How do I get Grub2 to boot a Truecrypt-encrypted MBR?


Solution 1

@stefan.at.wpf's solution is the one recommended all over the Internet. It would not work for me. At all. But I found another solution, which did work for me.

Essentially, you chain-load GRUB2 to load SYSLINUX, which in turn boots the TrueCrypt Rescue ISO image, which allows you to boot into Windows.

I have documented the full details here. The summary version, though, would be:

  1. Install syslinux:

    sudo aptitude install syslinux
    
  2. Copy files into place:

    sudo cp /usr/lib/syslinux/memdisk /boot/
    sudo cp TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso
    
  3. Determine the UUID of your boot partition:

    sudo blkid /dev/sda2
    

    Output should look something like this:

    /dev/sda3: UUID="12345678-1234-1234-1234567890"

  4. Configure GRUB2:

    Add the following to /etc/grub.d/40_custom:

    menuentry "TrueCrypt ISO boot" {
        insmod part_msdos
        insmod fat
        insmod ext2
        insmod search_fs_uuid
        search --fs-uuid --no-floppy --set=boot [UUID without quotes]
        linux16 ($boot)/memdisk iso raw
        initrd16 ($boot)/truecrypt-rescue-disk.iso
    }
    
  5. Re-load GRUB2 configuration

    sudo update-grub
    

Note that this will show you the [F8] Repair options every time you boot into Windows, as we're fooling the system by booting the TrueCrypt Rescue CD image from the hard drive, rather than using the "normal" TrueCrypt boot method. But it seems like a small drawback to me (and might even be considered an added feature!)

Solution 2

Solution: Before encrypting Windows, install GRUB2 to /boot using

    grub-install /dev/sda2 --force

Ignore the warning. Then install TrueCrypt and make the Windows partition active (e.g. using diskpart on the Windows 7 setup CD). ESC in the TC bootloader now leads to GRUB - all fine :-) Mounting the encrypted root using LUKS from a live CD and installing GRUB2 using chroot should also be possible; I forgot this simple solution.

Author: stefan.at.wpf

Updated on September 18, 2022

Comments

  • stefan.at.wpf
    stefan.at.wpf over 1 year

    Given the following system:

    /dev/sda1 Windows, encrypted using TrueCrypt
    /dev/sda2 /boot
    /dev/sda3 /, encrypted (LUKS or how it is called)
    

    I now need GRUB2 to boot my truecrypt mbr ): Any hint on this? I found some guides for GRUB2 and TrueCrypt, but they all assume that the linux root partition is not encrypted, which is the case in my situation ):

    • ish
      ish almost 12 years
      What is your current bootloader? How are you booting Linux/Windows now?
    • stefan.at.wpf
      stefan.at.wpf almost 12 years
      Linux not at all as of the time of writing, but see my answer below for more details ;-)
  • James Draper
    James Draper over 6 years
    Has this method given you any problems since then? Have you tried this with VeraCrypt?
  • James Draper
    James Draper over 6 years
    This method worked for me! I'm running linux mint cinnamon 18.2 as my first boot disk with my veracrypt-ed Win7 up second.
  • ZAB
    ZAB over 6 years
    You forget to add Restore key data (volume header) on first recovery run after GRUB reinstall procedure. GRUB overwrites sector 62 where the volume header is stored. So far GRUB's core.img is smaller than that and it is safe to overwrite sector 62, it may be changed in future. Although the procedure needs to be repeated after every GRUB reinstallation, i.e. after every major Linux update.
  • ZAB
    ZAB over 6 years
    The two-disk setup is the standard use case for GRUB, there is nothing to fix here already. The question was about two Linux/Windows partitions on the same drive, which is tricky.
  • Flimzy
    Flimzy over 6 years
    @ZAB: No, I did not forget anything. The answer I provided worked, as described. Although that was over 4 years ago. There's an excellent chance those instructions are no longer precise. But I assure you, I did not forget.
  • ZAB
    ZAB over 6 years
    It may not always be the case, but many other commenters noted this missed step under your blog entry. Also the grub2tc where you found the solution described this step as well. Why not just add it here too in the end with an asterisk mark to help others in troubleshooting?
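
ZAB's comments above say that a GRUB reinstall can overwrite sector 62, where the volume header is stored. The script below is an added example, not part of the original thread: it snapshots that sector before a GRUB reinstall and reports afterwards whether it changed. The 512-byte sector size, the function names and the backup file path are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: snapshot one sector of a disk (or disk image) and detect
# whether a later GRUB reinstall modified it. SECTOR defaults to 62, the
# sector named in the comment thread; 512-byte sectors are assumed.
SECTOR_SIZE=512

# sector_hash DEVICE [SECTOR] -> prints the SHA-256 of that sector
sector_hash() {
    local dev=$1 sector=${2:-62}
    dd if="$dev" bs="$SECTOR_SIZE" skip="$sector" count=1 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

# save_sector DEVICE BACKUP [SECTOR] -> raw copy of the sector plus its hash
save_sector() {
    local dev=$1 out=$2 sector=${3:-62}
    dd if="$dev" of="$out" bs="$SECTOR_SIZE" skip="$sector" count=1 \
        2>/dev/null || return 1
    # A short read means the device is smaller than expected: refuse to
    # record a snapshot that would later compare against nothing.
    [ "$(( $(wc -c < "$out") ))" -eq "$SECTOR_SIZE" ] || return 1
    sha256sum < "$out" | cut -d' ' -f1 > "$out.sha256"
}

# sector_changed DEVICE BACKUP [SECTOR] -> exit 0 if the sector now differs
sector_changed() {
    local dev=$1 backup=$2 sector=${3:-62}
    [ "$(sector_hash "$dev" "$sector")" != "$(cat "$backup.sha256")" ]
}

# Usage (as root):  script save  /dev/sda /root/sector62.bin   # before grub-install
#                   script check /dev/sda /root/sector62.bin   # after grub-install
case "${1:-}" in
    save)
        save_sector "$2" "$3" || { echo "could not read sector" >&2; exit 2; }
        ;;
    check)
        if sector_changed "$2" "$3"; then
            echo "sector 62 changed since the snapshot: restore key data" \
                 "(volume header) from the rescue disk before booting Windows"
            exit 1
        fi
        echo "sector 62 unchanged"
        ;;
esac
```

The script only reads from the disk; restoring the header is left to the rescue disk's own "Restore key data (volume header)" function mentioned in the comment.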