
Chainloading to TrueCrypt Boot Loader in Multi-boot Setup

truecrypt multiboot windows7 windows decoy honeypot

12 replies to this topic

#1 astanasto

  • Members
  • 7 posts
    United States

Posted 20 June 2012 - 09:05 AM

I'm trying to build my laptop to multiboot two installations of Windows 7. That in and of itself is no problem. I currently have two Windows 7 installations using the Windows boot loader/menu and a shared boot partition.

However, my end goal involves the following:
  • The first installation should be set to boot automatically as the default in whatever boot loader I am using and require NO pre-boot authentication.
  • The second install should be on a partition encrypted with TrueCrypt using pre-boot authentication.
  • Booting from removable devices will be disabled in BIOS in the final configuration - the solution should not rely on keys or bootloaders on USB drives except those needed during initial install
  • HP Pavilion w/Insyde BIOS
  • single 240GB SSD
  • no optical / floppy
Current drive layout:
  • Stock Windows 7 bootloader in the MBR
  • 100MB Windows 7 primary partition (system/boot)
  • 32GB Windows 7 primary partition with OS installed
  • 192GB Windows 7 primary partition with OS installed
I have no qualms about blowing away and reinstalling / repartitioning things if needed.

If I simply install TrueCrypt while booted into the second operating system and configure it to encrypt only the 192GB partition, it will replace the bootloader on the MBR. According to the warnings in the installer, it will then require pre-boot authentication regardless of whether the target operating system is on an encrypted partition or not.

I believe grub4dos (or perhaps just grub?) can help me get around this but I'm not sure how to proceed.

My plan:
  • Use TrueCrypt to encrypt the second operating system (192GB), letting it replace the bootloader in the MBR with its own.
  • Boot a live CD and save the TrueCrypt MBR to a file*.
  • install grub4dos to the MBR
  • configure grub4dos to have a menu behaving as described above. not sure how to do this yet.
  • configure first option to boot first Windows 7**
  • configure second option to chainload to the TrueCrypt mbr file which performs PBA and then boots the second Windows 7
  • Is grub4dos the right tool or could/should I use grub/grub2?
  • * Can I put the truecrypt mbr file on the 100MB Windows partition or do I need to create a new boot partition for grub4dos to find the truecrypt boot loader on?
  • ** Can grub4dos boot Windows 7 or must it chainload to a Windows boot loader?

#2 astanasto

  • Members
  • 7 posts
    United States

Posted 21 June 2012 - 09:40 PM

I'm using grub4dos, to be put on the drive's MBR and repurposing the 100MB "system reserved" partition left behind by Windows to hold the g4d files.

So far:
  • Installed Windows 7 to a 32GB partition
  • Installed Windows 7 a second time to a larger partition
  • Isolated Windows 7 boot files

To isolate the boot files, I did the following:
  • Mark first windows partition active
  • Boot from Windows 7 installer
  • launch command prompt and use bcdboot c:\windows /s c: and bootrec /fixmbr and /rebuildbcd
  • Reboot and test booting directly to the first Windows 7 install.
  • Repeat steps for the second installation
Now I'm going to set up Truecrypt and tell it to encrypt the second Windows 7 install. Then I'll set up g4d. Good plan?

#3 astanasto

  • Members
  • 7 posts
    United States

Posted 22 June 2012 - 03:00 AM

TrueCrypt proceeded w/o issues. I'm now booting straight into the protected Windows 7 install from the TrueCrypt boot loader in the MBR to the active partition (where Windows is installed).

I then used the Grub4DOS toolbox to extract the TrueCrypt MBR and the first 63 sectors of the drive for bootlacing.

Since I'm on 64-bit Windows, I went to Cloud Bootlacer. I uploaded the 63 sector file from my drive and got back a new image (hopefully with the g4d boot loader in the mbr).

I then went to write it using the Grub4DOS Toolbox but it fails. It won't write either the new image or the original one. It fails every time with "Error Writing Target! 80"

I guess I need to boot a Linux live cd and use dd?

dd if=bootlace_grub4dos.bin of=/dev/sda bs=512 count=63

Edited by astanasto, 22 June 2012 - 03:08 AM.

#4 astanasto

  • Members
  • 7 posts
    United States

Posted 22 June 2012 - 04:59 AM

No thanks to you lazy bums (I kid!), I got it working (mostly).

I wrote the Grub4DOS bootloader using dd. Using the default menu, I was able to find & boot the honeypot Win7 installation. To enable the protected install, I added this to the menu.lst:

title Protected Windows 7
hide (hd0,1)
unhide (hd0,2)
rootnoverify (hd0,2)
chainloader (hd0,0)/truecrypt.mbr

This is working (I can now boot both OSes). I have just one small snag / annoyance.

TrueCrypt is using the default options for its PBA screen. I want to disable displaying text on screen as well as disabling ESC to bypass PBA. Is that possible when booting this way?

#5 amalux


    Platinum Member

  • Tutorial Writer
  • 2813 posts
    United States

Posted 22 June 2012 - 07:08 AM

Hi astanasto and (belated) welcome :)

I'd be happy to help if I had something intelligent to offer but you seem to know more about it than I do. The guy who could best help you is in self imposed exile right now so it's just bad timing I'm afraid. With TrueCrypt, it's usually the other way around where people want all boot partitions covered instead of just one; you can see a workaround here: http://yyzyyz.blogsp...t-multiple.html

I have a setup that accomplishes what you want (sort of) with one crucial difference that makes it very easy. The protected OS is on a separate hard drive so switching is handled in the BIOS boot screen. I did it this way to avoid any 'contamination' of the unprotected drives (I still don't trust encryption). Anyway, most of what you're describing is over my head so I can't offer much help but thought I'd offer a welcome at least (before you figure it out on your own) ;)

#6 astanasto

  • Members
  • 7 posts
    United States

Posted 22 June 2012 - 10:16 AM

Don't feel bad - I was just giving you guys an undeserved hard time.

I'm really just making this up as I go along but I'm glad it sounds like I know what I'm talking about.

At this point, everything is working great, if I could just figure out how to get TrueCrypt to respect the configuration settings I made. They worked before I extracted the MBR and set up g4d to chainload to it.

I'm afraid to go back into the client and remake them for fear of where it stores them and what might become corrupted or over-written.

#7 dog


    Frequent Member

  • Expert
  • 236 posts

Posted 22 June 2012 - 11:30 AM

I've not tried it, but you might find you can hexedit the text in the truecrypt mbr file, and perhaps use grub4dos to keymap Esc to something else.
Bit of a bodge, but...

#8 astanasto

  • Members
  • 7 posts
    United States

Posted 22 June 2012 - 07:08 PM

If that configuration were stored in TrueCrypt's MBR wouldn't it have been retained when I extracted the MBR (first sector) and put it in the file (truecrypt.mbr) that I'm chainloading?

#9 dog


    Frequent Member

  • Expert
  • 236 posts

Posted 25 June 2012 - 01:13 PM

lazy bum

I just tested setting custom text and it is in the MBR, offset 406 to 429.
I tested a single xp partition, with different custom text in the MBR and the chainloaded file, and I'm seeing the text from the MBR.
Tried chainloader --force and --load-length=32256, with the same result.
After putting the XP 440 bytes back in the MBR I get the same as you; if I also wipe the rest of track 0 I get "Loader damaged! Use Rescue Disk: Repair Options > Restore TrueCrypt Boot Loader", so the default text and options must be stored in track 0, and chainloading the file still uses the code in track 0.
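
Added example (not from the thread, and not TrueCrypt's or grub4dos's own code): a small Python inspector for the sector-0 / track-0 images the posts above extract with the toolbox and chainload from grub4dos. It checks the 0x55AA boot signature, decodes the standard 4-entry partition table at offset 446, reads the 24-byte window at offsets 406-429 that dog reports holds the custom PBA text, and compares the chainloaded file against the live sector 0, which is the check that shows which parts (code, text, table) grub4dos overwrote. The sample sector is constructed inline to mirror the thread's partition layout; the hypothetical `build_sample_sector0` is not a real TrueCrypt loader.

```python
import struct

SECTOR = 512
PT_OFFSET = 446          # start of the 4 x 16-byte MBR partition table
SIG_OFFSET = 510         # 0x55 0xAA boot signature
TC_TEXT = (406, 430)     # custom-text window reported in post #9 (offsets 406-429)
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS(skipped), type, CHS(skipped), start LBA, sector count


def parse_partition_table(sector0: bytes):
    """Return the four MBR partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector0, PT_OFFSET + 16 * i)
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": count})
    return entries


def has_boot_signature(sector0: bytes) -> bool:
    return len(sector0) >= SECTOR and sector0[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"


def custom_text(sector0: bytes) -> str:
    """Decode the custom PBA text window; NUL padding is stripped."""
    return sector0[TC_TEXT[0]:TC_TEXT[1]].rstrip(b"\x00").decode("ascii", "replace")


def compare_track0(track0: bytes, mbr_file: bytes):
    """Which regions of the live sector 0 still match the extracted truecrypt.mbr file?"""
    s0 = track0[:SECTOR]
    return {"code_same": s0[:TC_TEXT[0]] == mbr_file[:TC_TEXT[0]],
            "text_same": custom_text(s0) == custom_text(mbr_file),
            "table_same": s0[PT_OFFSET:SIG_OFFSET] == mbr_file[PT_OFFSET:SIG_OFFSET],
            "track0_sectors": len(track0) // SECTOR}


def build_sample_sector0(text: bytes) -> bytes:
    """Constructed sample (hypothetical): NOP filler for loader code, three NTFS partitions
    laid out like the thread's 100MB / 32GB / 192GB drive, custom text, boot signature."""
    buf = bytearray(b"\x90" * SECTOR)
    buf[TC_TEXT[0]:TC_TEXT[1]] = text.ljust(TC_TEXT[1] - TC_TEXT[0], b"\x00")
    parts = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 67108864),
             (0x00, 0x07, 67315712, 402653184), (0x00, 0x00, 0, 0)]
    for i, entry in enumerate(parts):
        struct.pack_into(ENTRY_FMT, buf, PT_OFFSET + 16 * i, *entry)
    buf[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(buf)
```

Point the functions at `open("truecrypt.mbr", "rb").read()` and the first 63 sectors of the disk to see which regions grub4dos replaced.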

#10 cdob


    Gold Member

  • Expert
  • 1459 posts

Posted 25 June 2012 - 07:13 PM

I just tested setting custom text and it is in the MBR, offset 406 to 429.
I tested a single xp partition, with different custom text in the MBR and the chainloaded file, and I'm seeing the text from the MBR.

Therefore TrueCrypt reads configuration data from the true MBR.

I wonder about:
a small hard disk image containing the TrueCrypt MBR, the file bootmgr and the folder \boot\
The remaining Windows files are still stored as flat files on the hard disk.
Map the small hard disk image to hd0. Boot the hard disk image MBR.
Which MBR data does TrueCrypt read?

#11 astanasto

  • Members
  • 7 posts
    United States

Posted 27 June 2012 - 11:49 PM

Thanks for shedding some light on this.

If I understand correctly ...

TrueCrypt always looks to sector 0 for its configuration, even if it's been started from a file (truecrypt.mbr) rather than sector 0.

Since I've replaced sector 0 with Grub4DOS, I destroyed the configuration.

TrueCrypt must then fall back to some hard-coded defaults when it can't find its configuration in sector 0.

Therefore my options are quite limited indeed.

#12 zborecque

  • Members
  • 1 posts

Posted 23 July 2013 - 09:48 AM

astanasto, thank you very much; your thread was helpful big big time!!

For weeks now I have been trying to make my configuration work, and today it did thanks to this thread :)

Basically I have a Dell Inspiron 1525 with a SATA HDD installed (Win 7). This is my working laptop, and I wanted to run my private OS from time to time from another HDD. I replaced the CD-ROM with an IDE caddy and installed a second HDD over there with my very own Windows 7 encrypted with TrueCrypt with pre-boot auth. The additional HDD is a 500GB WD SATA drive with default partitions created for Windows 7 (during the installation Win7 created a 100MB primary partition, and set the rest of the space as a big Windows partition).

The problem was that the BIOS wouldn't see the second HDD and wouldn't let me choose which to boot from. The default boot HDD is the one in the SATA bay and that's it. Temporarily I installed the encrypted HDD in the SATA bay, and the original one in the CD caddy. So after turning on, the PC was asking for a TrueCrypt password, or to hit ESC (hitting ESC would boot from the caddy HDD).

But I wanted to let the original HDD remain in its original place, and just insert the caddy in case I want to use my own system. For this I was looking for something that could be installed on a USB stick and would let me boot from the caddy AND would be compatible with the encrypted drive.

So I installed a regular GRUB using WinGrub, extracted my TrueCrypt MBR using HDHacker, and saved the *.dat file (with my MBR record) to a USB pendrive (as tc.dat). My MENU.LST looks like this:

timeout 3

title PrivateSys at (hd2,0)
rootnoverify (hd2,0)
chainloader (hd0,0)/tc.dat

- in my case there was no need to use the hide and unhide options, or the makeactive option.

And it works FINE!

If the encrypted HDD is inserted, but the USB IS NOT - the PC boots the original system (and it is possible to mount my encrypted HDD inside this system), but when you PLUG IN the USB, it boots the encrypted one. :)

#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 15389 posts
  • Location:The Outside of the Asylum (gate is closed)

Posted 23 July 2013 - 12:16 PM

So I installed a regular GRUB using WinGrub,

I guess that would be "regular grub4dos" and not GRUB (and not GRUB2), and there is NO such thing as "regular grub4dos"; though the commands you used in the menu.lst are very basic (and should work with *all* versions of grub4dos), the versions that are on the grub4dos/Wingrub site:

are EXTREMELY outdated.

For the record the last "good"/"safe" version of the previous 0.4.4 series is the 2009-10-16:

Today it is recommended to get the LATEST 0.4.5c version marked as "Featured" here:
