Dual boot with Windows/SafeBoot

From ArchWiki
< Dual boot with Windows
Revision as of 19:53, 19 April 2011 by Jwhendy (Talk | contribs) (The Method Proposed)

Jump to: navigation, search

This is a discussion about how to create a dual boot setup with Windows when whole disk SafeBoot (now called McAfee Endpoint Encryption) encryption is employed. This may be the case particularly if one is issued a company laptop that comes pre-installed with Windows and is encrypted. While one can wipe the drive and install a) Linux alone or b) Linux and an unencrypted version of Windows, some sacrifices and risks may exist. For example, company patches and updates may no longer work properly, IT policies may be violated, data is no longer protected, and, if Linux alone is installed, the capability to share files, access company specific intranet applets, and other limitations may be experienced.

This article will explain one method for creating a dual boot setup while leaving the company-installed encryption and operating system intact and fully functional.

Note: This author only has experience with Windows 7 and an account created in the Administrator group. It is unknown whether this works with other versions of Windows or with reduced user privileges.

Why is a solution needed?

The situation of a fully encrypted system is a difficult one because even the MBR is encrypted and SafeBoot uses its encrypted bootloader to load the real partition table and load Windows. Thus, if one attempts to simply partition the disk with [c]fdisk, writing the partition table will render one's system unbootable. Likewise, even if there is a free partition, a) one isn't able to update the partition table with the correct type (which is necessary), b) one can't install the bootloader (e.g. grub) to the MBR, and c) even if one installs the bootloader to the partition instead of the MBR, there is no way to make the system aware that such a bootloader exists via the partition table. It is quite a difficult situation to work with.

Some are content with using live distributions or running Linux from a flash drive; the primary author of this article found such methods frustrating and limiting. There is also quite a lot of discussion about how to get around this situation, [1] [2] [3] and thus an article seemed relevant after a firsthand experience and success.

Alternatives Considered

The primary author of this article has experience with only one successful method, but considered several, including:

  • Trying to create a "live clone" (full system backup while Windows was running) in order to possess a decrypted copy of the OS, wiping the drive, and then reinstalling the OS to a partition encrypted with an opensource encryption system. This may prevent company patches from operating successfully and may violate policies if a company mandates a particular encryption method.
  • Trying to use dd to simply block-copy everything from one disk onto an external drive, wipe the internal drive and re-partition, and then dd the external drive back to the internal, and dd a backup of the SafeBoot MBR back to the internal drive. This seems a bit risky, and also requires that one have another hard drive at least as big as the original encrypted partition.
  • While not really a solution in the dual-boot category, simply running Linux inside of a virtualization program is a perfectly reasonable solution. It is by far the simplest. The primary author simply doesn't like the idea and wanted a fully dual-boot setup, however he does have VirtualBox setup in Windows to avoid excessive reboots if Windows usage is needed heavily for any particular task.

The Method Proposed

In brief, the successful setup used by this author is as follows:

  • Use Windows 7 build in partition editor to partition the drive
    • Partition 1: Windows
    • Partition 2: Linux /boot
    • Partition 3: Linux /
    • Partition 4: TrueCrypt device for shared files
  • Use Partition Wizard HomeEdition to tweak some things
  • Use EasyBCD to add an entry for Arch Linux at boot time
  • Install Arch using System_Encryption_with_LUKS
  • Configure grub
  • Reboot and hold breath
  • Install TrueCrypt on both OSs and create a TrueCrypt volume

Step by Step Walkthrough

Defragment the Windows Partition

If the issued computer is encrypted with SafeBoot, it will likely contain one primary partition where Windows is installed. We need to shrink this partition in order to make space for Linux. To shrink this partition as much as possible, defragmenting is helpful. Windows 7 comes with a built in defragmenting utility, available through the control panel. Open this program and degrag on the primary drive (probably called C:\). Do this several times, if desired.

It may be helpful to use an additional program as well. Wikipedia has a list of various options HERE. The author of this article used Auslogics Disk Defrag, which worked well and had the ability to view what specific files were unmovable.


[1] http://ubuntuforums.org/showthread.php?t=1039401

[2] http://blog.nixpanic.net/2008/06/starting-safeboot-with-grub.html

[3] http://mbrfde.blogspot.com/2008/11/dual-boot-ubuntu-with-safeboot-fde_19.html