| Date | Change |
|---|---|
| 2005-06-05 | First version |
| 2005-07-19 | Added notice about separate boot partition |
| 2005-11-17 | Added some info provided by D-Tick |
| 2005-11-25 | Added some warnings regarding MBR and first track and reference to DCPP with GRUB document. |
WARNING! This page is meant for professionals only. You must understand everything on this page well if you want to succeed instead of destroying your OSes.
You may also look at my article about using DriveCrypt Plus Pack with GRUB and install GRUB without stage 1.5 with SafeGuard Easy too. It seems not to be necessary but it should add extra safety.
Using Safeguard Easy 4.10 with Linux / GRUB HOWTO
Introduction
Sometimes you simply must install Windows on your laptop alongside an alternative OS (Linux, *BSD etc.). Encrypting a laptop's hard drive is also good practice. Encrypting the alternative OSes' partitions is no problem (at least as far as compatibility with Windows goes), but encrypting Windows partitions may be. Windows XP comes with pretty decent encryption capabilities, but they are not enough in every case. AFAIK you cannot encrypt the whole HDD, which makes it troublesome to store sensitive information that must be accessible BEFORE login, before the decryption key is entered. So third-party programs must be used.
One of these programs is Utimaco's Safeguard Easy (later SGE). It should be a very secure program (certified for EAL3 etc.) and it encrypts the whole partition. However, SGE is designed for Windows and Windows only, and it introduces some stupid problems when used with alternative OSes. The lack of technical documentation and the intentional(?) obfuscation of technical vocabulary are also baffling - but we are dealing with Windows, what can you expect? Because of the lack of information these instructions may be very obsolete, but hey, I just couldn't find any related documentation! According to Utimaco, a multiple-OS setup means a multiple-WINDOWS setup. How stupid is that?
About SGE
OK, SGE works by installing its own software into the MBR (called PBA - Pre-Boot Authentication), which asks for a password and then executes another program: the one that was backed up from the MBR before the SGE MBR was installed. I.e. if you had only Windows installed, SGE boots itself and then executes the original MS MBR, which executes Windows... If you had GRUB installed, SGE executes GRUB, which executes anything you want - so you can actually use OSes other than Windows with SGE (of course only Windows partitions can be encrypted). However, if you had GRUB installed, you must enter the SGE password before GRUB is loaded. That is very, very annoying, since you really use that password for nothing when loading your alternative OSes. To get rid of this problem you must switch the order in which this code is executed from SGE MBR -> GRUB to GRUB -> SGE MBR -> MS MBR.
Now comes The Stupid Part: you cannot change the program that is executed after the SGE MBR (or at least it's not documented)!!! You're stuck with GRUB, LILO, BootMagic etc., or maybe even some MBR virus. So you end up executing GRUB, then SGE MBR, then GRUB again. It's possible to boot any OS with a setup like this, but it's annoying. I found two solutions:
Erase your HDD and set up everything in the correct order (exact instructions are a few paragraphs below):
- Partition the HDD for your OSes.
- Install Windows.
- Install SGE and encrypt partition you wish to.
- Take image from SGE MBR.
- Install Linux.
- Install GRUB.
- Configure GRUB to use SGE MBR image.
WARNING! D-Tick kindly informed me that if you install SGE with Pre-Boot Authentication and do not encrypt your partitions, the MBR will be different from the one you get when you do encrypt. This can cause a very severe problem if you encrypt partitions later: your old MBR image won't work and you can even lose your encrypted data! So please do all your encryption before playing with GRUB!
However, if you are unlucky and really don't want to reinstall everything, there may be a solution. I tried it and found it working flawlessly, but it is still VERY VERY VERY VERY EXPERIMENTAL!!!! I have no knowledge of the internals of SGE or the internals of NTFS. But if you want to try your luck, back up everything and try it. I take no responsibility.
- Prepare emergency Linux boot CD or something like that.
- Create SGE emergency disks & backups in case of disaster.
- Take image from SGE MBR.
- Install MS MBR.
- Take image of MS MBR.
- Install GRUB.
- Configure GRUB to use SGE MBR image.
- Hexedit your Windows partition and find offset of your original MBR (one you had before installing SGE).
- Take backup of it.
- Overwrite it with MS MBR.
- Reboot and cross your fingers.
It seems that the original MBR is not in any file but is instead stored in some special area of the HDD. So you must overwrite that special area (and be damn sure not to overwrite anything else). Luckily SGE seems not to calculate any checksums over the original MBR.
Prepare emergency Linux boot CD or something like that
Use Timo's rescue CD, some kind of USB flash memory Linux distro or something like that, with which you can boot your system to Linux and access your HDD once your computer won't boot by itself.
Create SGE emergency disks & backups in case of disaster.
I mean it. Create SGE emergency disks and kernel backups in case of emergency. If you mess up your partitions you may be able to salvage something with those. If everything succeeds, these are not needed, but I really, really recommend backups.
I found with other encryption software that it may write important data beyond the first 512 bytes (yes, the MBR is the first 512 bytes on the disc and that should be it, BUT the first partition usually starts at track 1, leaving some space between the MBR and the first partition, and that can be used to store data or executable code). I don't know if this is the case with SGE too, but you could also take a backup of the first few tracks (something like 'dd if=/dev/hda of=backup bs=32256 count=10', which backs up the first 10 tracks - a track usually being 63 sectors * 512 bytes).
Take image from SGE MBR.
Boot to Linux and use the following command:
dd if=/dev/hda of=sge.mbr bs=1 count=512
Store sge.mbr in a safe place.
Install MS MBR
You need the MS MBR for loading Windows without any boot menu or the like. If you have any other Windows installation (same version as on your SGE computer), grab the image from it; if not, use the Windows Recovery Console to rewrite the MS MBR (hint: fixmbr). It will nag you about a non-standard MBR, but let it nag. Warning! After this your computer won't boot if you have encrypted your Windows partition!
Take image of MS MBR
Boot to Linux with boot CD and take image with command:
dd if=/dev/hda of=ms.mbr bs=1 count=512
Store it in a safe place.
Install GRUB
Install and configure GRUB. See GRUB's documentation about this. Now you should be able to boot your alternative OSes, but not Windows.
Configure GRUB to use SGE MBR image
Copy sge.mbr to /boot and use the following GRUB configuration directives (change partitions etc. according to your setup):
title Safeguard Easy - PBA
root (hd0,5)
chainloader /boot/sge.mbr
If you have a separate boot partition, just use 'chainloader /sge.mbr' and the correct root directive.
Now you should also be able to boot the SGE PBA, which boots your originally installed MBR. If that is GRUB, you could boot Windows with suitable commands after executing the SGE PBA once :-)
Hexedit your Windows partition and find offset of your original MBR (one you had before installing SGE).
Now comes the most dangerous part. Boot to Linux and open /dev/hda1 in a hex editor. Find your original MBR in it. If you used GRUB, just search for the string "GRUB". Open your original MBR (hope you have an image of it or can get one!) in another hex editor and find the exact starting offset of the original MBR within /dev/hda1. In my setup the offset was 0x32BC00 (3324928) but yours may differ.
Take backup of it
Take a backup, just in case, of the relevant part of /dev/hda1 (it may be wise to include some space before and after it to allow for mistakes). The command could be something like this:
dd if=/dev/hda1 of=backup.img bs=1 count=512 skip=3324928
If your system won't boot after the next step, write that backup back to the same place.
Overwrite it with MS MBR
Now you are about to do something very dangerous. Triple-check every character and every number in your commands and triple-check your offsets etc. If you mistype the offset you can destroy a lot, and if you don't even have backups you may face disaster. Also, PLEASE UNDERSTAND WHAT YOU ARE DOING, since I do not guarantee that there are no typos or mistakes in this document. Remember that I take no responsibility and if something breaks... well, tough. Time to get serious:
dd if=ms.mbr of=/dev/hda1 bs=1 count=512 seek=3324928 conv=notrunc
Do not forget conv=notrunc or you will zap the rest of your partition.
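A read-only way to do the offset search and to double-check the offset before the write above, as an added shell example that is not part of the original page. The function names, the constructed sample image and the assumption that the stored MBR sits on a 512-byte sector boundary (as the author's 0x32BC00 does) belong to this example; it also assumes GNU grep.

```sh
#!/bin/sh
# Added example (not from the original page). Read-only: nothing here writes
# to the searched partition. Assumes GNU grep and a sector-aligned stored MBR.

# sector_matches FILE OFFSET IMAGE
# Exit 0 only if the 512 bytes at byte OFFSET of FILE are identical to IMAGE.
sector_matches() {
    [ $(( $2 % 512 )) -eq 0 ] || return 2      # refuse unaligned offsets
    dd if="$1" bs=512 skip=$(( $2 / 512 )) count=1 2>/dev/null | cmp -s - "$3"
}

# mbr_candidates HAYSTACK NEEDLE MARKER
# Print the byte offset of every sector of HAYSTACK that equals the 512-byte
# NEEDLE. MARKER (e.g. "GRUB") only selects which sectors get compared.
mbr_candidates() {
    [ "$(wc -c < "$2")" -eq 512 ] || { echo "needle must be 512 bytes" >&2; return 2; }
    LC_ALL=C grep -obUaF -- "$3" "$1" | cut -d: -f1 |
    while read -r hit; do echo $(( hit / 512 * 512 )); done | sort -n -u |
    while read -r off; do
        if sector_matches "$1" "$off" "$2"; then echo "$off"; fi
    done
}

# build_sample DIR: constructed test data standing in for /dev/hda1.
build_sample() {
    # 512-byte stand-in for the pre-SGE MBR: "GRUB " inside, 55 AA at the end
    { head -c 380 /dev/zero; printf 'GRUB '; head -c 125 /dev/zero
      printf '\125\252'; } > "$1/orig.mbr"
    dd if=/dev/zero of="$1/part.img" bs=512 count=64 2>/dev/null
    # decoy: a sector that contains the marker but is not the MBR
    printf 'GRUB decoy' | dd of="$1/part.img" bs=512 seek=10 conv=notrunc 2>/dev/null
    # the "stored original MBR" at sector 40 (byte offset 20480)
    dd if="$1/orig.mbr" of="$1/part.img" bs=512 seek=40 conv=notrunc 2>/dev/null
}

demo=$(mktemp -d)
build_sample "$demo"
echo "candidate offsets: $(mbr_candidates "$demo/part.img" "$demo/orig.mbr" GRUB)"
# Guard the destructive step: proceed only if the target sector is the old MBR.
if sector_matches "$demo/part.img" 20480 "$demo/orig.mbr"; then
    echo "offset 20480 verified; safe to write ms.mbr there"
fi
rm -rf "$demo"
```

On a real system the haystack would be /dev/hda1 (or an image of it) and the needle your saved original MBR; running sector_matches against ms.mbr after the write confirms that the intended sector, and only that sector, now holds the MS MBR.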
Reboot and cross your fingers
Reboot. If everything went smoothly, you get GRUB after the reboot. You should be able to boot your alternative OS and you should be able to boot the SGE PBA, which should be able to boot Windows. You can try to boot Windows directly from GRUB; it should not work, since everything in your Windows partition is encrypted.
Problems
If you are not able to boot then I am sorry. Try to salvage your system by restoring the original MBR to /dev/hda1, and try to hexedit everything and check whether you had wrong offsets or something. After everything else has failed, use your backups... I really cannot help (but I would like to hear your success / disaster stories). I can try to help if you drop me an email, but it's probably useless.
SGE nags about MBR
SGE nags about changed MBR by default. Use Administration utility and change MBR Protection setting to ignore.
Changing encryption settings
After you change encryption settings (don't know if changing the password is enough) you may need to redo the imaging of the SGE MBR and the installation of GRUB. I don't know the exact procedure of the SGE PBA but I'm sure you will find out when something breaks. Remember to take SGE kernel backups too, as it advises.
Alternative methods
There are some references in the documentation to IBM- and Compaq-specific MBR tweaks which would allow an untampered MBR. I don't know if they could be utilized with GRUB too. However, it seems that if your computer is not an IBM or Compaq, you cannot select them.
Misc
Below I have quoted D-Tick, who provided me with much information. I haven't had time to merge those instructions into my own, but you may find some help in those examples.
[+] Delete the MBR
+ with an Win 98 bootdisk:
- boot the disk
- A:\>fdisk /mbr (!!MBR will be deleted !!)
[+] Reinstall grub (maybe after destroying it with the Nt-bootmanager):
boot knoppix with "knoppix 2" (only text, do we need X for cp and mount :) ?)
$grub *wait*
in the grubshell type in:
grub>root (hd0,2)
# i have a own partition for /boot it is /dev/hda3 grub needs it as
# hd0,2
# to tell grub where /boot lives /dev/hda1 == (hd0,0) ||
# /dev/hda3==(hd0,2)
and:
grub>setup (hd0)
now grub is installed :)
[+] Situation: Linux + Grub is installed, Windows has to be reinstalled
- Write down your partitions, so you have a clue what's /boot / or your
windows partition
- Reinstall Windows, SGE and crypt your partitions
- boot knoppix and copy your _new_ sge.img to /boot (now you need your
list you made above)
#- delete /mbr (do we need that??) // no we don't, grub overwrites
it itself
- reinstall Grub
- Check if your sge.mbr is still in the menu.lst maybe you have to
reconfigure
- choose your sge.mbr in grub, login safeguard, boot your new windows
[+] Changing SGE Preferences
- I changed my System-User password in SGE, rebooted and everything was
fine, the new passphrase worked without copying/changing anything
from/to mbr or grub
- Even the "ignoring mbr changes"-function change worked
my opinion is, that only if you change the key or encrypt anything new,
SGE changes his settings directly in the MBR
Credits
'D-Tick' for pointing out that you need different configuration if you have separate boot partition. He also provided me some additional information, thank you very much!