Win 7 dual boot with SafeBoot encryption halfway there!

jwhendy · 2011-04-15 02:59:29

EDIT: Sorry for changing the title. It used to be Need those knowledgeable with Windows (esp. 7) for dual boot input, but I had some success and didn't want to start a whole new post. See the last comment for the update!
------

Hi,

Disclaimer: please don't feel compelled to issue warnings regarding doing this on a work computer. I'm aware of the risks, have talked about what I do on my computer (such as wiping it and installing Linux only over my Win issued encrypted system) with a higher-up in IT that I know well, and I have spoken with IT reps about my running Linux. They don't care; they just don't support it or help. I even have an online community for Linux users at work. I'm searching for a work-around that will allow me dual boot while fully maintaining the protection my company seeks by issuing encrypted systems (i.e. replacing a proprietary encryption tool with an open source one).

I'm in a tricky situation. At work I'm issued a computer with SafeBoot, a full-disk encryption tool. On my last computer, I simply installed Arch over everything because dual booting was not possible. I really need Windows, but since I had a desktop as well for CAD usage, I used that for Win and just had Linux on the laptop. My lease just came up and I was issued a new laptop for the next three years. In addition, they upgraded the laptop so I can run CAD from it and they'll be taking my Windows desktop.

So... I'm on a mission to try to find a dual boot solution. I used to run Linux from a flash drive, but sharing data was impossible since I still can't even mount the Win partition and the flash drive isn't big enough to hold anything useful besides the OS itself (8gb). Here's my hope forward:

- Make a bootable clone of Win 7 while it's running with the hope that it's not encrypted
- Test it quite repeatedly to make sure I can boot from it
- Wipe the drive and create a partition for Win and one for Arch
- Use TrueCrypt (or some other cross-platform encryption system) for Win 7
- Restore Win 7 from my bootable clone back onto the encrypted partition on the laptop HD
- Install Arch with LUKS/dm-crypt
- Be extremely happy and celebrate.

Does anyone know if the first steps in particular are feasible? I have used Carbon Copy Cloner on my Mac and it can make a bootable clone while the system is running. It's actually quite awesome because you have an incremental backup solution that youc an also boot from in a pinch in case you need to do something to your HD that can't be done when it's mounted. Much faster than booting from the OS X install disk.

I've been looking for an equivalent on Win and not happy so far. Macrium sounded promising, but when running it, it seems to want to backup to some kind of image file, not simply do a file copy of everything on the drive. Perhaps this will work... I'm just not sure. I also looked at DriveImageXML, but am not sure about that either. I'm using the built-in Win backup tool right now and will see if that works.

Does anyone know of a tool that will do this? CloneZilla or any Linux tool will not work because a literal clone (like dd) made while the computer is off is worthless. I need a decrypted backup.

Lastly, any other general input? Does this seem feasible?

Thanks!

Last edited by jwhendy (2011-04-15 22:02:07)

Inxsible · 2011-04-15 03:04:01

how about running Arch in a virtual environment? I run Arch in virtualbox at work just for kicks and the fact that I would rather spend my free hours playing around with Arch than hanging around at the water cooler.

I have a shared folder between Xp host and Arch guest. mouse integration and full screen mode feels like I am using linux only unless I minimize Arch to go into Windows for actual work. Copy paste between the two OSes works as well.

EDIT : I am currently in the process of installing Slackware in virtualbox on my home pc

Last edited by Inxsible (2011-04-15 03:08:22)

jwhendy · 2011-04-15 03:20:58

@Inxsible: hmmm. I used to do that at one point as well, but for the moment forget why I got annoying to me. But it did get annoying For one, I know Vbox would not handle Arch64 at the time, which was a bummer. Not that it's that big of a deal. Also, I hated that I had to set my allotted memory when I started Vbox... but then I wouldn't know if I was going to use a taxing application in one, or the other, or both. So if I decided that I was going to run Arch exclusively, I'd set it to something like 1.5G out of my available 2G... but then I'd have to do something in Windows and it'd bog because I only left it 500mb of ram.

