
how to install into the partition boot record?

41 replies to this topic

#1 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 25 July 2008 - 05:11 PM

With USBoot beta I have installed a full Windows XP on my USB harddisk on a 40 GB primary NTFS partition. Additionally I encrypted this system disk with TrueCrypt. So far it works great!

On the next partition (10 GB, FAT32) is the FreeDOS kernel.sys.

Now I want to dual boot my USB harddisk (and later triple boot extra with linux partition).

Because I am already booting with BIOS to USB I can not install a conventional bootmanager like grub4dos on floppy. I could do it, but grub4dos on floppy is pointless because it can not chainload USB.

PloP Bootmanager is also not the right tool in this situation because it chainloads USB partition 0,0 and not 0,1.

Afaik grub legacy can be installed into partition boot record. Can grub4dos also?

The TrueCrypt bootloader can chainload any bootable partition or harddisk after itself. So it could work like BIOS -> TrueCrypt bootloader -> grub4dos in partition boot record -> virtually swap partitions -> chainload kernel.sys.

I don't see another possibility for dual booting a USB harddisk if the first primary partition is fully encrypted with TrueCrypt.

Long story, but my experience is telling me that you would ask for this anyway. :cheers: The only real question is "how to install grub4dos into a partition boot record"?

#2 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 26 July 2008 - 10:08 AM

Reading the newish Guide would help :cheers::
http://www.boot-land...?showtopic=5187

http://diddy.boot-la...os/Grub4dos.htm

Refer to method 6:
http://diddy.boot-la...all.htm#method6

or 7:
http://diddy.boot-la...all.htm#method7

jaclaz

#3 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 26 July 2008 - 02:56 PM

It worked to install grub4dos into the bootsector. I verified it with HX Disk Hex Editor.

However, when pressing ESC to start other bootable devices the TrueCrypt bootloader (partition 0) will not chainload the partition behind (partition 1).

Perhaps because it's not active? But afaik there can be only 1 partition active at the same time. And if I activate partition 1 and/or hide partition 0, this can't be undone easily for a USB bootable disk.

Can anyone share some knowledge about the TrueCrypt bootloader and how the chainload feature is supposed to work?

#4 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 26 July 2008 - 04:19 PM

You may look at this topic :
http://ubuntuforums....ad.php?t=689579

But I think your need can be satisfied with this master boot loader (no extra partition needed) :
http://sourceforge.net/projects/mbldr/

You can multiboot any partition (up to 4) at boot time.
By default the selected partition will be active.
So (hd0,0) is your truecrypted Windows partition.
(hd0,1) etc. could be others. On these partitions you can additionally use grub4dos if you want (from config.sys, from ntldr etc.), so it will chainload other partitions if needed.

#5 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 26 July 2008 - 05:21 PM

But I think your need can be satisfied with this master boot loader (no extra partition needed) :
http://sourceforge.net/projects/mbldr/

'mbldr is a boot loader which fits into first sector of an HDD (MBR).'
Can't work for me because I am a bit 'out of space'. In the first sector is already the TrueCrypt bootloader. Without TrueCrypt bootloader I couldn't start my encrypted Windows partition.

With TrueCrypt system partition disk encryption the whole system partition is encrypted except the MBR (where the TrueCrypt bootloader is resident). After the encrypted system partition there can be further partitions, either TrueCrypt device encrypted or unencrypted.

My little 'trick' for internal harddisks for multibooting and TrueCrypt encrypted disks was to install the bootmanager grub4dos either on floppy, CD-ROM or even better on pendrive. The USB pendrive boots, you can choose to boot any 'normal' operating system or to boot the emulated TrueCrypt rescue CD (which can boot the encrypted Windows).

But if I boot already from a USB harddisk I can't do this 'trick' and install the bootmanager on any external device because USB can not be chainloaded (Ok, with PloP Bootmanager, but like I said it's not feasible here).

The only possibility here seems to be chainloading a bootmanager (grub4dos) on a partition behind with the TrueCrypt bootloader.

Well, maybe this is currently completely impossible without development. Because 1) XP was not made to be run from USB 2) USBoot is only (a nice) 'hack' 3) TrueCrypt's developers seem not to be aware of XP USB booting 4) it's already very much luck that a USBoot-activated XP on USB can be encrypted with TrueCrypt. But I like to be proven wrong. Currently no one has confirmed having XP encrypted on USB + multiboot.

You may look at this topic :
http://ubuntuforums....ad.php?t=689579

Currently it doesn't help. But I will read some times again.

Well, maybe I should investigate to install grub legacy into the PBR and try if TrueCrypt can chainload this. Once grub legacy is started I could chainload grub4dos. :cheers:

#6 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 27 July 2008 - 04:20 AM

OK, now I understand that the TrueCrypt bootloader requires the MBR space for itself.
Chainloading from TrueCrypt (by pressing ESC) to boot other un-encrypted partition should be its function,
so I wonder why it does not work for you.

Currently it doesn't help. But I will read some times again.

Did you read the topic entirely? There is a sentence :
"Now that I've tested a bit, I'm noticing that the TC bootloader can chainload partitions."


I have a multiboot-capable USB hard disk prepared with USBboot, so when I have time I will experiment with TrueCrypt.
Previously TrueCrypt encryption using a file container was sufficient for me.

#7 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 27 July 2008 - 08:44 AM

Previously TrueCrypt encryption using a file container was sufficient for me.

Imho this is too insecure. It's ok if you travel with a USB disk from A to B and want to protect the disk against loss. If this is the threat you want to protect against, it's ok.

But if your threat is that your laptop can get stolen, file-based encryption or a non-encrypted system disk is not acceptable. Windows creates too much metadata containing sensitive information. Even if you have something encrypted, it could be extracted, for example from the swapfile. Because of this I really really really prefer to encrypt the whole disk.

Did you read the topic entirely?

Yes and later I had an idea.

Chainloading from TrueCrypt (by pressing ESC) to boot other un-encrypted partition should be its function,
so I wonder why it does not work for you.

Didn't try to install grub legacy yet into the PBR. But installing grub4dos like in the manual into PBR didn't work with chainloading.

I have a multiboot-capable USB hard disk prepared with USBboot, so when I have time I will experiment with TrueCrypt.

:cheers:

However, like in the links explained in this thread there is a pretty elegant solution to install grub(4dos) into MBR with the capability to start the TrueCrypt bootloader anyway. I tested in VMware just to use dd (from a linux live CD) to store the whole TrueCrypt MBR into a file on floppy. Then started DOS from floppy, started grub4dos and chainloaded this file. It was working.

For my real USB disk I will have the second partition as FAT32, grub4dos will be in the MBR and load grldr from the FAT32 partition, and the TrueCrypt bootloader as a file will also be there.

I think this is nearly the same like 'booting from TrueCrypt rescue disk directly" or "booting the emulated TrueCrypt rescue disk". It should work, I will tell you if it worked later if I am done.

#8 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 27 July 2008 - 09:07 AM

But if your threat is that your laptop can get stolen, file-based encryption or a non-encrypted system disk is not acceptable. Windows creates too much metadata containing sensitive information. Even if you have something encrypted, it could be extracted, for example from the swapfile. Because of this I really really really prefer to encrypt the whole disk.


My laptop has an HDD password set up in the BIOS, so even if you take the hard disk out and place it in another laptop or another USB enclosure, the HDD will not be recognized by any OS without reinitializing the password (or providing the right password); this is why I do not have the need to encrypt the whole system partition. But of course, added to this feature, a TrueCrypt encryption of the whole system disk would be a real plus.

I have to experiment also with disk imaging backup too when TrueCrypt is activated.

For TrueCrypt boot then ESC, why does it not work for you? On the second partition you could set it up to boot ntldr/ntdetect.com/boot.ini, then in boot.ini you put grub4dos (grldr); it should work without any problem. And when grub4dos is loaded there is no problem booting other partitions or a disk image (menu.lst).

#9 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 27 July 2008 - 10:19 AM

My laptop has an HDD password set up in the BIOS, so even if you take the hard disk out and place it in another laptop or another USB enclosure, the HDD will not be recognized by any OS without reinitializing the password (or providing the right password); this is why I do not have the need to encrypt the whole system partition.

This HDD password protection is only a password but no hardware encryption at all.

It's trivial to remove this protection. Only good for lower needs in security.

I have to experiment also with disk imaging backup too when TrueCrypt is activated.

I have some knowledge here. Disk imaging an encrypted disk will blow up the image file to the partition size since no files can be read in plain text and also compression is not very successful.

Therefore I recommend to boot external Windows (better real Windows, or at least BartPE), mount the disk, make the backup unencrypted and store it on an encrypted container. Restoring it isn't so trivial then also. Disk encryption has also big disadvantages.

For TrueCrypt boot then ESC, why does it not work for you?

No idea, it says no bootable partition found. Tested it with making it NT bootloader bootable and grub4dos bootable, but not grub legacy yet. However, I will try it soon like I described before.

On the second partition you could set to boot ntldr/ntdetect.com/boot.ini, then in boot.ini you put grub4dos (grdlr) it should work without any problem.

I checked it out but somehow it didn't work.

And when grub4dos is loaded no problem booting other partitions or disk image (menu.lst).

Yes.

#10 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 27 July 2008 - 01:54 PM

It's trivial to remove this protection.

Really ?

Otherwise since both grub4dos and TrueCrypt are open source, maybe it could be possible (let's dream a little) that grub4dos could one day include the TrueCrypt loader inside its own loader.

Question : TrueCrypt runs also under Linux, so the encryption of system OS applies also to Linux OS too, or is it limited to Windows OS ?

#11 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 27 July 2008 - 02:35 PM

It's trivial to remove this protection. Only good for lower needs in security.


Really? :cheers:

Last time I tried I had to buy specialized hardware+software to directly access the HD firmware, the common software solutions for ATA password disabling not working.

As I see it, it is perfectly possible :cheers:, but definitely not trivial :cheers:.

Did you ever unlock a properly locked drive? :cheers:

jaclaz

#12 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 27 July 2008 - 03:38 PM

Really ?

Yes. The amount of needed time/money is simply too low.

A correctly encrypted disk can not be decrypted without the key. No computers are fast enough yet. The "most cheap" solution is only torture. Technically encryption is secure, ata/sata password not.

Otherwise since both grub4dos and TrueCrypt are open source, maybe it could be possible (let's dream a little) that grub4dos could one day include the TrueCrypt loader inside its own loader.

I don't think so. Every TrueCrypt bootloader and every TrueCrypt rescue disk is unique because it contains the volume header.

The only thing they could do would be to provide a wizard. Well, for internal harddisks it's pretty easy. Just emulate the TrueCrypt rescue CD if you want to boot the encrypted disk. For USB harddisks you need to store the bootloader with dd in a file and later chainload it with grub4dos.

Question : TrueCrypt runs also under Linux, so the encryption of system OS applies also to Linux OS too, or is it limited to Windows OS ?

- "Direct" system encryption is Windows only.
- Volumes encrypted with system encryption can be mounted with "mount volume without pre-boot authentication". * Currently only under Windows, but it's announced that this mounting without pre-boot authentication will also be possible in later Linux versions.
- If you have dual boot Windows and Linux and you decide to encrypt the whole system harddisk and not only the system partition, then Linux will no longer be bootable since it has no support in the kernel. (Theoretically possible to develop.)
- Under Linux you can only use file container based encryption and format&encrypt a whole disk.

Assumption by me: there will never be a system disk encryption for Linux because there are simply too many Linux distros. However, if you want to, you don't need a "direct" system encryption for Linux. You can also theoretically encrypt your whole disk including Linux with the ordinary device encryption by TrueCrypt.

Unencrypted Linux boots like: grub -> initrd -> everything else.
If you want to encrypt Linux completely with TrueCrypt you would need to hook after initrd, load the encryption driver and then load everything else. But because there is LUKS there is currently no such guide on how to do so for Linux. I suspect if you want to learn it yourself you need some knowledge in 'Linux from scratch'.

Last time I tried I had to buy specialized hardware+software to directly access the HD firmware, the common software solutions for ATA password disabling not working.


As I see it, it is perfectly possible :cheers:, but definitely not trivial :cheers:

How much money / time did you need? ... You see, it's not too much. Depends on what you call trivial; I think the amount of work to crack it is minimal compared to real encryption.

Did you ever unlock a properly locked drive? :cheers:

No, but I know people who do it for money.

Even on ebay. 20 EUR for just removing password or 45 EUR for data recovery.

#13 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 27 July 2008 - 03:54 PM

Yep, I meant it is not so "Ordinary, commonplace":
http://www.thefreedi...ary.com/trivial

Now, would you trust your supposedly valued data to anyone on ebay that takes 20 or 45 bucks for data recovery when "normal" rates for professional work go in the 500 to 3,000 US$ range? :cheers:

These Data Recovery Professionals must be really greedy people. :cheers:

Have you got any link to these "cheap" services? :cheers:

jaclaz

#14 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 27 July 2008 - 05:29 PM

Now, would you trust your supposedly valued data to anyone on ebay that takes 20 or 45 bucks for data recovery when "normal" rates for professional work go in the 500 to 3,000 US$ range? :cheers:

Personally not.

These Data Recovery Professionals must be really greedy people. :cheers:

Yes.

Have you got any link to these "cheap" services? :cheers:

No.

Well, it's like mobile phone unlocking. I know people near me who unlock mobile phones (net lock), crack pay TV, repair computer software and also remove SATA passwords. All of it just costs a few bucks. It doesn't seem you need an intelligence quotient much higher than average.

It's just about searching, searching, searching, surfing underground/hacking sites and talking with the community. Time exposure: 3 months, every day about 1 hour a day of informing yourself + buying some extra hardware. Imho no real hard effort.

Therefore: if you want to really keep your data secure - encrypt it. This sata password protection is imho just a toy.

#15 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 28 July 2008 - 08:36 AM

For your information,

I tried with True Crypt 6.0a to encrypt my XP partition which is bootable from an external USB hard disk.
The XP OS is prepared with USBboot.org.

Unfortunately the TrueCrypt loader pre-test failed: at boot time, when I enter an invalid password, ok, it answers
"incorrect password". When I enter the right password, then nothing happens, just a blinking cursor.
I rebooted and chose ESC at boot time to select the first partition (USB hard disk). It boots OK, then
a popup comes with information about the pre-test failure.

I think I cannot use TrueCrypt OS partition encryption for now.

From True Crypt 6.0a version history :
Bug fixes:



When Windows XP was installed on a FAT16 or FAT32 partition (as opposed to an NTFS partition) and the user attempted to encrypt the system partition (or system drive), the system encryption pretest failed. This will no longer occur.

This is my case, my XP is on a FAT32 partition. So the bug is still alive !
I will convert the XP partition to NTFS and try again.

Edit: even with NTFS partition, the TrueCrypt pretest failed!

#16 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 28 July 2008 - 01:33 PM

The pretest only failed for me as I used USBoot 1 and TrueCrypt 5.1a.

My combination was NTFS + USBoot 2 beta and TrueCrypt 5.1a. I can confirm it worked. Don't know about 6.0.

#17 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 28 July 2008 - 01:35 PM

@mr_

One idea: since your problem is chainloading to another partition with the TrueCrypt boot loader, why don't you simply use ntldr/ntdetect.com/boot.ini, then grldr inside boot.ini to boot any OS/partition you want? I assume that the TrueCrypt bootloader loads its own decryption engine to decrypt data on the fly, or am I missing something?

For the pretest failed in your case, the bug was fixed with TrueCrypt version 6.0.
http://www.truecrypt...version-history

#18 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 28 July 2008 - 02:34 PM

One idea: since your problem is chainloading to another partition with the TrueCrypt boot loader, why don't you simply use ntldr/ntdetect.com/boot.ini, then grldr inside boot.ini to boot any OS/partition you want?

It sounds like it could work. The only disadvantage is that I would need to enter a password to boot a system which is not encrypted.

Therefore I prefer the solution with grub4dos in MBR and chainloading the TrueCrypt bootloader.

I assume that the TrueCrypt bootloader loads its own decryption engine to decrypt data on the fly, or am I missing something?

Depends on whether grub4dos uses either an API or BIOS calls to read the harddisk after being loaded by ntldr. In case of BIOS calls it wouldn't work (it would work if TrueCrypt hooked the BIOS calls, which I doubt). Don't know.

For the pretest failed in your case, the bug was fixed with TrueCrypt version 6.0.
http://www.truecrypt...version-history

The pretest with 5.1a failed only on USB harddisk, never on internal harddisk. I think the problem is fixed since USBoot 2 beta.

#19 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 28 July 2008 - 03:04 PM

The pretest with 5.1a failed only on USB harddisk, never on internal harddisk. I think the problem is fixed since USBoot 2 beta.


I assume USBoot 2 beta (as with version 1.x) comes into action only after initial boot by MBR/bootsector/ntldr/ntdetect.com/boot.ini, so I do not understand how USBoot 2 beta could solve pretest failed problem with external USB boot.

Therefore I prefer the solution with grub4dos in MBR and chainloading the TrueCrypt bootloader.


Me too. The problem is that the TrueCrypt bootloader requires to be in the MBR (if the OS partition is encrypted), isn't it?

#20 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 28 July 2008 - 03:47 PM

Another idea:
1) create the Truecrypt bootloader on an image
2) re-map the image with grub4dos to hd0
3) try chainloading the MBR of the mapped image

:cheers:

jaclaz

P.S.:
@mr_
from what you say, I wouldn't like to live in your neighborhood, it seems like populated by dumbish crackers

:cheers:

jaclaz

#21 mr_

mr_

    Frequent Member

  • Members
  • 355 posts
  •  
    Germany

Posted 28 July 2008 - 04:05 PM

I assume USBoot 2 beta (as with version 1.x) comes into action only after initial boot by MBR/bootsector/ntldr/ntdetect.com/boot.ini, so I do not understand how USBoot 2 beta could solve pretest failed problem with external USB boot.

I also don't know but this is my experience.

Me too. The problem is that the TrueCrypt bootloader requires to be in the MBR (if the OS partition is encrypted), isn't it?

Normally yes. But to store the whole MBR in a file and chainload it works also (tested only for internal harddisk yet).

Another idea:
1) create the Truecrypt bootloader on an image
2) re-map the image with grub4dos to hd0
3) try chainloading the MBR of the mapped image

Sounds interesting.

from what you say, I wouldn't like to live in your neighborhood, it seems like populated by dumbish crackers

The good news is: I know what is possible and I know they can't crack TrueCrypt. :cheers:

#22 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 29 July 2008 - 04:56 PM

Just to keep things as together as possible, I am cross-linking to here:
http://www.911cd.net...o...c=21711&hl=

where online details another interesting approach. :cheers:

jaclaz

#23 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 30 July 2008 - 07:21 AM

Thanks to jaclaz for your useful link.

I found another interesting link where for the first time I see the possibility to chainload the TrueCrypt loader from grub (so it should also be possible to chainload from grub4dos installed in the MBR), by saving the TrueCrypt MBR and the file (MBR code) used for the decryption algorithm :
http://ubuntuforums....d.php?p=4758818

Edit (add):

From the article:
dd if=/dev/sda of=/mnt/boot/truecrypt.mbr count=1 bs=512

dd if=/dev/sda of=/mnt/boot/truecrypt.backup count=8 bs=32256

title Windows XP Professional
rootnoverify (hd0,x)
makeactive
chainloader (hd0,*)/truecrypt.mbr
boot

I try to illustrate concretely with usual tools:

1) Install grub4dos in MBR (using grubinst).
(hd0,0) is XP encrypted by TrueCrypt
(hd0,1) is another partition
menu.lst location: (hd0,1)/menu.lst

2) Save TrueCrypt data:
dsfo \\.\physicaldriveX 0 512 truecrypt.mbr
dsfo \\.\physicaldriveX 0 258048 truecrypt.backup
(258048 = 8 * 32256)

(save to partition (hd0,1) file system in root so
(hd0,1)/truecrypt.mbr
(hd0,1)/truecrypt.backup


3) In (hd0,1)/menu.lst
title Windows XP Professional (TrueCrypt)
rootnoverify (hd0,0)
chainloader (hd0,*)/truecrypt.mbr
boot


Is my illustration correct?
Questions:
1) Chainloading another MBR: this is strange for me. Is it possible?
2) What is the usage of (hd0,1)/truecrypt.backup? When is it used?
3) Is "chainloader (hd0,*)/truecrypt.mbr" acceptable by grub4dos? (usage of * character).

Edit:
After experimentation, following are the answers to my own questions (I am using the grub4dos 2008-03-14 version):
1) I got grub4dos error message: Error 8: Kernel must be loaded before booting.
3) This is accepted by grub4dos.
2) Using
chainloader (hd0,*)/truecrypt.backup
I got:
Successful TrueCrypt loader!

But in my case this does not work since TrueCrypt loader cannot boot my USB HDD (blinking cursor, pretest failed).
But it would be fine for other users like mr_.
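
The save-the-loader procedure that mr_ sketched in post #7 (dd the TrueCrypt MBR into a file on the FAT32 partition, grub4dos in the MBR chainloads it) and that ktp spelled out above, scripted as an added example. This is not code from the thread, from TrueCrypt or from grub4dos. It assumes the device path and mount point are given on the command line, takes the 258048-byte size and the (hd0,0)/(hd0,1) layout from ktp's post, and the FreeDOS entry at the end is an assumption for mr_'s dual-boot goal (only the truecrypt.backup entry was reported as working in the thread):

```sh
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# TrueCrypt/grub4dos). It copies the TrueCrypt boot code from the MBR and the
# rest of track 0 into files on the unencrypted partition, checks the copy,
# and emits grub4dos menu.lst entries that chainload it.
# Assumptions (not from the thread): the device path and mount point given on
# the command line, and the FreeDOS entry at the end of the menu.
set -eu

MBR_BYTES=512
BACKUP_BYTES=258048   # 8 * 32256 as in ktp's post: 504 sectors, covers track 0

# Copy the first $3 bytes of device/image $1 into file $2 (plain dd, like the
# Linux live-CD step in the thread; dsfo does the same job under Windows).
dump_boot_code() {
    dd if="$1" of="$2" bs=512 count=$(($3 / 512)) 2>/dev/null
}

# Print "ok" if the saved MBR ends with the 0x55AA boot signature, else "bad".
# A file without it is not a boot sector and is not worth chainloading.
check_boot_sig() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] && echo ok || echo bad
}

# Print "same" if the live first sectors of device $1 still equal the saved
# copy $2, "differs" if they were overwritten since (e.g. by grubinst, or by
# someone else who had the disk in their hands).
boot_code_matches() {
    n=$(wc -c < "$2" | tr -d ' ')
    live=$(dd if="$1" bs=512 count=$((n / 512)) 2>/dev/null | cksum)
    saved=$(cksum < "$2")
    [ "$live" = "$saved" ] && echo same || echo differs
}

# grub4dos menu.lst for the layout in the thread: (hd0,0) is the TrueCrypt
# encrypted XP partition, (hd0,1) the FAT32 partition holding grldr and the
# saved loader. The FreeDOS entry is an assumption, not something the
# thread reported as tested.
write_menu() {
    cat <<'EOF'
title Windows XP Professional (TrueCrypt)
rootnoverify (hd0,0)
chainloader (hd0,1)/truecrypt.backup
boot

title FreeDOS
rootnoverify (hd0,1)
chainloader (hd0,1)/kernel.sys
boot
EOF
}

# Usage: sh save_tc_loader.sh /dev/sdX /mnt/fat32   (run from a live CD)
if [ $# -eq 2 ]; then
    dump_boot_code "$1" "$2/truecrypt.mbr" "$MBR_BYTES"
    dump_boot_code "$1" "$2/truecrypt.backup" "$BACKUP_BYTES"
    echo "boot signature: $(check_boot_sig "$2/truecrypt.mbr")"
    write_menu > "$2/menu.lst"
fi
```

Two practical points. First, save the loader before running grubinst: once grub4dos is in the MBR the TrueCrypt code is gone from sector 0, which is why `boot_code_matches` is there, to tell you whether the copy on disk still corresponds to what was on the drive. Second, the saved file carries the (password-encrypted) volume header, so it is exactly as exposed to tampering on the unencrypted FAT32 partition as the MBR was; the cksum comparison only helps you notice a swap, it does not prevent one.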

#24 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 30 July 2008 - 01:10 PM

New thread by online here:
http://www.boot-land...?showtopic=5315

jaclaz

#25 ktp

ktp

    Silver Member

  • Advanced user
  • 758 posts

Posted 31 July 2008 - 03:54 PM

Due to the TrueCrypt Pre-boot authentication (PBA, also called pre-test) problem (hang, blinking cursor), I tried the commercial
Jetico BestCrypt Volume Encryption mentioned earlier: http://www.jetico.com/bcve.htm.

It works flawlessly, and the PBA phase passes no problem.
Now I have to manage to chainload it from grub4dos.
Using chainloader (hd0,*)/bestcrypt.backup got:
Error 8: Kernel must be loaded before booting.

A bypass would be to execute PBA, then in the booted partition load grub4dos, but this means entering the password
to access a non-encrypted partition (indirect access).
Note: BestCrypt Volume Encryption does not seem to use a lot of reserved sectors (maybe none). After installing grub4dos in the MBR to try, I just reverted back to the MBR created by BestCrypt, and it works again.

Hopefully someone could share idea about chainloading BestCrypt.

