Updated 2008-05-12 : added a step to turn the TPM on before enabling BitLocker. By the way, someone made me notice this post is now referenced by the official BitLocker FAQ on Microsoft's website.
Many people have wondered if it would be possible to dual boot a TPM-bitlockered instance of Windows Vista with Linux, or another OS. The answer is yes and the following procedure will hopefully help you setup your machine correctly.
Some (simplified) background on Bitlocker:
Bitlocker Drive Encryption allows encryption of Windows Vista’s partition and provides a secure startup process when in use with a TPM (a crypto chip on the motherboard). Basically the BIOS, the TPM, the MBR and the boot sector will collaborate to help verify that there was no modification to the boot sequence since Bitlocker was activated. This is done by using a function of the TPM to compute and store a hash of the code before executing it, at each of the initial steps of the boot sequence. Different hashes will be computed and stored in specific registers of the TPM. Then Windows Vista will ask the TPM to unseal its volume encryption key and the TPM will only provide this key if its registers are correctly set. Therefore if you replace Windows Vista’s MBR by a MBR that is not TPM aware, it won’t hash the boot sector before executing it and a register in the TPM won’t be populated. Same with the boot sector. Therefore Bitlocker will simply refuse to be enabled.
The underlying idea here is to have Bitlocker enabled with the original Windows Vista boot files. Another possibility would be to use a TPM-aware version of GRUB. However this would imply using files in the boot sequence that were not tested by Microsoft, which I would not recommend. Moreover, using original Windows Vista files offers you the benefits of code that went through the Security Development Lifecycle, which I personally find very valuable.
Note: I assume that you have a Bitlocker compatible machine (including TPM 1.2, TCG BIOS). See http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_require
Step 1 – Install Linux
Note: be sure to leave enough unpartitioned space for Windows Vista: about 11 GB of free unpartitioned space and slots for 2 partitions are needed
Step 2 – Install GRUB on the Linux partition (outside of MBR)
See other post “How to use Windows Vista’s Boot Manager to boot Linux”
Step 3 – Get a copy of Linux boot sector
Step 4 – Create partitions for Windows Vista
We need to create 2 primary NTFS formatted partitions on the disk: one active, 1.5GB size minimum and another larger (all the rest for instance with a minimum of 8.5GB). The former will be used to boot the machine (active partition) and will remain unencrypted while the latter will host Windows Vista and will be encrypted when we activate Bitlocker.
You can use diskpart tool to do this (available from Repair options on the Windows Vista DVD). Here is what the instructions may look like :
· select disk 1
· create partition primary size=2048
· create partition primary
Step 5 - Install Windows Vista
Install Windows Vista on the largest NTFS partition.
Step 6 - Set up Windows Vista Boot Manager to boot Linux
See other post “How to use Windows Vista’s Boot Manager to boot Linux”.
Step 7 - Enable TPM in BIOS
See instructions in your computer's manual.
Step 8 - Enable BitLocker on Windows Vista
See BitLocker documentation, like http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_S3