| 2005-11-25 | First version |
|---|---|
WARNING! This page is meant for professionals only. You must understand everything on this page well if you want to succeed instead of destroying your OSes.
Using DriveCrypt Plus Pack with Linux / GRUB HOWTO
Introduction
No bullshitting today. You have a multiboot system and you need to encrypt your bootable Windows partition. One utility for this is DriveCrypt Plus Pack (DCPP); another is SafeGuard Easy. All these utilities install a customized Master Boot Record (MBR), and if you install GRUB to the MBR afterwards, you cannot boot Windows anymore (hope you made some kind of rescue floppy / USB flash / etc.), since GRUB cannot understand the encrypted Windows partition. So how do you solve this problem? Read on.
Basics about booting your OS
First you need to understand the basics of the Master Boot Record (MBR, a.k.a. boot sector) and the partition table. The MBR, as you probably know, is the very first 512 bytes (the first sector of the first track) of your hard drive. Traditionally, the code in the MBR just located your OS partition (the first active partition) and passed execution to its first sector, which then loaded your OS. However, the first partition usually begins at the first sector of the SECOND track of your bootable drive, which leaves some space between the MBR and the beginning of the first partition. Usually your drive is split into 63 sectors per track (logically; physically only the drive manufacturer knows), thus 62 sectors * 1 track = 62 * 512 = 31744 bytes are free for use! I don't know if it's illegal to start the first partition from the second sector of the first track, but it seems that it is not usually done.
Modern boot loaders can use that free space, because 512 bytes really are not enough for a more complicated boot loader. GRUB, for example, writes its stage 1 to the MBR and its stage 1.5 to the free space after the MBR; stage 1.5 then loads stage 2 from your root partition. DCPP also seems to write data to the free space. That data is probably the code and keys needed for decryption, so if you install GRUB without thinking first...
Since GRUB and DCPP write their stuff to the same place, using them simultaneously is impossible. GRUB has a feature called chainloader: the ability to read a file containing a new MBR and execute it. However, this won't help on its own, since DCPP's MBR tries to read that 'free' space, which has been overwritten by GRUB stage 1.5.
How to solve the problem
Luckily, GRUB can be installed without stage 1.5 with some extra work. The 'free' space we discussed before is then left intact, and GRUB can chainload the DCPP MBR and boot it. This probably has some disadvantages, since the location of stage 2 has to be hardcoded in the stage 1 code, and if you rearrange your GRUB files you may lose the ability to boot. So prepare a bootable GRUB CD. Please see the GRUB documentation for how to do it.
First you need an image of your DCPP MBR; taking a backup of the first tracks of your HDD is also a good idea (replace /dev/hda with the appropriate drive):
giant:/boot# dd if=/dev/hda of=/boot/dcpp.mbr count=1 bs=512
giant:/boot# dd if=/dev/hda of=/boot/dcpp.backup count=8 bs=32256
Then install GRUB:
giant:~# grub
grub> install (hd0,1)/boot/grub/stage1 (hd0) (hd0,1)/boot/grub/stage2 0x8000 p
That's it! Of course, you need to replace (hdX,Y) with the partitions matching your setup. Do not worry about 0x8000: it is not a reference to your filesystem, it's a memory address, and it should be fixed to 0x8000. Now you should have GRUB stage 1 in your MBR, which loads stage 2 from your partition, and the free space is intact. Time to configure GRUB. Edit /boot/grub/menu.lst like this:
title Windows 2000 Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,1)/boot/dcpp.mbr
boot

title Debian GNU/Linux
root (hd0,1)
kernel /boot/vmlinuz root=/dev/hda2 ro
boot
That wasn't so hard, but ask the vendors of encryption software and they laugh their lungs out and say that it is IMPOSSIBLE to use Linux with their products. Oh well...
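One way to check the claim above that the free space is still intact after installing GRUB stage 1, as an added example that is not part of the original HOWTO: the script compares every sector between the MBR and the first partition on the current disk against the /boot/dcpp.backup image taken earlier. It assumes 512-byte sectors and a classic MBR partition table; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): check that the sectors between
# the MBR and the first partition still match the backup taken before GRUB
# was installed. Assumes 512-byte sectors and a classic MBR partition table.
SECTOR=512

# Print the lowest start LBA among the four partition entries (0 if none used).
# Each 16-byte entry starts at 446 + 16*n; its start LBA is stored as four
# little-endian bytes at offset 8 within the entry.
gap_end_lba() {
    img=$1; min=0
    for off in 454 470 486 502; do
        set -- $(od -An -v -tu1 -j"$off" -N4 "$img")
        lba=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
        if [ "$lba" -gt 0 ] && { [ "$min" -eq 0 ] || [ "$lba" -lt "$min" ]; }; then
            min=$lba
        fi
    done
    echo "$min"
}

# Hex dump of one sector, used for an exact byte-for-byte comparison.
sector_hex() {
    dd if="$1" bs="$SECTOR" skip="$2" count=1 2>/dev/null | od -An -v -tx1
}

# Print every gap sector (1 .. first partition - 1) that differs between the
# backup image and the current disk. No output means the gap is intact.
changed_gap_sectors() {
    backup=$1; disk=$2
    end=$(gap_end_lba "$backup")
    s=1
    while [ "$s" -lt "$end" ]; do
        if [ "$(sector_hex "$backup" "$s")" != "$(sector_hex "$disk" "$s")" ]; then
            echo "$s"
        fi
        s=$((s + 1))
    done
}

# Usage: sh gapcheck.sh /boot/dcpp.backup /dev/hda   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    changed_gap_sectors "$1" "$2"
fi
```

Sector 0 is deliberately excluded, since installing stage 1 is expected to change it. Any sector number printed means the area DCPP writes to was modified since the backup.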
Something I have not tried
I used Windows Rescue Console to rewrite the Windows MBR to my hard drive before I installed DCPP. This is because it is possible that DCPP reads the original MBR, stores it elsewhere and chains it with the original MBR. At least SafeGuard Easy does this. It would mean that if you had GRUB installed before installing DCPP, you would get another GRUB screen after booting to Windows from your first GRUB. If this is the case, you may have luck with an approach similar to the one for SafeGuard Easy; see my article.
An alternative to the stage 1.5-less approach could be installing GRUB to the boot sector of your Linux partition and using some other 512-byte boot loader to boot GRUB. Then you would get rid of the problems of not having stage 1.5. Haven't tried this though.
Feedback is always welcome, please send mail to jari.eskelinen@iki.fi.