Mr
From Grub4Dos Wiki
I am interested in
- multibooting different operating systems
- USB booting, XP on USB
- fully encrypted harddisks, using TrueCrypt
Here is some general information about booting.
Are you interested in booting an encrypted XP from USB or eSATA with full multiboot support? Then you are in the right place.
You can even boot from USB if your BIOS has no native support for USB booting or if your BIOS is buggy, see below.
complex things possible
If your computer supports booting from USB you can do
real computer -> BIOS -> USB -> grub4dos -> emulate CD-ROM -> boot TrueCrypt-rescue.iso -> enter password -> boot either the internal or the external Windows on harddisk
and also
VMware or real computer -> BIOS -> boot from CD or floppy -> PloP (see below) -> USB -> grub4dos -> emulate CD-ROM -> boot TrueCrypt-rescue.iso (you just need to choose the correct one, see below) -> enter password -> boot either the internal or the external Windows
is possible.
if you want to copy this...
I suggest learning step by step, in this order:
- a virtualizer (optionally with raw disk feature) for risk free testing
- grub4dos with multibooting and image emulation
- USB booting with no encryption and some easy operating system such as DOS
- USB booting XP without encryption
- PloP Bootmanager
- TrueCrypt and Full Disk Encryption on internal system harddisk
- USB booting XP and encrypt it
Then you can put everything together.
The configuration of one of my computers in short
- internal harddisk
- just one big partition
- on the internal harddisk Windows XP is installed
- inside the MBR is the TrueCrypt bootloader
- when booting from hd0 with the BIOS I enter my password and Windows XP boots
- external harddisk
- it's connected by either USB or eSATA
- two partitions
- first partition is NTFS, fully encrypted with TrueCrypt, and holds Windows XP
- second partition is FAT32, not encrypted and FreeDOS
- inside the MBR is grub4dos
- mostly I boot this harddisk
- the method I am describing here is: real computer -> BIOS -> SCSI (eSATA controller card) -> eSATA harddisk -> grub4dos
notes when booting external harddisk
When booting from USB or SCSI (eSATA controller card) the booted harddisk becomes hd0 in grub terms. (However, it does not become IDE0,0.) The original IDE0,0 disk becomes hd1, and so on. This is why the menu entries below swap hd0 and hd1 with map before chainloading.
my grub4dos configuration
# this simply boots the internal harddisk's MBR
# enter password, boot Windows
title Windows XP - boot from internal IDE
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd0)+1

# this tells grub4dos to emulate a virtual CD image and boot it
# the virtual CD image can ask for the password and boot Windows
title tcreal.iso
map --mem /GRUB/tcreal.iso (hd32)
map --hook
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd32)

# it's also possible to write the MBR into a file and chainload it
# enter password, boot Windows
# you can use either dd or, on Windows even more easily, diskprobe from the Support Tools for XP
title tcreal.mbr
chainloader /GRUB/tcreal.mbr
map (hd1) (hd0)
map (hd0) (hd1)
map --hook

# chainloading the original TrueCrypt MBR saved after encrypting (before installing grub4dos) also works
title XP on External - tcusb.mbr
chainloader /GRUB/tcusb.mbr

# the easiest method to boot the TrueCrypt encrypted external harddisk with Windows XP is booting the original rescue CD made for that harddisk
title XP on External - tcusb.iso
map --mem /GRUB/tcusb.iso (hd32)
map --hook
chainloader (hd32)

# PloP can boot USB, even if the BIOS can't
# the normal way is to boot PloP with the BIOS, but it can also be booted from grub4dos, for more see below
# note: PLoP Bootmanager now provides its own .bin file which can be chainloaded directly without emulation
title PloP Bootmanager
map --mem /GRUB/Plop/plop.iso (hd32)
map --hook
chainloader (hd32)
TrueCrypt
A rescue image made with TrueCrypt for one harddisk works only for that harddisk. If you decrypt and encrypt again you need a new rescue image. This means that with the rescue image for the internal harddisk you cannot boot or recover the external harddisk, because the volume header and master key differ. This is nothing new, it is all in the TrueCrypt documentation, but it is important to understand when using it. Also understand what the volume header is and what is lost with it.
portability
If a TrueCrypt encrypted USB harddisk boots on your machine, with or without PLoP, you can be happy. But this is a wobbly business: if you want to use that USB HDD on other computers you may run into the "BIOS reserved too much memory" error at the TrueCrypt pre-boot screen.
This "BIOS reserved too much memory" error can also happen in the standard setup (system encryption on an internal harddisk, as designed). Therefore TrueCrypt is not a nice addition for portability.
two-factor authentication
TrueCrypt, as of version 6.1a, does not support two-factor authentication at pre-boot authentication.
- two-factor authentication: authenticating yourself with more than one factor, for example password and keyfile, or password and token
- pre-boot authentication: the bootloader that appears when using system encryption; you need to enter your password before the operating system boots
I highly recommend to:
- create the TrueCrypt rescue CD
- have a backup of everything
- exercise and learn in a test environment
What I originally wanted to achieve:
- [1] a fully encrypted harddisk with no traces of TrueCrypt, so I could claim it is only random data
- [2] two-factor authentication at pre-boot: a keyfile on USB plus password entry
What I am using:
I have a bootable USB key (and also a USB harddisk) with grub4dos installed on it. grub4dos can take simple iso images, emulate them and boot them. This also works very well for the TrueCrypt rescue disk.
What I think to know:
If the header is damaged or lost and no backup is available, the whole content of the volume is lost.
My idea:
I shred sector 0 of my harddisk with random data, so the bootsector (TrueCrypt bootloader and system volume header) is lost. From then on I boot from USB, use the emulated TrueCrypt rescue image, enter the password and boot. Without the USB key = no boot, without the password = no boot. Is this what I wanted to achieve or did I miss something?
the implementation #1:
As of version 6.1a I did not manage to fill the whole MBR with random data: when I then booted from the virtual rescue CD, the TrueCrypt bootloader told me "no bootable partition found". Therefore a working partition table is needed and we can forget [1].
The drawback of implementation #1 is that you cannot claim [1], but it is tested and working, although not verified yet.
storing and deleting MBR
Basic knowledge of Linux and partitions is needed. Log in as root and run fdisk -l to see all detected harddisks and partitions; do not blindly use /dev/sda, find out which device you actually need.
To store the full MBR (bootstrap code, partition table and signature, 512 bytes) into a file use dd if=/dev/sda of=mbr_complete.bin bs=512 count=1 (good to restore it later if needed)
To store only the bootstrap code without the partition table (the first 446 bytes) use dd if=/dev/sda of=mbr_no_partition_table bs=446 count=1
To wipe the bootstrap code but keep the partition table and the 0x55AA signature (bytes 446 to 511) use dd if=/dev/zero of=/dev/sda bs=446 count=1. If you want the area to look like random data rather than zeros, as in implementation #1, use if=/dev/urandom instead; repeating a pass with /dev/zero changes nothing. Afterwards verify with dd if=/dev/sda bs=1 skip=446 count=66 | xxd that the partition table is still there before you reboot.
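The following script is an added example for this page and is not the wiki author's own code. It wraps the dd commands above into functions that back up sector 0, wipe only the 446-byte bootstrap area with random data (implementation #1), check that the partition table and the 0x55AA signature survived, and restore the saved sector. The device names in the comments are placeholders; as the page advises, run it first against an image file in a test environment, not against a real disk you have not backed up. It assumes a classic MBR with 512-byte sectors.

```shell
#!/bin/sh
# Added example (not from the Grub4Dos wiki): safe MBR backup, bootcode wipe,
# verification and restore. DEVICE may be a block device such as /dev/sdb
# (check with fdisk -l first!) or an image file for risk-free testing.
# Assumed layout: classic MBR, 512-byte sectors:
#   bytes 0..445    bootstrap code (TrueCrypt bootloader lives here)
#   bytes 446..509  four 16-byte partition table entries
#   bytes 510..511  signature 55 AA

# backup_mbr DEVICE OUTFILE: save the complete first sector (512 bytes).
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# backup_bootcode DEVICE OUTFILE: save only the bootstrap code (bytes 0..445).
backup_bootcode() {
    dd if="$1" of="$2" bs=446 count=1 2>/dev/null
}

# wipe_bootcode DEVICE: one pass of random data over bytes 0..445.
# bs=446 count=1 writes exactly 446 bytes, so the partition table is untouched.
# conv=notrunc keeps an image file at its full size (a block device cannot
# be truncated anyway).
wipe_bootcode() {
    dd if=/dev/urandom of="$1" bs=446 count=1 conv=notrunc 2>/dev/null
}

# restore_mbr DEVICE BACKUP: write the saved 512-byte sector back.
restore_mbr() {
    dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# byte_range FILE OFFSET LENGTH: print LENGTH bytes starting at OFFSET.
byte_range() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# partition_table_intact DEVICE BACKUP: exit 0 if bytes 446..511 of DEVICE
# (partition table + signature) are identical to those in the 512-byte BACKUP.
partition_table_intact() {
    a=$(mktemp) && b=$(mktemp) || return 1
    byte_range "$1" 446 66 > "$a"
    byte_range "$2" 446 66 > "$b"
    if cmp -s "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}

# bootcode_changed DEVICE BACKUP: exit 0 if bytes 0..445 now differ from the
# BACKUP, i.e. the wipe really took effect.
bootcode_changed() {
    a=$(mktemp) && b=$(mktemp) || return 1
    byte_range "$1" 0 446 > "$a"
    byte_range "$2" 0 446 > "$b"
    if cmp -s "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return "$rc"
}

# has_mbr_signature DEVICE: exit 0 if bytes 510..511 are 55 AA.
has_mbr_signature() {
    [ "$(byte_range "$1" 510 2 | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

# Typical sequence on a real disk (device name is a placeholder):
#   backup_mbr /dev/sdb mbr_complete.bin        # keep this file off the disk!
#   wipe_bootcode /dev/sdb
#   partition_table_intact /dev/sdb mbr_complete.bin && has_mbr_signature /dev/sdb \
#       && echo "partition table and signature intact, safe to reboot"
#   restore_mbr /dev/sdb mbr_complete.bin       # undo, if ever needed
```

Keep the backup off the encrypted disk itself: once the bootstrap area is wiped, the only way back to a self-booting disk is restore_mbr with that file, or the TrueCrypt rescue disk for exactly that volume.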
USB booting and grub4dos menu.lst
Assuming that your BIOS boots from USB and treats the USB disk as a harddisk...
title tc.iso
map --mem /GRUB/bootimgs/tc.iso (hd32)
map --hook
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd32)
the implementation #2:
This is about chainloading the whole saved MBR from a file and overwriting the whole MBR on the harddisk.
chainloader /tcmbr.bin will not work if the full MBR on the disk (including the partition table) has been filled with zeros or random data: the chainloaded TrueCrypt code still needs the disk's own partition table and fails with "no bootable partition found". Only the first 446 bytes may be wiped.
links
SATA
XP ships no drivers for SATA controllers running in native (AHCI) mode, so it cannot boot from such a controller out of the box. This is not the fault of the BIOS or the bootmanager: bootstrapping through BIOS functions works, but once XP switches to its own harddisk driver the controller is unsupported and the result is a bluescreen. (Many BIOSes offer an IDE compatibility mode for the SATA controller which XP can use without extra drivers.)
To overcome this you need either a floppy disk with the SATA drivers (F6 during setup) or you slipstream the drivers into your installation CD. A nice trick is also to boot another operating system, start an emulator, attach the real harddisk as a raw disk, boot Windows in the virtual environment, install the SATA drivers there and then reboot on bare metal.
Or you can boot from USB or an IDE adapter while the SATA controller is connected, install the driver, and on the next reboot booting from SATA should work.
USB
Most parts have been moved to USB booting
"compatible XP USB test"
A reasonably easy and at the same time most robust test for booting XP from USB is the following:
- get a safe environment for testing
- use a USB-HDD, not a USB pendrive
- zero out the first 10,000 sectors, for example with HxD
- safely unplug the USB-HDD and connect it again
- go into Windows Disk Management and create one primary partition, FAT32, 30,000 MB, and mark it active
- do the pretest and try to find a real machine with a good BIOS that is capable of USB booting; only after success continue
- use USBoot and do phase I, phase II and phase III as normal
- test booting the full XP with the good BIOS
- only after this worked successfully can you claim "the compatible XP USB test worked for you"
