Post 9lfPrreqnJMuEdKDqa by kev@fosstodon.org
 (DIR) Post #9lemVY8EoZ3z5pRIwq by kev@fosstodon.org
       2019-08-07T22:32:52Z
       
       0 likes, 1 repeats
       
       Question: I’m thinking about making some changes to my desktop where SSD1 has Ubuntu and SSD2 has Win10, dual booting. I’d like to encrypt both OS, can that be done and still dual boot? I imagine it’s as simple as creating a small /boot partition on one of the disks and not encrypting it, but I’ve never done this before, so thought I’d check with you guys. Thanks!
       
 (DIR) Post #9lems3YMffqYupOMqW by lightweight@mastodon.nzoss.nz
       2019-08-07T22:35:30Z
       
       0 likes, 0 repeats
       
       @kev with Linux, typically there's an unencrypted boot partition that only holds the kernel and the initrd image... Not sure what you'd get with Windows as I don't do them :)
       
 (DIR) Post #9lemuN5d0QQG5P3S2y by louwestin@fosstodon.org
       2019-08-07T22:36:03Z
       
       0 likes, 0 repeats
       
       @kev I know for certain you have to install Windows first since it’ll overwrite the Grub Loader.
       
 (DIR) Post #9len5CYYVdG4bQkWnI by m4iler@infosec.exchange
       2019-08-07T22:39:40Z
       
       0 likes, 0 repeats
       
       @kev Dunno about windaz, but Linux lets you install with encrypted LVM. In that case, the /boot partition is unencrypted and lets you decrypt the rest of the drive. As for encrypting on an installed system, see eCryptFS: https://wiki.archlinux.org/index.php/ECryptfs I believe there is a way to encrypt an installed setup with dm-crypt, but I'm on sleepybrain and can't remember. Since the encryption happens post-GRUB, there should be no issues dual-booting.
       
 (DIR) Post #9len7AfWUxK1KMwoam by m4iler@infosec.exchange
       2019-08-07T22:40:02Z
       
       0 likes, 0 repeats
       
       @kev decryption*, my bad.
       
 (DIR) Post #9lenKfN1f4rAJNjMSu by m4iler@infosec.exchange
       2019-08-07T22:42:28Z
       
       0 likes, 0 repeats
       
       @kev One more thing, I'd update GRUB in case your UUID changes, but this may only be my sleep-brain freaking out.
       
 (DIR) Post #9leoZDwvzfZPZ723LU by yojimbo@hackers.town
       2019-08-07T22:41:57Z
       
       0 likes, 0 repeats
       
       @lightweight @kev This is the purpose of the UEFI secure boot, so that you can have an unencrypted boot system (you have to have something unencrypted in order to do anything) and also have assurance that it hasn't been tampered with. This is actually the cornerstone of encryption - you have to reveal your keys in order to decrypt, and you have to have assurance that the thing you're typing your keys into isn't evil. https://askubuntu.com/questions/880240/it-is-possible-to-dual-boot-linux-and-windows-10-with-secure-boot-enabled has some info you might like, I haven't done this myself because I don't think dual boot is a sensible thing to have ever.
       
 (DIR) Post #9leoZEGQpBAMXa9cjg by yojimbo@hackers.town
       2019-08-07T22:45:57Z
       
       0 likes, 0 repeats
       
       kev@fosstodon.org So dual boot is a bad thing in many ways ... For a start, many people have significant state in their running session (tabs open, programs in flight) and you have to get rid of all of that in order to boot to another OS. If you have been in one OS for the majority of your time, the other OS isn't getting security updates. So as soon as you switch to use it, it becomes unresponsive catching up with updates (much more intrusive with Windows than with Linux, but bad on both). If you don't apply the updates, you're operating an out-of-date machine probably on the Internet, so you're in trouble ... It's very difficult to share a partition between the two systems, so you have no shared resources on that machine. You're much much better off looking at dedicated machines, or VMs. They have their own issues of course.
       
 (DIR) Post #9leoZEZZg0TjUx6uZc by kev@fosstodon.org
       2019-08-07T22:55:54Z
       
       0 likes, 0 repeats
       
       @yojimbo I’m aware of the limitations of dual booting, but it’s a requirement I have for various reasons. I’ve considered a VM also, and may still go down that route, but bare metal installs obviously perform better in most cases.
       
