I can use for work (carrying around various OSes and boot CDs).

    For those not acquainted with XBoot, it copies the various ISOs to the flash drive and creates a boot loader as a front end in either Syslinux or Grub4dos. Or it can be set not to use any bootloader.

    I would like to be able to carry around some bootable CDs with company information preloaded onto them as well as having files stored on the drive.

    For reasons pertaining to the information stored in some of what I'm carrying, I would ideally like the entire drive to be encrypted.
    Edit:
    The ISO files as well as the partition where data is stored.

    Possible Solutions I've looked into:
    I understand that TrueCrypt (http://www.truecrypt.org/) is capable of using its own bootloader in order to decrypt a drive before it boots. I've used this before and understand in theory how to encrypt a drive in which I'm booting multiple operating systems.

    Edit: I know that TrueCrypt doesn't support EXT filesystems, but the drive would be formatted as FAT32/NTFS with all of the boot CDs existing as ISOs.

    Is there any way that I could install TrueCrypt to the drive and point one bootloader at another (It's not the cleanest approach but in my mind it stands the best chance of working)?

    Is there a cleaner/more efficient way of achieving the desired result?

    Edit 2:
    Ideally I'm looking for a software solution and not a hardware solution.

    Edit 3:
    I managed to encrypt the entire drive using TrueCrypt, but the front end bootloader isn't really meant to be used like a GRUB-type menu loader. Does anyone have any experience editing the menu?

    Edit 4:
    I tried using a different program as suggested by one of the responders, Easy2Boot. In functionality terms it works very similarly to XBoot in that it just creates a grub4dos boot menu front end for the ISO files. I ran into the same problem, where once this was set up, I couldn't properly point the TrueCrypt bootloader at this bootloader. So how would I accomplish this? I know it's possible because even from Easy2Boot, when I boot a live CD like Hiren's it goes from the Grub4DOS bootloader to the Hiren's bootloader.

  • Will
    Will about 11 years
    I have it set up so that I may boot from the flash drive, instead of going to the OS to boot. From there I can boot any OS/utility boot CD that I have loaded on the flash drive from a GRUB-type menu that allows me to select. I keep various account/password documents on the flash drive as well as quite a few network support tools specific to our network, all stored in a partition. Hardware encryption certainly is an option, but the cost for large drives is exponential. Ideally, I would encrypt my current 64GB USB 3 flash drive.
  • harrymc
    harrymc about 11 years
    You haven't answered my second point above.
  • Will
    Will about 11 years
    Apologies, I thought the logic behind my madness spoke for itself. haha I seek to encrypt the entire drive because if the drive is ever lost or stolen, it is useless and secure with all of the data. Since the ISOs would be encrypted as well, it could be assumed that the only person booting them would be myself and the risk of accessing the data is negligible. This setup is easier because once the drive is decrypted and a booted OS is running, the information would also be decrypted and eligible to be used by me for information purposes.
  • harrymc
    harrymc about 11 years
    This is entirely theoretical: Create a TrueCrypt bootable volume that will contain the ISOs, then use something like Easy2Boot to boot the correct ISO. This is an attempt to encrypt the entire USB rather than individual ISOs.
  • Will
    Will about 11 years
    Gave it a try and I put the results back in the question.
  • harrymc
    harrymc about 11 years
    I still think that encrypting the whole disk is the simplest way. Another method would be to partition the USB into two: (1) live boot CD - a minimal Linux or BartPE, (2) TrueCrypt partition containing the ISOs. You then boot into the live CD, mount the TrueCrypt partition, then start an ISO. This can be done in 2 ways: (1) as a virtual machine by portable VirtualBox or whatever, or (2) a utility such as MobaLiveCD.
  • harrymc
    harrymc about 11 years
    Simplicity is usually the safest way.
  • harrymc
    harrymc about 11 years
    Rewriting an existing answer in greater detail is not good netiquette - you should rather improve that answer.
  • Old Pro
    Old Pro about 11 years
    @harrymc, please provide a link to the pre-existing answer for proper attribution