Stuff like that. I may end up doing this if I can't get dual boot to work. It is rather convenient not to have to reboot everytime I want to do something in one place or the other, especially when it's pretty quick like someone asking for a PowerPoint edit. Right now, with my two computer setup, I just use my desktop to do the work and send it back. If I move to my proposed setup... I'll have to reboot, edit the file, send it back, and then reboot again.

Choices, choices...

Have you run into any issues in your usage? Slowness, usability, interaction (printers, shared files, etc.)?

Thanks for the suggestion!

Inxsible · 2011-04-15 04:38:38

I currently have Arch and Win7 as dual boot at home.

Under Arch I have a win7 64 bit guest, Slackware 64 guest and a slitaz guest. I run either win7 or Slack since I have given each 2 GB out of my 4 GB of total RAM. so Arch host gets 2 GB and either guest gets 2 GB, so I cannot run win7 and slack together. Slitaz only has 512 MB...so I can run that anytime.

Kirurgs · 2011-04-15 06:26:45

Hi!

At work I'm running Arch where 95% of workstations are Windows. All windows machines use firewall (can't share anything), antivirus (quite slower disk access), stupid autoinstall tool (it wants to reboot computer when it want's to and that happens quite frequently), disk encryption (started at windows boot, I have suspection that is effective on whole windows volume, not full disk (physical) encryption), so obvious choice for those who know smth about OS is Linux, which is faster, non-limited and so on
I do use encryption for my home partition and projects partition, both LUKS (dm-crypt), the rest, which doesn't contain any sensitive information like root or installed programs is not encrypted.
I run WindowsXP in VirtualBox, no visible problems at all, so this is the most efficient way to run both together, unless you may need some HW GL acceleration or so.
Windows is needed only for specific Office documents and Microsoft Communicator for speech and screen sharing (chat can be enabled in Pidgin), so mostly I use Linux tools, couple of tools in Wine. From what I see from my colleagues, my setup is way better because of non-limiting / no-interuption etc. etc. etc. work, I really see how they get frustrated when computer reboots overnight and all partly done work or opened applications get closed or how computer reboots in the middle of meetings or how waking up from hibernate will take full 3-4 mins instead of my 30 secs...

P.S. This got a bit wider than I wanted at first But You get the idea how I use Win + Lin + encryption.

regards
Kirurgs

Last edited by Kirurgs (2011-04-15 06:30:42)

jwhendy · 2011-04-15 12:06:08

@Inxsible: thanks -- so basically you reverse the setup? Arch host/Win7 guest (vs. your work setup which has a Win host)?

@Kirugs: Yes! You feel my pain. My Windows computer was all bloated and slow from work stuff. It takes *forever* to just go from the log-in screen to the desktop... and it's freaking brand new! I can't figure it out. I literally unboxed it yesterday -- i7, 4G Ram, Quadro FX 1800M with 1G dedicated/1.7G shared! It's a pretty darn nice computer. Imagine my surprise when it took a long time at first boot and even longer to log-in. What in the world?

And yes, I get reboot messages fairly often, which you can only postpone so long before it forces you to reboot. No fun.

In any case... it sounds like you use the inverse of what Inxsible uses at work? In other words you have a completely Arch system with a WinXP guest?

I'm not sure if that will work for me...
- For starters, I have no idea where I'd get a Win7 install disk to install from in Linux
- Also, I use CAD on Windows and would like to have a proper setup for it; I'm sketchy about Win in virtual box having such "properness" but maybe it'd be fine

Thanks for the suggestions.