 (DIR) Post #9leoor3UshaBC4YTbc by piggo@piggo.space
       2019-08-07T22:59:08.032160Z
       
       0 likes, 0 repeats
       
       @kev I have unencrypted grub and /boot, and on another ssd windooz. It works just fine.. I really care about someone not reading my data, not so much about adversaries hacking me, so I'm ok with the downsides of this setup.. always have windows on a separate disk tho, it has a thing for destroying grub and such. I have grub on the Linux disk
       
 (DIR) Post #9leovzlksjc6FKf3xI by yojimbo@hackers.town
       2019-08-07T22:59:54Z
       
       0 likes, 0 repeats
       
       @kev I have difficulty getting desktop VMs to be performant. I have a machine at home whose main purpose is playing Elite:Dangerous, so it was Win10. I have tried setting it up to do real work as well, but nothing has ever been satisfactory. WSL is awful, VMs are inconvenient, native apps only get you so far ... Cygwin/X is a help, but not enough. I think WSL might be better these days, but I want to expose audio and network to it, and these have never worked. Possibly WSL has better network these days because they claim to have Kali working, but I'd be surprised.
       
 (DIR) Post #9leozy8yroMQMbQ5JI by sheogorath@microblog.shivering-isles.com
       2019-08-07T23:00:02Z
       
       0 likes, 0 repeats
       
       @kev Yes, both encrypted is no problem. The bootloader for Linux is loaded from an unencrypted partition and decryption is handled afterwards by the kernel. (So no worries about the bootloader here). When you boot Windows your bootloader simply loads the Windows bootloader which is also not encrypted and decryption is handled by the Windows OS during boot. So there is no problem from a boot perspective but maybe the tooling around encryption will be a bit annoying during install.
       
 (DIR) Post #9lf60xN4vJWLTg4QpU by jordan31@fosstodon.org
       2019-08-08T02:11:23Z
       
       0 likes, 0 repeats
       
       @kev Keep us updated on the encrypted Windows install. As I have yet to encrypt my windows HDD or even know how since it offers no options on a home user edition. But as others said, /boot is unencrypted on linux ssd, everything else is encrypted. I'm sure you can set it up like this (with grub on linux ssd) to decrypt the windows ssd. The only way to get real performance out of a vm would prob be with hardware passthrough.
       
 (DIR) Post #9lfJvJEu6VXkvBRr1s by syme@masto.nixnet.xyz
       2019-08-08T04:47:10Z
       
       0 likes, 0 repeats
       
       @kev I run Debian on my SSD and w10 on my HDD. Both with full drive encryption. I have not touched any partition at all. Debian offers to encrypt with LUKS while you install, and you should do it at install because doing it later is hard. And bitlocker for w10 can be turned on whenever. It's really easy, no actual thinking was required, exactly as I want it.
       
 (DIR) Post #9lfNPuInAavkQ3Y50C by pcrock@fosstodon.org
       2019-08-08T05:26:47Z
       
       0 likes, 0 repeats
       
       @jordan31 I dual-boot Windows and Manjaro. Windows is Home edition, so the way I got that partition encrypted is with Veracrypt instead of Bitlocker. The Manjaro installer allowed me to also encrypt the /boot partition as well. I have to enter my password at a very primitive-looking password prompt before GRUB loads. Not 100% certain how it works. When I boot to Windows, I just use my laptop's built-in boot menu (F12) to jump straight to the Veracrypt bootloader, bypassing GRUB. @kev
       
 (DIR) Post #9lfPkkL5bgWjVdgiJs by kev@fosstodon.org
       2019-08-08T05:52:35Z
       
       0 likes, 0 repeats
       
       @syme ah nice, that’s reassuring, thanks!
       
 (DIR) Post #9lfPrreqnJMuEdKDqa by kev@fosstodon.org
       2019-08-08T05:53:53Z
       
       0 likes, 0 repeats
       
       @jordan31 I’ll keep you guys updated.
       
 (DIR) Post #9lftQQK7JQCmGUSUIi by uwehermann@fosstodon.org
       2019-08-08T11:25:12Z
       
       0 likes, 0 repeats
       
       @louwestin @kev Yeah, but you can simply reinstall grub again afterwards, it's a bit inconvenient but not too big of a problem.
       
 (DIR) Post #9lgPxkCvbNEk1X1oie by murtezayesil@fosstodon.org
       2019-08-08T17:29:36Z
       
       0 likes, 0 repeats
       
       @kev I believe that the challenge you are facing is not getting systems to be encrypted but getting GRUB to recognize encrypted Windows install in order to get it on GRUB menu. If it is so, I would recommend you to use UEFI's boot manager (probably triggered with F12 or another F-key) and keep GRUB only for Linux. This will also overcome "Windows is messing up GRUB" issue. I have Pop!_OS on SSD which is encrypted with LUKS during install. Windows on HDD unaware of Pop!_OS install.