Encrypting a multi-boot USB drive
Solution 1
First, for using bootable CDs you don't need multiboot, so this is a part that I don't understand.
Second, why not put all the sensitive data in one encrypted TrueCrypt partition that you can open from whichever OS you boot from?
Third, if this is company data you are protecting, you could maybe justify buying hardware encryption such as Apricorn Aegis Secure Key, or Imation Defender F200 Biometric Flash Drive.
Solution 2
If you want to use software encryption, you will not be able to boot most Linux ISOs if the ISO files are encrypted. The only ISOs which could boot in this case are those which load everything into initramfs (one example is RIPLinux; unfortunately, it seems that its development has stopped), or those that you modified to add encryption support to their initramfs.
The problem is that the bootloader used by TrueCrypt (or any other software encryption program) can set up a BIOS INT 13h handler to provide the next bootloader with access to the encrypted data, but this INT 13h handler cannot be used after the Linux kernel has started. However, most Linux ISOs need to have access to the ISO contents after starting Linux, and everything needed to get such access must be present in the initramfs image (which is loaded by the bootloader using BIOS INT 13h calls before starting the Linux kernel). Of course, you won't find TrueCrypt support in the initramfs of any usual Linux ISO.
In fact, even making the initramfs code from a Linux ISO find the ISO contents when booting from USB requires some hacks. If you read the description of the ISO boot process used by Easy2Boot, you will notice that it modifies the partition table of the USB drive to add a partition which corresponds to the sector range used by the ISO image file (which is required to be contiguous — i.e., not fragmented); the initramfs code should then mount this partition to get access to the ISO contents. Obviously, this will not work if the ISO image is encrypted, unless the initramfs code is modified to support the encryption used.
So you have these options:

- Avoid including any sensitive data in ISO images. Create two partitions on the USB drive — one for sensitive data (encrypted by TrueCrypt or whatever you choose), another for booting (unencrypted).
- Figure out how to install a usable bootloader inside a TrueCrypt partition, then either use only initramfs-based ISOs, or modify initramfs images to add TrueCrypt support. If you choose this way, I would suggest trying SYSLINUX first, because, unlike GRUB, it does not attempt to install into the MBR (and you need to avoid using the MBR and the embedding area before the first partition, because the TrueCrypt bootloader will be installed there).
- Buy a USB drive with hardware encryption which can be unlocked without any software — e.g., one of the drives suggested in the other answer. However, check carefully before you buy, or you may run into some problems — e.g., for the Apricorn Aegis Secure Key, one of the reviews on Amazon says:

  > It seems to dislike even the slightest power interruptions. If I connect it before starting an OS, during the boot of Windows or Linux when it detects USB devices, it will disconnect it due to the brief interruption in USB connectivity. I will have to reach down and enter the PIN again.
  >
  > Note: This is not a scenario that it is advertised to work in or anything, but I was able to do this on my previous pin-pad-having USB drive without issues... I installed Linux on the drive so that it was bootable, but when I try to boot Linux, it disconnects it during the phase where it detects USB devices. It continues booting if I reach down and re-unlock the drive, but it's a pain.

  And the Imation Defender F200 Biometric drive might turn out to be not usable for booting if it also resets in such cases, and turns out to be too slow to unlock during BIOS initialization. The support article confirms its compatibility with Linux if only biometric authentication is enabled, so there is some chance of success, but…
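To make the partition-table trick described in this answer concrete, here is an added example (written for this page; it is not Easy2Boot's code and not part of the original answer). It parses and builds a classic MBR partition table, maps a single contiguous ISO extent inside the unencrypted boot partition to a fourth-style partition entry the way the answer describes, refuses a fragmented ISO, and sanity-checks the two-partition layout (unencrypted boot partition plus a separate partition to be encrypted) for partial overlaps. The sector numbers and the ISO extent are constructed sample values, not real device data; the extent list is assumed to come from a tool such as `filefrag -v` on the real drive.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
# One MBR entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"
CHS_UNUSED = b"\xfe\xff\xff"  # "LBA only" marker commonly written by modern partitioning tools


def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (wrong size or missing 0x55AA signature)")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def build_mbr(entries: list, boot_code: bytes = b"") -> bytes:
    """Assemble an MBR from up to four entry dicts; unused slots stay zeroed."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary partitions")
    mbr = bytearray(SECTOR)
    code = boot_code[:PART_TABLE_OFFSET]
    mbr[:len(code)] = code
    for i, e in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         e.get("status", 0), CHS_UNUSED, e["type"], CHS_UNUSED,
                         e["lba_start"], e["sectors"])
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def iso_partition_entry(fs_lba_start: int, extents: list, ptype: int = 0x00) -> dict:
    """Map an ISO file's on-disk extent to an MBR entry covering exactly its sectors.
    `extents` is a list of (byte_offset, byte_length) pairs relative to the start of
    the filesystem that holds the ISO (assumed to be obtained with filefrag or similar).
    A fragmented ISO has more than one extent and cannot be mapped to one entry."""
    if len(extents) != 1:
        raise ValueError("ISO is fragmented (%d extents); defragment it first" % len(extents))
    offset, length = extents[0]
    if offset % SECTOR or length % SECTOR:
        raise ValueError("extent is not sector-aligned")
    return {"status": 0, "type": ptype,
            "lba_start": fs_lba_start + offset // SECTOR, "sectors": length // SECTOR}


def _disjoint(a: dict, b: dict) -> bool:
    return (a["lba_start"] + a["sectors"] <= b["lba_start"]
            or b["lba_start"] + b["sectors"] <= a["lba_start"])


def _contains(outer: dict, inner: dict) -> bool:
    return (outer["lba_start"] <= inner["lba_start"]
            and inner["lba_start"] + inner["sectors"] <= outer["lba_start"] + outer["sectors"])


def layout_problems(entries: list) -> list:
    """Return a list of layout problems (empty when the table is consistent).
    Used entries must not touch the MBR sector, and any two used entries must be
    either disjoint or fully nested (an ISO-mapping entry nests inside the boot
    partition by design); a partial overlap means two things claim the same sectors."""
    used = [e for e in entries if e["sectors"] > 0]
    problems = []
    for e in used:
        if e["lba_start"] < 1:
            problems.append("partition at LBA %d overlaps the MBR sector" % e["lba_start"])
    for i in range(len(used)):
        for j in range(i + 1, len(used)):
            a, b = used[i], used[j]
            if not (_disjoint(a, b) or _contains(a, b) or _contains(b, a)):
                problems.append("entries %d and %d partially overlap" % (i, j))
    return problems


# Constructed sample layout (not real device data): entry 0 is the unencrypted FAT32
# boot partition holding the ISOs, entry 1 is the partition that will be encrypted.
BOOT = {"type": 0x0C, "lba_start": 2048, "sectors": 4_000_000}
DATA = {"type": 0x07, "lba_start": 4_002_048, "sectors": 8_000_000}
# Constructed extent list for one contiguous 700 MiB ISO starting 1 MiB into the filesystem
ISO_EXTENTS = [(1_048_576, 734_003_200)]


def demo():
    """Build the table with the mapped ISO entry, read it back, and check it."""
    iso = iso_partition_entry(BOOT["lba_start"], ISO_EXTENTS)
    parsed = parse_mbr(build_mbr([BOOT, DATA, iso]))
    return parsed, layout_problems(parsed)


if __name__ == "__main__":
    parsed, problems = demo()
    for e in parsed:
        print(e)
    print("problems:", problems or "none")
```

Running the block prints the three used entries plus the empty fourth slot; the mapped ISO entry starts at LBA 4096 and spans 1,433,600 sectors, nested inside the boot partition, and no problems are reported. Feeding `iso_partition_entry` two extents raises `ValueError`, which is exactly the case where the mapping trick cannot work.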
Will
Updated on September 18, 2022

Comments
Will almost 2 years

Goal:
Full encryption of a multi-boot USB drive containing boot CDs and confidential information

Problem:
I have been experimenting with XBoot (https://sites.google.com/site/shamurxboot/download) in order to create a multi-boot USB flash drive that I can use for work (carrying around various OS and boot CDs). For those not acquainted with XBoot, it copies the various ISOs to the flash drive and creates a boot loader as a front end in either Syslinux or Grub4dos. Or it can be set to not use any bootloader.
I would like to be able to carry around some bootable CDs with company information preloaded onto them as well as having files stored on the drive.
For reasons pertaining to the information stored in some of what I'm carrying, I would ideally like the entire drive to be encrypted.

Edit:
The ISO files as well as the partition where data is stored.

Possible Solutions I've looked into:
I understand that TrueCrypt (http://www.truecrypt.org/) is capable of using its own bootloader in order to decrypt a drive before it boots. I've used this before and understand in theory how to encrypt a drive in which I'm booting multiple operating systems.

Edit: I know that TrueCrypt doesn't support EXT filesystems, but the drive would be formatted as FAT32/NTFS with all of the boot CDs existing as ISOs.

Is there any way that I could install TrueCrypt to the drive and point one bootloader at another? (It's not the cleanest approach, but in my mind it stands the best chance of working.)
Is there a cleaner/more efficient way of achieving the desired result?

Edit 2:
Ideally I'm looking for a software solution and not a hardware solution.

Edit 3:
I managed to encrypt the entire drive using TrueCrypt, but the front end bootloader isn't really meant to be used like a grub type menu loader. Does anyone have any experience editing the menu?

Edit 4:
I tried using a different program as suggested by one of the responders, Easy2Boot. In functionality terms it works very similarly to XBoot in that it just creates a grub4dos boot menu front end for the ISO files. I ran into the same problem, where once this was set up, I couldn't properly point the TrueCrypt bootloader at this bootloader. So how would I accomplish this? I know it's possible because even from Easy2Boot, when I boot a live CD like Hirens, it goes from the Grub4DOS bootloader to the Hiren's bootloader.
- Will about 11 years: I have it set up so that I may boot from the flash drive, instead of going to the OS to boot. From there I can boot any OS/utility boot CD that I have loaded on the flash drive from a grub type menu that allows me to select. I keep various account/password documents on the flash drive as well as quite a few network support tools specific to our network, all stored in a partition. Hardware encryption certainly is an option, but the cost for large drives is exponential. Ideally, I would encrypt my current 64GB USB3 flash drive.
- harrymc about 11 years: You haven't answered my second point above.
- Will about 11 years: Apologies, I thought the logic behind my madness spoke for itself. haha I seek to encrypt the entire drive because if the drive is ever lost or stolen, it is useless and secure with all of the data. Since the ISOs would be encrypted as well, it could be assumed that the only person booting them would be myself and the risk of accessing the data is negligible. This setup is easier because once the drive is decrypted and a booted OS is running, the information would also be decrypted and eligible to be used by me for information purposes.
- harrymc about 11 years: This is entirely theoretical: Create a TrueCrypt bootable volume that will contain the ISOs, then use something like Easy2Boot to boot the correct ISO. This is an attempt to encrypt the entire USB rather than individual ISOs.
- Will about 11 years: Gave it a try and I put the results back in the question.
- harrymc about 11 years: I still think that encrypting the whole disk is the simplest way. Another method would be to partition the USB into two: (1) live boot CD - a minimal Linux or BartPE, (2) TrueCrypt partition containing the ISOs. You then boot into the live CD, mount the TrueCrypt partition, then start an ISO. This can be done two ways: (1) as a virtual machine by portable VirtualBox or whatever, or (2) a utility such as MobaLiveCD.
- harrymc about 11 years: Simplicity is usually the safest way.
- harrymc about 11 years: Rewriting an existing answer in greater detail is not good netiquette - you should rather improve that answer.
- Old Pro about 11 years: @harrymc, please provide a link to the pre-existing answer for proper attribution.