John

Inxsible · 2011-04-15 14:15:05

Correct. I wish I would be working in a place where they would be so kind to allow me to install the OS of my choice

jwhendy · 2011-04-15 15:03:39

One other idea... I found out that Win7 allows me to resize my partitions. What if I did the following:
- resize Win7
- make two new partitions
- install Arch to one of them, say about 15G
- leave the rest as a shared truecrypt partition

That way, I leave my company's stuff alone, get to have a dedicated Arch system running, and can share data between them.

My only question is how to boot Linux from Win7 when I have no access to the MBR. In other words, I need to get Win7 to show me boot options, and direct it to Arch's bootloader... but the bootloader can't be on the MBR.

I've always used Grub to control Linux and Win, not the other way around.

Thanks for suggestions!

jwhendy · 2011-04-15 22:21:17

Wow! I can't believe this is working. The rough gist of it is that I think I've found a method that won't require virtualization or fiddling with SafeBoot or having to jump through hoops to either clone while running (to have a decrypted clone), or try to do something like THIS (this is terrifying, since it involves making a clone with dd while it's encrypted and then restoring the SafeBoot encrypted mbr somewhere else later). The gist is like so:

- Use Win7 built in partition editor to shrink it down as far as possible. For me, this was down to about 130G (out of ~230G)
- Use same tool to creat two additional partitions: one for Arch and one for TrueCrypt
- Used Partition Wizard Home Edition to change the type to 0x83 (very necessary)
- Reboot, install Arch to /dev/sda2
- Install grub to /dev/sda2, not to the MBR!
- Reboot into Windows and used EasyBCD to add an archLinux entry to the Win7 boot options
- Rebooted and tried it out!
- I'm logged into Arch right now!

This is actually quite incredible. I think this is about the best I could have asked for. I get to avoid any issues with replacing SafeBoot with something else (even though I'm not sure my IT group really cares [1]), I get a dedicated Linux install, which runs much better and cleaner than virtualizing, and I can share all my stuff via the TrueCrypt partition [2].

I'll keep everyone posted and will probably end up adding this to the wiki. I think this is a win-win situation. [3]

---
Footnotes:
[1] For example, users are permitted to use their personal Macs at work... but they're not encrypted. People just bring them in and use them. They're obviously not protected, so why would IT care if my computer is encrypted with TrueCrypt vs. SafeBoot when they let people run around with no encryption? Not to mention, as said above, I've talked about my doings with an IT higher-up and he's never said anything of caution about not having encryption -- just suggested I routinely run ClamAV. I did get some strong words of caution on SuperUser. I guess everyone can be happy this way.

[2] I have yet to set this up, but think it will be far easier than what I just went through!

[3] The only thing I'm bummed about is that Win7 couldn't be resized any smaller because of unmovable safeboot related files during defrag. It's only using 30G of space right now, but wouldn't shrink below 129G. It doesn't really matter -- I have 30G for Linux and about 80G for my storage. My storage isn't more than 11G for all my work documents right now, so I don't really anticipate blowing through another 70G anytime soon.

jwhendy · 2011-04-19 00:03:48

@all: I'm quite happy with the setup and started a wiki article about my success HERE. Hopefully others will find this helpful. Thanks for all the input. I'm leaving VirtualBox with Arch on the Win side anyway so that if I have to use Windows a lot for something I'm not rebooting all the time... but I hope to spend most of my time in Arch in its own dedicated partition! Yay!

Kirurgs · 2011-04-22 09:49:26

Hi!

I prefer virtualization because that is what perfectly works w/o reboots, I set WinXP on different desktop to full screen and use it like I would do that w/o virtualization. I start WinXP when I need it to, no need to leave it up running all the time.
Also I have tried running VirtualBox w/ physical windows installation on the same HDD, there was an article how to achieve that. What is needed for this to be safe is create new HW configuration in Win before trying to run it in VB. That worked for me quite nice and again that is seamless access to win from Lin, now however I don't have physical Win partition, so can't help with example.

