Cyril Voisin (aka Voy) on security

Security is not important. Well... as long as your level of security is high enough!

Building a dual boot system with Windows Vista BitLocker protection with TPM support


Updated 2008-05-12: added a step to turn the TPM on before enabling BitLocker. By the way, someone pointed out to me that this post is now referenced by the official BitLocker FAQ on Microsoft's website.

 

Many people have wondered if it would be possible to dual boot a TPM-BitLockered instance of Windows Vista with Linux or another OS. The answer is yes, and the following procedure will hopefully help you set up your machine correctly.

 

Some (simplified) background on Bitlocker:

Bitlocker Drive Encryption allows encryption of Windows Vista's partition and provides a secure startup process when used with a TPM (a crypto chip on the motherboard). Basically the BIOS, the TPM, the MBR and the boot sector collaborate to verify that there has been no modification to the boot sequence since Bitlocker was activated. This is done by using a function of the TPM to compute and store a hash of the code before executing it, at each of the initial steps of the boot sequence. Different hashes are computed and stored in specific registers of the TPM. Then Windows Vista asks the TPM to unseal its volume encryption key, and the TPM only provides this key if its registers are correctly set. Therefore if you replace Windows Vista's MBR with an MBR that is not TPM aware, it won't hash the boot sector before executing it, and a register in the TPM won't be populated. The same applies to the boot sector. Therefore Bitlocker will simply refuse to be enabled.
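The following is an added example (not code from the original post) that models the measured boot and key sealing described above: each TPM-aware stage extends the next stage's hash into a PCR, the key is sealed to the PCR values, and a non-TPM-aware MBR leaves the boot sector's PCR unpopulated so the key cannot be unsealed. The PCR numbers (4 for the MBR, 8 for the boot sector) and the boot code stand-ins are assumptions.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest

def extend(pcr: bytes, code: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA1(old || SHA1(code)). A PCR can only be extended, not set."""
    return hashlib.sha1(pcr + hashlib.sha1(code).digest()).digest()

def measured_boot(chain):
    """Run the boot chain; each TPM-aware stage measures the next one into a PCR
    before handing over. chain: list of (pcr_index, code, tpm_aware).
    The TCG BIOS (assumed) always measures the first stage, the MBR."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(24)}
    measure_next = True
    for pcr_index, code, tpm_aware in chain:
        if measure_next:
            pcrs[pcr_index] = extend(pcrs[pcr_index], code)
        measure_next = tpm_aware  # a non-TPM-aware stage leaves its successor unmeasured
    return pcrs

def seal(key: bytes, pcrs, indices):
    """Bind the key to the current values of the selected PCRs (simplified model)."""
    policy = hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()
    return (tuple(indices), policy, key)

def unseal(blob, pcrs):
    """Release the key only when the selected PCRs match the sealed policy."""
    indices, policy, key = blob
    current = hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()
    return key if current == policy else None

# Constructed stand-ins for boot code; PCR 4 (MBR) and PCR 8 (boot sector) are assumed indices.
VISTA_MBR = b"vista mbr code"
VISTA_BOOT_SECTOR = b"vista ntfs boot sector"
GRUB_MBR = b"grub stage1 mbr, not TPM aware"
VMK = b"volume master key (constructed)"

def chain(mbr: bytes, mbr_tpm_aware: bool):
    return [(4, mbr, mbr_tpm_aware), (8, VISTA_BOOT_SECTOR, True)]

def demo():
    """Seal with the Vista MBR, then try to unseal after GRUB overwrote the MBR."""
    good = measured_boot(chain(VISTA_MBR, True))
    blob = seal(VMK, good, (4, 8))
    tampered = measured_boot(chain(GRUB_MBR, False))
    return (unseal(blob, good), unseal(blob, tampered),
            tampered[8] == bytes(PCR_SIZE))  # PCR 8 was never populated

if __name__ == "__main__":
    print(demo())  # (b'volume master key (constructed)', None, True)
```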

 

The underlying idea here is to have Bitlocker enabled with the original Windows Vista boot files. Another possibility would be to use a TPM-aware version of GRUB. However, this would mean using files in the boot sequence that were not tested by Microsoft, which I would not recommend. Moreover, using original Windows Vista files offers you the benefits of code that went through the Security Development Lifecycle, which I personally find very valuable.

 

Note: I assume that you have a Bitlocker compatible machine (including TPM 1.2, TCG BIOS). See http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_require

 

Step 1 – Install Linux

Note: be sure to leave enough unpartitioned space for Windows Vista: about 11 GB of free unpartitioned space and slots for 2 partitions are needed.

 

Step 2 – Install GRUB on the Linux partition (outside of MBR)

See other post “How to use Windows Vista’s Boot Manager to boot Linux”

 

Step 3 – Get a copy of Linux boot sector

See other post “How to use Windows Vista’s Boot Manager to boot Linux”

 

Step 4 – Create partitions for Windows Vista

We need to create 2 primary NTFS-formatted partitions on the disk: one active, at least 1.5 GB in size, and another larger one (all the remaining space for instance, with a minimum of 8.5 GB). The former will be used to boot the machine (active partition) and will remain unencrypted, while the latter will host Windows Vista and will be encrypted when we activate Bitlocker.

You can use the diskpart tool to do this (available from the Repair options on the Windows Vista DVD). Here is what the instructions may look like:

    select disk 1
    create partition primary size=2048
    active
    create partition primary

 

Step 5 - Install Windows Vista

Install Windows Vista on the largest NTFS partition.

 

Step 6 - Set up Windows Vista Boot Manager to boot Linux

See other post “How to use Windows Vista’s Boot Manager to boot Linux”.

 

Step 7 - Enable TPM in BIOS 

See instructions in your computer's manual. 

 

Step 8 - Enable BitLocker on Windows Vista

See BitLocker documentation, like http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_S3

Comments
  • Interoperability is key today and I have always said the right tool for the right job. At the same time,

  • Cyril Voisin has just started his blog with a very interesting article explaining how to

  • If You are interested in an answer to question "How to dual boot Linux and Vista on BitLocker protected

  • With the adoption of Windows Vista by the corporate and home market, knowing that there are several users

  • What is the relationship between a hard disk's Master Boot Record (MBR) and Bitlocker? One of Bitlocker's functions

  • Another attendee sent me this question. I have dual-boot, Windows XP and Vista my laptop with 2GB RAM

  • I had no idea you could do this, but it turns out that it's possible to dual-boot both Linux and Windows Vista on the same machine while retaining Windows Vista's ability to encrypt disk data using BitLocker. Cyril Voisin's blog...

  • My colleague Cyril Voisin has just published a webcast on configuring a Linux dual boot

  • This week, I received my shiny new work laptop, which I'd been anticipating for some time.  Normally,

  • I have a laptop with C: (Vista) and D: (Data) partitions, both Bitlocker encrypted (so yes, there's a third partition). I've created a 4th partition for Windows 7. Windows 7 installation went well (though it changed my MBR and thus Bitlocker complained a bit).

    Now in Win7, I can only access my Data drive after typing in the Bitlocker key. But apparently, this is only valid as long as you don't reboot or power down. When I follow a wizard to set a Bitlocker password on the Data partition, it seems to warn me that in Vista it won't be accessible anymore.

    How can I get access to my bitlocker protected Data partition from both Vista and Win7?

    Thx,

    Bram de Vries
