How to chain GRUB2 for Ubuntu 10.04 from Truecrypt & its bootloader (multi boot alongside Windows XP partition)?

I want Truecrypt to ask for the password for Windows XP as usual, but with the standard [ESC] option; on selecting that, i.e. via the Escape key, I want it to find the GRUB for the (unencrypted) Ubuntu install.

I've installed Windows XP on the 120Gb hard drive of a Toshiba NB100 netbook then partitioned to make room for Ubuntu 10.04 and installed that after the Windows XP install.

When I encrypt Windows XP, Truecrypt will overwrite the GRUB entry in the master boot record (MBR), I believe (?), and I won't be able to choose between XP and Ubuntu any more. So I need to restore it.

I've searched fairly extensively for answers on Ubuntu forums and elsewhere but have not yet found a complete answer that covers all eventualities, scenarios and error messages, or otherwise they talk of legacy GRUB and not GRUB2. Ubuntu 10.04 uses GRUB2.

My setup:

Partitions:

  1. Windows XP, NTFS (to be encrypted with Truecrypt), 40Gb
  2. /boot (Ext4, 1Gb)
  3. Ubuntu swap, 4Gb
  4. Ubuntu / (root) - main filesystem (20gb)
  5. NTFS share, 55Gb

I know that the Truecrypt boot loader replaces GRUB at boot-up because I've already tried it on another laptop.

I want the boot loader screen to look something like the usual:

Truecrypt

Enter password:

(or [ESC] to skip)

The password is for Windows XP, and on pressing [ESC] I want it to find the Ubuntu GRUB to boot from.

Thanks in advance for your help.

The key area of the problem is how to instruct Truecrypt what to do when the Escape key is pressed, and how GRUB/Ubuntu can be made visible to the Truecrypt bootloader so that it can find it when the Esc key is pressed. Also known as chaining.


This is pretty easy. Partition your disk, install Windows and Ubuntu. Use TrueCrypt on the Windows partition, which will encrypt Windows but leave Ubuntu unencrypted.

You'll then find you can probably only boot into Windows, and then through the TrueCrypt bootloader. Sounds like you're there already.

Say your disk is sda, with Windows on sda1 and Linux on sda2 (this is hypothetical, yours looks like it won't be sda2). TrueCrypt will install onto the MBR on sda and overwrite GRUB.

Use the Ubuntu distro CD to boot up a live CD, then chroot into your pre-installed system. Like so:

sudo su -
mkdir -p /mnt/ubuntu
mount /dev/sda2 /mnt/ubuntu            # your Linux root partition
# if /boot is a separate partition, mount it too: mount /dev/sdaN /mnt/ubuntu/boot
mount --bind /proc /mnt/ubuntu/proc
mount --bind /dev /mnt/ubuntu/dev
mount --bind /sys /mnt/ubuntu/sys      # grub-probe reads /sys to map devices
chroot /mnt/ubuntu

Then install the GRUB bootloader, but to sda2, rather than sda.

grub-install /dev/sda2 --force   # --force: GRUB warns about (and otherwise refuses) installing to a partition boot sector

Then, when you reboot, you'll still get the TrueCrypt loader asking you for a password to boot from sda -> sda1 into Windows. But when you press ESCAPE you'll get the option to bypass and boot straight into Linux, but from sda2 rather than the MBR.

But wait

Before you do this, one caveat: if you get your grub-install wrong, and overwrite the sda MBR, or if you do a kernel upgrade which triggers GRUB to overwrite the MBR, you'll find you need to reinstall the TrueCrypt bootloader in order to get back into Windows. This is a massive hassle if you're not prepared.

I'd suggest that before you fiddle with GRUB, you back up the TrueCrypt bootloader stuff from within Linux. That way, when you break TrueCrypt and can only get into Linux, you can easily write it back.

Back up your TrueCrypt boot loader:

dd if=/dev/sda of=~/truecrypt.mbr count=1 bs=512       # sector 0: boot code, partition table and 55AA signature
dd if=/dev/sda of=~/truecrypt.backup count=8 bs=32256  # Just in case: 8 x 63 sectors = 504 sectors
# NB: on a classic XP layout the first partition starts at sector 63, so the
# 504-sector copy also contains the start of sda1; only write it back if that
# partition has not changed since the backup was taken.

Restore your TrueCrypt boot loader (I call this restore-truecrypt.sh):

sudo dd if=~/truecrypt.mbr of=/dev/sda count=1 bs=512      # restores the partition table too: don't use it after repartitioning
sudo dd if=~/truecrypt.backup of=/dev/sda count=8 bs=32256 # see the caveat in the backup step
sudo grub-install /dev/sda2 --force                        # put GRUB back on the Linux partition's boot sector

I have both of these sets of commands in little shell scripts, which I keep handy. When I accidentally zap my bootloader (it happens) I don't want to be Googling around for the commands or reading man.

Oh, and a word on compatibility. When I write "GRUB", I meant GRUB 1 or 2. Personally, I do it with GRUB 2 on 10.04 and Windows 7... but it worked fine with older versions of GRUB, Windows and Linux.
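The backup/restore scripts above write the saved sector back blindly. As an added example (not part of the answer, and not TrueCrypt's or GRUB's own tooling), here is a POSIX sh version of the restore step that checks the backup is really a 512-byte MBR with the 0x55AA signature, refuses to proceed if the partition table on the disk no longer matches the one in the backup, and then writes back only the 446 boot-code bytes so the live partition table is never overwritten. The disk argument defaults to a hypothetical /dev/sda; pass a disk-image file to try it without touching real hardware.

```shell
#!/bin/sh
# Added example, not part of the answer above: safety checks around the
# dd-based TrueCrypt MBR backup/restore. Assumes the backup was taken with
#   dd if=/dev/sda of=~/truecrypt.mbr bs=512 count=1
# The disk argument defaults to a hypothetical /dev/sda; pass a disk image
# file instead to exercise the functions without touching real hardware.

hexdump_range() {
    # $1 file, $2 byte offset, $3 length -> lowercase hex string, no spaces
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# 0 if FILE is exactly 512 bytes and carries the 0x55 0xAA boot signature.
mbr_is_valid() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(wc -c < "$f")" -eq 512 ] || return 1
    [ "$(hexdump_range "$f" 510 2)" = "55aa" ]
}

# 0 if the 64-byte partition table (offset 446) in BACKUP equals the one on
# DISK. If they differ the disk was repartitioned after the backup and the
# saved sector must not be written back wholesale.
partition_table_matches() {
    a=$(hexdump_range "$1" 446 64)
    b=$(hexdump_range "$2" 446 64)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Write back only the 446 boot-code bytes, never the partition table or the
# signature, and only after both checks pass. DRY_RUN=1 prints the command.
restore_truecrypt_mbr() {
    backup="$1"; disk="${2:-/dev/sda}"
    mbr_is_valid "$backup" || {
        echo "refusing: $backup is not a 512-byte MBR ending in 55AA" >&2; return 1; }
    partition_table_matches "$backup" "$disk" || {
        echo "refusing: partition table in $backup differs from $disk" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dd if=$backup of=$disk bs=446 count=1 conv=notrunc"
    else
        dd if="$backup" of="$disk" bs=446 count=1 conv=notrunc 2>/dev/null
    fi
}

# Typical use on the real machine (not run here):
#   DRY_RUN=1 restore_truecrypt_mbr ~/truecrypt.mbr /dev/sda   # show what would run
#   sudo sh -c '. ./restore.sh; restore_truecrypt_mbr ~/truecrypt.mbr /dev/sda'
```

Writing 446 bytes instead of 512 is the usual way to put a boot loader back without disturbing the partition table; the same trick applies to the larger `truecrypt.backup` copy, which should be checked against the live disk the same way before being restored. On Debian/Ubuntu, `dpkg-reconfigure grub-pc` lets you pin the device grub-pc reinstalls to on kernel or GRUB upgrades, which removes the most common cause of the MBR being clobbered in the first place.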


The answer I am going to accept for this question is my own. And that answer is to accept that I can't* do this and I will accept one of the alternatives:

  1. Use a virtualisation/VMware-style application running in Windows XP (the encrypted system drive partition) to host Ubuntu, such as VirtualBox, VMware or Parallels. So I would have to boot into Windows, then run this application and boot into Ubuntu from within it. Some commentators list one of the disadvantages of this approach as being that you have to boot twice (first XP, then Ubuntu) to get to Ubuntu. However, I would say it actually has an advantage over ordinary BIOS-launched dual boots in that you actually have both OSs running at the same time. Great if you want to, for example, test applications or web pages quickly on multiple platforms.

  2. Use a secondary hard drive or SD card (for example 8gb, 16Gb) for Ubuntu and select from BIOS (one-time) boot to boot Ubuntu from that.

*Can't = really means I've spent enough time (about 6 hours over 3 days, going away cleared my mind, searching forums coming back refreshed) on this and am not prepared to spend any more. So I can't be accused of being lazy and relying upon others. Can't = also means: can't at the moment. I may revisit this again.

Here's some references that others might find useful:

  • http://ohioloco.ubuntuforums.org/showthread.php?p=8610542 ("Dual booting with Truecrypt 6.3a chainloading Grub2")
  • https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/484102 ( "Bug #484102 in grub2 (Ubuntu): “Grub2 doesn't chainload truecrypt loader correctly” )
  • http://ubuntuforums.org/showthread.php?t=1229541&page=3 ("Chainloading TrueCrypt with GRUB2")
  • http://post.ryanoshea.com/howto-dual-boot-system-encryption-windows-ubu ("HowTo: Encrypt A Dual-Boot System (Windows & Ubuntu)")
  • http://ubuntuforums.org/showthread.php?t=689579&page=2 ("Combine TrueCrypt bootloader and GRUB?")

All of the above offer some insight but not a definitive complete answer that covers every eventuality or grub version.

I've posted this same question here on superuser, on ubuntuforums and on the truecrypt forums:

  • http://ubuntuforums.org/showthread.php?p=9755416#post9755416
  • http://forums.truecrypt.org/viewtopic.php?p=86161#86161

My justification in doing this is that readers of these forums won't necessarily read other forums, there will be some overlap but some vital advice may get missed.

Background thoughts and learnings (if interested!)

I'm actually quite pleased to say that I called it a day and came around to the alternatives though I did let it get the better of me and kept on fighting to win and solve my answer. But it's a relief to accept that it can't be done (easily) and that there are alternatives. Now I can get on with more important things! I already dual boot Windows 7 and Ubuntu 10.04 on a desktop without encryption - that is quite a straightforward procedure. And with the alternatives I'm not far off what I wanted in my original answer. Actually I don't use Ubuntu on a notebook as much as Windows at the moment so I won't be missing it so much. I also have a MacBookPro, so am by no means more a Windows fan than any other OS!

Here's a reason why I would like truecrypt encrypted windows dual booting with Ubuntu, from another user's perspective:

http://blog.mfabrik.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/

"I have a work laptop used in Symbian and web development. I need to be able to boot both Vista and Linux. Due to client privacy, both operating systems must be crypted for the case of lost laptop. Even if I do not use Windows actively, its web browser data may contain stored password for client systems and it would be catastrophic to leak them accidentally."

Grub2 is much more complex than grub, some might argue necessarily so. I had success with pre-10.04 Ubuntu (GRUB not GRUB2) with Windows XP:

http://www.howtoforge.com/forums/showthread.php?p=184776#post184776

I say more complex because more settings files are now present, spread over more directories with references between them; some are now machine generated and editing them is advised against, e.g. the boot menu; and there is a sort of scripting language to learn and script interpreters to run when a change is made. It's too involved for me at the moment, and it's only for launching an operating system, not a rocket to the moon!


I think I just solved this pretty smoothly. My original situation was as follows: I had an unencrypted netbook (MSI U160) with a Windows 7 partition and a Ubuntu 10.10 partition (Ubuntu's grub2 sitting in the MBR).

  1. In order to get Truecrypt installed, I had to reinstall Windows 7 into its original partition.
  2. Then I installed truecrypt (encrypting the whole windows 7 partition)
  3. Using these instructions I reinstalled Ubuntu from a USB key, placing the grub2 loader onto the Ubuntu partition
  4. After rebooting, I get the TrueCrypt boot loader. I hit [ESC] and I get a list of bootable partitions, including the Linux one (it also shows the Windows partition, but since that's encrypted, booting that will fail).

I hope this is what you want as well.


I just spent the last 2 days battling this, and couldn't get any of these answers to work for me. What I finally did get working, I have documented on my blog. Here is the summary version (done with Debian wheezy; should work for Ubuntu, too. Other distributions may need slight modifications):

Essentially, you chain-load GRUB2 to load SYSLINUX, which in turn boots the TrueCrypt Rescue ISO image, which allows you to boot into Linux.

  1. Install syslinux:

    sudo aptitude install syslinux
    
  2. Copy files into place:

    sudo cp /usr/lib/syslinux/memdisk /boot/
    sudo cp TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso
    
  3. Determine the UUID of your boot partition:

    sudo blkid /dev/sda2
    

    Output should look something like this:

    /dev/sda2: UUID="12345678-1234-1234-1234-123456789012"

  4. Configure GRUB2:

    Add the following to /etc/grub.d/40_custom:

    menuentry "TrueCrypt ISO boot" {
        insmod part_msdos
        insmod fat
        insmod ext2
        insmod search_fs_uuid
        search --fs-uuid --no-floppy --set=boot [UUID without quotes]
        # paths are relative to the root of the partition found above: if /boot is
        # not a separate partition, use ($boot)/boot/memdisk and ($boot)/boot/truecrypt-rescue-disk.iso
        linux16 ($boot)/memdisk iso raw
        initrd16 ($boot)/truecrypt-rescue-disk.iso
    }
    
  5. Re-load GRUB2 configuration

    sudo update-grub
    

Note that this will show you the [F8] Repair options every time you boot into Windows, as we're fooling the system into booting the TrueCrypt Rescue CD image from the hard drive rather than via the "normal" TrueCrypt boot method. But it seems like a small drawback to me (and might even be considered an added feature!)
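The step most people get wrong in the procedure above is the path inside the menuentry: GRUB resolves `($boot)/memdisk` relative to the root of the partition it found by UUID, which is only right when /boot is its own partition. As an added example (not from the answer, and not part of GRUB or syslinux), this POSIX sh snippet extracts the UUID from a blkid line and generates the 40_custom entry with the correct prefix for either layout. It assumes memdisk and the rescue ISO were copied to /boot under the names used in the answer; the "separate"/"shared" argument is the example's own convention (on a live system, `mountpoint -q /boot` tells you which applies).

```shell
#!/bin/sh
# Added example, not from the answer above: generate the 40_custom entry
# instead of hand-editing it. Assumes memdisk and the rescue ISO were copied
# to /boot under the names used in the answer. The "separate"/"shared"
# argument says whether /boot is its own partition (detect it on a live
# system with: mountpoint -q /boot).

# Pull the UUID out of a blkid line such as
#   /dev/sda2: UUID="12345678-1234-1234-1234-123456789012" TYPE="ext4"
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# GRUB paths are relative to the root of the partition it searched for:
# "" when /boot is a separate partition, "/boot" when it lives on /.
boot_prefix() {
    case "$1" in
        separate) printf '' ;;
        shared)   printf '/boot' ;;
        *) echo "boot_prefix: expected separate|shared" >&2; return 1 ;;
    esac
}

# Emit the menuentry; $1 UUID, $2 separate|shared.
truecrypt_menuentry() {
    uuid="$1"
    prefix=$(boot_prefix "$2") || return 1
    [ -n "$uuid" ] || { echo "truecrypt_menuentry: empty UUID" >&2; return 1; }
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $uuid
    linux16 (\$boot)$prefix/memdisk iso raw
    initrd16 (\$boot)$prefix/truecrypt-rescue-disk.iso
}
EOF
}

# Typical use on the real machine (not run here):
#   truecrypt_menuentry "$(blkid_uuid "$(blkid /dev/sda2)")" separate \
#       | sudo tee -a /etc/grub.d/40_custom && sudo update-grub
```

Searching by filesystem UUID rather than hard-coding `(hd0,2)` is what keeps the entry working when the BIOS enumerates drives differently (a USB stick plugged in at boot, for instance); the generated text is appended to 40_custom and picked up by `update-grub` exactly as in step 5.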