P.S. My machine specs are C2D 2.5GHz, 8G, 256Mb HD3650, 160Gb SATA and it's about 2-4 times faster in usual workloads than colleagues machine i5, 4G, 512Mb or so (we estimate his machine should be about 40% faster than mine). We tested hibernate, SVN compression/decompression, copy speeds, reboots, etc.

regards
Kirurgs

Last edited by Kirurgs (2011-04-22 09:52:33)

jwhendy · 2011-04-22 16:03:56

@Kirurgs: so, are you running Arch host + WinXP guest? This is all about dual booting when Windows is all you're given and it's encrypted.

The running from a physical partition sounds interesting, but again, I don't know how to unlock the Win partition without actually booting into Windows since it's using Safeboot and I don't know of any Linux method to access Safeboot encrypted drives.

Hence, I've shied away from the Virtual OS setup unless I have to. I'm more comfortable, efficient, and used to Linux. If I could run Linux host and only fire up Win when needed... I'd be in heaven. But my only option is to do it the other way around and thus I hate the idea of living in the Windows environment when I'm actually wanting to use Arch most of the time. Since I can dual boot now and use Linux the majority of the time -- I'd rather just get the most out of my hardware and run straight Linux. When I need to present or use PowerPoint (being sure whatever I send someone will be compatible), I'll boot up Windows and stay there for the rest of the day.

Re. the test... you tested your C2D Linux setup vs. his i5 Win setup? Or what?

I'm now on a new i7 laptop from work and it is unbelievable. The first time I untarred a large file, it blew my mind.

Last edited by jwhendy (2011-04-22 19:12:24)

Kirurgs · 2011-04-22 18:29:12

Yes, we tested i5 Win perf against my Lin box. It was quite fun and surprising results as he said, I knew Lin will be faster then Win on the same box, but I was surprised to see that my box is even faster
Actually it's down to antivirus/fw which checks all the stuff you do and takes a lot of RAM for that, plain Win is quite fast, actually Win7 is quite good for work, Lin is faster as I don't need any of that bloat stuff and even firewall is built in kernel.

I just can't really imagine myself rebooting when need to have one or other. I tend to open stuff I need and leave it there until done (I need quite a lot of it ), reboot would be kinda killer for me, absolute disturbance

Anyhow, I see you're fine with your setup now and that's good

Last edited by Kirurgs (2011-04-22 18:30:28)

jwhendy · 2011-04-22 19:14:52

@Kirurgs: yes, we'll have to see how rebooting treats me. I may not need Win as much as you do, but it's most annoying when someone emails me a request to edit something and I know I'll need PowerPoint vs. LibreOffice and thus I have to reboot. That, indeed, makes me not want to reboot when done as I wonder if something else will come up. That's why I think I'll do most of my stuff in Linux, and if I have to reboot, just stay in Windows.

Mainly it's the shortcuts in Openbox I love. I dual boot at home with a Mac and I hate not being able to define a shortcut for anything I want, which is just fantastic in OB (and pretty much all Linux DEs/WMs). I just replaced the provided Synaptics driver with a new version and now have two finger scrolling -- that just made things a whole lot better.

Arch Linux

#1 2011-04-15 02:59:29

Win 7 dual boot with SafeBoot encryption halfway there!

#2 2011-04-15 03:04:01

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#3 2011-04-15 03:20:58

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#4 2011-04-15 04:38:38

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#5 2011-04-15 06:26:45

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#6 2011-04-15 12:06:08

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#7 2011-04-15 14:15:05

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#8 2011-04-15 15:03:39

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#9 2011-04-15 22:21:17

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#10 2011-04-19 00:03:48

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#11 2011-04-22 09:49:26

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#12 2011-04-22 16:03:56

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#13 2011-04-22 18:29:12

Re: Win 7 dual boot with SafeBoot encryption halfway there!

#14 2011-04-22 19:14:52

Re: Win 7 dual boot with SafeBoot encryption halfway there!

Board footer