How to set up a Windows 7 with BitLocker and Linux multiboot PC

This how-to describes how to set up a multiboot PC where Windows 7 and one or more Linux distros sit side by side on the same disk and Windows is encrypted with BitLocker. Optionally you can also encrypt Linux with LUKS (Linux Unified Key Setup).

Generally, keep in mind: DO NOT TOUCH the MBR created by Windows. BitLocker will complain about it. So the goal is to use the Windows boot manager, where you can choose to boot the Linux distros, rather than the Linux GRUB boot loader you may be used to.

MAKE A BACKUP first, unless you have big balls and want to modify your existing PC with lots of important data without one.

DISCLAIMER: This page may contain incorrect or outdated information. Again – backup your data!

Preparations

  1. This how-to assumes that you have Windows 7 installed and encrypted with BitLocker, occupying the entire disk. I suggest starting with a blank install, so if something breaks you don't lose anything. Otherwise make a full block-level backup of the disk.
  2. Make a note of the disk usage in GB.
  3. Get local administrator rights.
  4. Turn off BitLocker and decrypt the disk (Control Panel, BitLocker ...).
  5. Change the boot order in the BIOS so that USB is the first choice.

Make some free space for one or more Linux installations

  1. Boot from a USB stick that has a Linux installer. Instead of starting the installation, go to rescue mode or live mode, whatever gives you a shell/command prompt with superuser rights.
  2. Make a backup of the MBR (Master Boot Record); replace <harddisk> with the device that is your computer's first hard disk. In the example below the first disk is /dev/sda.
    # dd if=/dev/sda of=<path to some file on USB stick> bs=512 count=1 ; fdisk -l
  3. Make a note of the Windows partitions on the first disk, with sizes in sectors. In the example below the first disk is /dev/sda.
    # fdisk -l -u=sectors /dev/sda
  4. Use ntfsresize to shrink the Windows filesystem, e.g. if you want it to have at most 50 GB, resize it to something a bit smaller such as 45G. The ntfsresize command-line tool comes from the "ntfs-3g" package on my current Debian; it may be something different in your distro.
    # ntfsresize -s 45G /dev/<windowspartition>
  5. Run fdisk and resize the partition: make a note of the Windows partition number and start sector, delete the Windows partition, then create a new partition with the same number and start sector, but instead of specifying the exact END sector use +50G.
  6. Use ntfsresize again to grow the filesystem to the EXACT partition size.
    # ntfsresize -x /dev/<windowspartition>
  7. Make another backup of the MBR and the partition layout.
    # dd if=/dev/<harddisk> of=<path to some other file on USB stick> bs=512 count=1 ; fdisk -l -u=sectors
  8. Reboot into Windows to make sure it's still bootable; you may also schedule a Windows disk check for the next reboot.

Install Linux (as many as you need)

  1. Boot from USB
  2. Install Linux somewhere in the freed-up space and keep in mind: DO NOT INSTALL THE GRUB BOOTLOADER INTO THE MBR! Instead use the first Linux partition, e.g. /dev/sda3 or something similar. It's a good idea to create a separate partition for the /boot mountpoint and install the GRUB bootloader into that same partition. Instructions for setting up Linux on an encrypted volume are at the end of this page. If you jump there, you still have to complete step 3 of this chapter.
  3. Copy the first 512 bytes of the partition where you installed GRUB into a file, using the command below with the GRUB location filled in. That file is needed when configuring the Windows boot manager, so put it on the USB stick.
    # dd if=/dev/<grub location device> of=<path to yet another file on USB stick> bs=512 count=1
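The MBR backups taken before and after the Windows partition is recreated, and the GRUB boot sector copied for the Windows boot manager, are all raw 512-byte dumps that nothing checks. The POSIX shell helpers below are an added example, not part of the original how-to: they verify that a dump is 512 bytes long and carries the 55 AA boot signature, decode the MBR partition entries (type, start sector, size in sectors) and confirm that a partition's start sector is identical in the before and after backups; the dumps written by make_sample_mbr are constructed samples, not real disks.

```shell
#!/bin/sh
# Added example, not from the original how-to: sanity-check the 512-byte sector
# dumps made with "dd ... bs=512 count=1". Offsets follow the classic MBR layout.

# Decode the 4-byte little-endian unsigned integer at byte offset $2 of file $1.
le32() {
    set -- $(od -An -tx1 -j "$2" -N 4 "$1")
    echo $((0x$4$3$2$1))
}

# Return 0 if $1 is exactly 512 bytes and ends with the 55 AA boot signature,
# which both the MBR backup and the copied GRUB boot sector must carry.
sector_is_valid() {
    [ "$(wc -c < "$1")" -eq 512 ] &&
        [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# Print "TYPE START SECTORS" for primary partition entry $2 (1-4) of MBR dump $1.
# Entry N sits at 446+16*(N-1): status(1) CHS(3) type(1) CHS(3) start LBA(4)
# size(4); type 07 is NTFS, 83 Linux, 8e LVM, 00 an empty slot.
mbr_entry() {
    off=$((446 + 16 * ($2 - 1)))
    echo "$(od -An -tx1 -j $((off + 4)) -N 1 "$1" | tr -d ' \n') $(le32 "$1" $((off + 8))) $(le32 "$1" $((off + 12)))"
}

# Return 0 only if partition $3 starts at the same sector in the before ($1)
# and after ($2) dumps: when the Windows partition is deleted and recreated in
# fdisk only its end may change; a moved start means the filesystem is lost.
mbr_start_unchanged() {
    [ "$(mbr_entry "$1" "$3" | cut -d' ' -f2)" = "$(mbr_entry "$2" "$3" | cut -d' ' -f2)" ]
}

# Encode integer $1 as four little-endian bytes written as printf octal escapes.
le32_octal() {
    n=$1; out=""; i=0
    while [ "$i" -lt 4 ]; do
        out="$out\\$(printf '%03o' $((n & 255)))"; n=$((n >> 8)); i=$((i + 1))
    done
    printf '%s' "$out"
}

# Write a constructed 512-byte MBR dump to $1 holding one bootable NTFS
# partition that starts at sector $2 and spans $3 sectors (sample data only).
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf "\\200\\000\\000\\000\\007\\000\\000\\000$(le32_octal "$2")$(le32_octal "$3")" |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

On a real backup, run sector_is_valid on the MBR file and on the GRUB boot sector file, then mbr_start_unchanged on the before and after MBR files with the Windows partition number noted in fdisk.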

Configure Windows bootloader

  1. Start Windows.
  2. Copy the file holding the first 512 bytes of the Linux partition with GRUB into the root folder of the C: drive. In this example the filename is ubuntu.bin.
  3. Run a command prompt as Administrator.
  4. Run the following, where UBUNTU is the name for the Linux distro shown in the Windows boot manager:
    C:\> bcdedit.exe /create /d "UBUNTU" /application BOOTSECTOR
  5. You should get a message like the one below. Make a note of that ID, {08b437ca-6a57-11e4-b97a-2cd05a804e68}, and USE it in the commands of the next step.
    The entry {08b437ca-6a57-11e4-b97a-2cd05a804e68} was successfully created
  6. Point the new entry at the boot sector file on C:, add it to the end of the boot menu and give the menu a 10 second timeout:
    C:\> bcdedit.exe /set {08b437ca-6a57-11e4-b97a-2cd05a804e68} device partition=C:
    C:\> bcdedit.exe /set {08b437ca-6a57-11e4-b97a-2cd05a804e68} path \ubuntu.bin
    C:\> bcdedit.exe /displayorder {08b437ca-6a57-11e4-b97a-2cd05a804e68} /addlast
    C:\> bcdedit.exe /timeout 10
  7. Reboot and check that you get GRUB after selecting UBUNTU in the Windows boot manager.
  8. After you are done, encrypt the Windows disk again: run BitLocker and have the USB stick ready for the recovery key (when it offers to print, print to file).

Optional – Installing Linux with an encrypted disk

Generally, what has to be done is to create a separate unencrypted /boot partition to store the kernel, initrd etc., and an encrypted partition for the physical volume where everything else is stored (including swap!). These partitions are referred to as <bootpartition> and <otherpartition> below.

Boot from USB, start a LIVE session and open a terminal. Don't start the installation. Encryption setup in the live installer may be buggy, so I suggest setting it up first using command-line tools.

  1. Start fdisk and create two partitions, one for /boot (1GB is enough) and a second for everything else.
  2. Create an ext4 filesystem for /boot.
    # mkfs.ext4 /dev/<bootpartition>
  3. Set up encryption on the other partition. Note that it will require confirmation with "YES" in capital letters:
    # cryptsetup luksFormat /dev/<otherpartition>
  4. Open the encrypted partition. Change ubuntu to something else if needed, but then replace it in the commands below as well.
    # cryptsetup luksOpen /dev/<otherpartition> ubuntu
  5. Create the physical volume, a volume group and at least two logical volumes, for / and swap. Note that vgcreate will also create the physical volume if it does not exist.
    # vgcreate vgubuntu /dev/mapper/ubuntu
  6. Create the volume for /
    # lvcreate -n lvubunturoot -L 10G vgubuntu
  7. Create the volume for swap
    # lvcreate -n lvubuntuswap -L 1g vgubuntu
  8. Create a filesystem on the root volume
    # mkfs.ext4 /dev/mapper/vgubuntu-lvubunturoot
  9. Create the swap
    # mkswap /dev/mapper/vgubuntu-lvubuntuswap
  10. Leave the terminal open and start the graphical installer. Install Linux into the prepared partitions: use the unencrypted partition for the /boot mountpoint and the volumes according to their purpose, /dev/mapper/vgubuntu-lvubunturoot for the / mountpoint and /dev/mapper/vgubuntu-lvubuntuswap for swap. Don't format the partitions/volumes; that's already done and you'll have fewer issues with the installer. DO NOT reboot after the installation.
  11. Run the following to get the UUID of the encrypted partition and copy it to the clipboard.
    # blkid /dev/<otherpartition>
  12. Mount the new installation on /mnt and chroot into it with the commands below, replacing <bootpartition> with the correct device name. The last three mounts are run inside the chroot.
    # mount /dev/mapper/vgubuntu-lvubunturoot /mnt
    # mount /dev/<bootpartition> /mnt/boot
    # mount --bind /dev /mnt/dev
    # chroot /mnt
    # mount -t sysfs sys /sys
    # mount -t devpts devpts /dev/pts
    # mount -t proc proc /proc
  13. Create the file /etc/crypttab in the chrooted environment with the following contents. Add the UUID and replace ubuntu if you named your encrypted volume differently.
    ubuntu UUID=<paste UUID here> none luks,retry=1,lvm=vgubuntu
  14. Create the file /etc/initramfs-tools/conf.d/cryptroot in the chrooted environment with the following contents. Add the UUID and replace ubuntu if you named your encrypted volume differently.
    CRYPTROOT=target=ubuntu,source=/dev/disk/by-uuid/<paste UUID here>
  15. Update the initrd with the following command in the chrooted environment
    # update-initramfs -k all -c
  16. Edit the file /etc/default/grub in the chrooted environment and change the line GRUB_CMDLINE_LINUX="" to the following. Add the UUID and replace ubuntu/vgubuntu if you used different names.
    GRUB_CMDLINE_LINUX="cryptopts=target=ubuntu,source=/dev/disk/by-uuid/<paste UUID here>,lvm=vgubuntu"
  17. Update GRUB with the following command in the chrooted environment
    # update-grub
  18. Done. Now, if you encrypted this Linux installation on the same PC where you have Windows with BitLocker, copy the boot sector to a file as described in the chapter "Install Linux (as many as you need)", step 3, and continue with configuring the Windows bootloader. Otherwise it's time to reboot and check that the encrypted root filesystem and swap are in use.

If you found this useful, say thanks, click on some banners or donate, I can always use some beer money.