AN06: Windows and Linux dual booting with encryption
Full-disk-encrypted dual booting of Windows and Linux is fairly easy on a UEFI system, but there are several things the user has to take care of.
In this application note, we assume Windows is already installed and protected by BitLocker.
The following two points are very important:
- Turn off Fast Startup (fast boot) in Windows.
- Suspend BitLocker protection.
Fast Startup does not shut Windows down completely. It saves the internal state of Windows to the file system and skips part of the initialization at the next boot to speed it up. While Windows is parked in that state, the co-installed Linux may accidentally alter the file system underneath it, which corrupts that saved state. Thus, Fast Startup has to be turned off.
BitLocker not only encrypts the system volume but also checks whether the boot mechanism has been interfered with by a third party. Thus, if a user installs Linux alongside Windows, BitLocker detects the change of the boot mechanism (by GRUB) and asks the user to type the recovery key at the next boot. To avoid this lockout, the user should suspend BitLocker during the installation of Linux; while suspended, the volume stays encrypted but the boot-chain check is disabled.
For the details of BitLocker, see the BitLocker recovery guide by Microsoft.
The procedure is:
- Turn off Fast Startup (fast boot) in Windows.
- Suspend BitLocker in Windows.
- Install Linux with full disk encryption using Kaiten-yaki.
- Resume BitLocker protection in Windows.
For the full disk install by Kaiten-yaki, the user needs to take care of the custom partition encryption: the LUKS volume must be created on the new partition next to Windows, not on the whole disk. See AN04: How to make LUKS volume to the favorite partition.
In this section, we walk through an example installation of Linux alongside an existing Windows. Note that the user should read INSTALL.md carefully before executing the following procedure.
We assume the system has an NVMe storage device. The layout of the Windows partitions is shown below:
Partition | Description | Size | Comment |
---|---|---|---|
/dev/nvme0n1p1 | EFI system partition | 100MiB | |
/dev/nvme0n1p2 | MS reserved partition | 16MiB | |
/dev/nvme0n1p3 | Windows partition | 59GiB | BitLocker |
/dev/nvme0n1p4 | Windows recovery (not confirmed) | 550MiB | |
We assume there is enough unallocated space after the above partitions.
First of all, as explained above, do the following in Windows:
- Turn off Windows Fast Startup (fast boot)
- Suspend BitLocker
Then shut down Windows.
Now boot Linux from a live CD/USB and create a new partition after the above partitions with GParted. The new partition will be named /dev/nvme0n1p5. Any file system is OK for this new partition, because it will be reformatted as a LUKS volume later anyway. Do not touch the existing Windows partitions.
Next, download Kaiten-yaki and edit config.sh. The most important parameters are the following four:
```sh
export DEV="/dev/nvme0n1p"
export CRYPTPARTITION=5
export ERASEALL=0
export OVERWRITEINSTALL=0
```
DEV and CRYPTPARTITION together must match the name of the new partition created by GParted (here /dev/nvme0n1p5). This partition will be formatted as a LUKS volume, so double-check the number: pointing it at /dev/nvme0n1p3 would destroy the Windows volume. ERASEALL and OVERWRITEINSTALL must be 0, otherwise the existing partitions are not preserved.
After saving config.sh and quitting the editor, run the following command to set the parameters as environment variables:
```sh
source config.sh
```
The last step before installation is to format the LUKS partition. Run the following command:
```sh
cryptsetup luksFormat --iter-time "${ITERTIME}" --type=luks1 "${DEV}${CRYPTPARTITION}"
```
This command formats /dev/nvme0n1p5 as a LUKS volume and prompts the user for the passphrase. Keep --type=luks1 as shown; it is the format the rest of the Kaiten-yaki procedure expects.
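Because the luksFormat step above is irreversible, a pre-flight check between `source config.sh` and `cryptsetup luksFormat` is worth having. The following POSIX shell script is an added example and is not part of Kaiten-yaki. It assumes config.sh exports DEV, CRYPTPARTITION, ERASEALL, OVERWRITEINSTALL and ITERTIME as used on this page; the function names are this example's own. The BitLocker check relies on the fact that a BitLocker-encrypted volume carries the OEM ID `-FVE-FS-` at offset 3 of its first sector (a plain NTFS volume carries `NTFS    ` there); regular files are accepted in addition to block devices purely so the check can be exercised on a constructed sector image without a real disk.

```sh
#!/bin/sh
# Added example (not part of Kaiten-yaki): pre-flight checks before the
# cryptsetup luksFormat step of this application note. Assumes the variables
# exported by `source config.sh`; the signature check and the regular-file
# acceptance in check_target are assumptions of this example.

# check_config DEV CRYPTPARTITION ERASEALL OVERWRITEINSTALL
# Returns 0 when the four config.sh parameters are sane for a dual-boot install.
check_config() {
    dev="$1" part="$2" eraseall="$3" overwrite="$4"
    [ "$eraseall" = "0" ] || { echo "ERASEALL must be 0 (1 would wipe the whole disk, Windows included)" >&2; return 1; }
    [ "$overwrite" = "0" ] || { echo "OVERWRITEINSTALL must be 0 for a dual-boot install" >&2; return 1; }
    case "$part" in ''|*[!0-9]*) echo "CRYPTPARTITION must be a partition number" >&2; return 1 ;; esac
    case "$dev" in /dev/*) ;; *) echo "DEV must be a /dev path such as /dev/nvme0n1p" >&2; return 1 ;; esac
    return 0
}

# volume_signature PATH
# Prints the 8-byte OEM ID at offset 3 of the first sector. A BitLocker-encrypted
# volume carries "-FVE-FS-" there, a plain NTFS volume "NTFS    ". Only printable
# bytes are echoed, so an all-zero sector yields an empty string.
volume_signature() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null | LC_ALL=C tr -cd '[:print:]'
}

# is_bitlocker_volume PATH : true if PATH starts like a BitLocker volume.
is_bitlocker_volume() {
    [ "$(volume_signature "$1")" = "-FVE-FS-" ]
}

# check_target PATH
# Refuses to proceed if PATH is mounted or looks like a BitLocker volume, i.e.
# if DEV/CRYPTPARTITION accidentally points at the Windows partition instead of
# the new partition made with GParted. Regular files are accepted alongside
# block devices so the check can be exercised on a constructed sector image.
check_target() {
    t="$1"
    [ -b "$t" ] || [ -f "$t" ] || { echo "$t: not a block device" >&2; return 1; }
    if grep -qs "^$t " /proc/mounts; then
        echo "$t is mounted; refusing to format it" >&2; return 1
    fi
    if is_bitlocker_volume "$t"; then
        echo "$t is a BitLocker volume; this is the Windows partition, not the new one" >&2; return 1
    fi
    return 0
}

# safe_luksformat
# Runs both checks and only then formats the target exactly as the note does.
# Needs root and the variables exported by `source config.sh`.
safe_luksformat() {
    check_config "$DEV" "$CRYPTPARTITION" "$ERASEALL" "$OVERWRITEINSTALL" || return 1
    check_target "${DEV}${CRYPTPARTITION}" || return 1
    cryptsetup luksFormat --iter-time "${ITERTIME}" --type=luks1 "${DEV}${CRYPTPARTITION}"
}
```

Usage: save the script next to config.sh, `source config.sh`, then `. ./preflight.sh && safe_luksformat` as root. The checks only catch the two mistakes this note is most exposed to (destructive flags and a wrong partition number landing on the BitLocker volume); they do not replace reading the GParted output carefully.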
Now we are ready to install. Run the following command (Ubuntu):
```sh
source ubuntu-kaiten-yaki.sh
```
Or run the following command (Void Linux):
```sh
source void-kaiten-yaki.sh
```
Everything else is the same as a usual installation with Kaiten-yaki.
After rebooting the system, if everything is OK, start Windows and resume BitLocker protection (it was only suspended, not removed, so no re-encryption is needed). Note that any later change to the boot chain, such as reinstalling GRUB, may again trigger the recovery-key prompt unless BitLocker is suspended first.
Now Windows and Linux are protected by BitLocker and LUKS, respectively.