UPDATE: Due to a WordPress bug, the pictures for this article are all missing from the server. I am quite angry about this, but I'm going to leave the post as-is because the text is still relevant and useful.

While this exercise requires little to no work in the Linux terminal, this is a fairly advanced setup that should not be undertaken by users completely unfamiliar with the process of installing Linux; you could easily get lost and miss a step or enter the wrong option. I will be starting from a blank test system for this tutorial, but it is possible to use an existing Windows installation as long as you leave space for the eventual Ubuntu installation. Ubuntu, however, must be reinstalled; encrypting an existing Ubuntu system is out of the scope of this article. If you need to resize the Windows partition, you can do this from inside Vista (though it may not let you size it the way you want), or you can use an Ubuntu LiveCD. The Alternate install CD also offers to resize partitions, but I did not test this.

From here on out we will assume a blank system, but if you already have a Windows system and some free space, skip the Windows installation section. I will be using VMware to make it easier to document the steps and take screenshots, but it should work as expected on a real system as well.

To start with, the order in which you install these operating systems does not matter, since both the Grub bootloader and the Truecrypt bootloader can boot another operating system on another partition; however, you must install Truecrypt last. We will be installing Windows first here and encrypted Ubuntu second, then using Truecrypt to encrypt the Windows partition and set up the TC bootloader.

You will need:

  • A Windows installation, or a Windows installation disk (NOT a recovery disk)
  • The Ubuntu alternate install CD; we will be using 8.04 here. Older versions do not support easy encryption of root
  • The Truecrypt 6.1a installer for Windows, available on the Truecrypt website

The Windows installation must leave enough space on the rest of the disk for the Ubuntu installation, so we will be putting it at the start of the disk and using half the space.

The partition layout of this test system when we are done will be as follows:

  • 40GB drive
    • 20GB Truecrypt encrypted Windows partition
    • 100MB boot partition
    • 20GB encrypted Ubuntu partition

If you are installing XP like I will be doing, the process is slightly more involved than Vista, but installing either one is not very complicated. Installing Windows is, however, out of the scope of this article; there are plenty of resources to help users install Windows. Just make sure to only use part of the disk during installation and you should be fine.

Once you have Windows installed and booting normally, or if you already had it installed and correctly placed on the disk, you can continue by booting the Ubuntu alternate install CD. There will be screenshots for various steps along the way; if you click them they will (should) open in an overlay box on the page. These are not comprehensive screenshots, however, as there are hundreds of individual screens to go through during this process.

Manual partitioning

Once the installer loads you will see a few basic configuration screens. Go through them and answer the questions until you get to the partition setup screen, then choose the manual option. We can’t select Guided – use entire disk and setup encrypted LVM, because that would erase Windows, so we will be manually setting up the encrypted partition. It would be nice if we could hit an option to use free space to set up encryption, but that option does not exist. It would also be nice if we could manually replicate what the Guided installer does to set up encryption, but that appears to cause a number of problems and appears to force the use of LILO as a bootloader, which is unacceptable (and it failed anyway). This could be expanded to include encrypted swap, but for now I will keep it simple.

Free space

You should see your Windows partition and some free space as shown in the screenshot here; select the free space and hit enter.

Boot partition

Create a new 100MB primary partition at the beginning of the free space (it will ask you these things), set its mountpoint as /boot and set the label to “boot” as shown in the screenshot. You don’t need to set the boot flag, since when we are done the Truecrypt bootloader will be the one the system loads, and it can load Grub directly. We need a separate boot partition because our Linux bootloader doesn’t support encrypted partitions, and therefore the kernel and a small initrd must remain unencrypted. Hit “done setting up partition” and it should return you to the partition list screen.

Encrypted Freespace

Now we create the encrypted root filesystem in the remaining free space, so select it and hit enter. A screen should appear asking you the size of the new partition. The default is to use the entire free space, but if you intend to set up Truecrypt hidden Windows encryption (I won’t be), leave free space at the end of the drive. I believe the free space for hidden system encryption must be at least as large, perhaps twice as large as the original Windows partition. If you don’t need hidden system encryption for Windows, just hit enter to use the default amount, the rest of the disk.

Encrypted partition

The screen that shows the partition options will appear; highlight the “use as” line and hit enter. You will see a list of options; choose “physical volume for encryption”. Leave the encryption options as they are (if you change something, make sure they match the screenshot), and hit “done setting up the partition”.

Configuring encryption

Now you will be back at the partitioning screen, but there is now an option at the top called “Configure encrypted volumes”. Hit enter on that. It will ask you to confirm the partition changes and write them to disk, say yes. It will then ask for the pre-boot authentication password you wish to use.

Encrypted partition

You will then get a new screen that looks just like the partitioner from before, however there is now an Encrypted Volume section with a preconfigured ext3 volume inside it. Select that new ext3 partition and hit enter. Change the volume options so that the mountpoint is now root and the label is “root” as well, then save changes. You should see a layout similar to what is shown here in the screenshot, but basically you have one encrypted volume listed at the top, with an EXT3 volume for root under it. The rest of the partitions should be NTFS, ext3 for /boot and an encrypted partition.

Finish and write the changes to the disk. It may complain about swap; ignore it. What we just did is different than when you select the guided encryption option; however, to avoid numerous problems I encountered in making it all work correctly, I opted to simply omit the LVM part of things and do a simple encrypted root. It would be nice if Ubuntu simply offered the ability to “use free space for encryption”, as that would have made the last few paragraphs irrelevant and saved us all a lot of time. If you need hibernation or swap space, you can modify the setup here to include a normal swap partition; however, doing so would write the contents of RAM to the disk as plaintext, which may be unacceptable to some users.

You then get the screen for the new user name, password etc. Once you enter all those things the system will install the operating system to your new /boot and encrypted root partitions.


Now is the critical part: you do NOT want Grub on the MBR, so tell it no when it asks. You want it on the boot partition, which should be /dev/sda2, or if you only have one hard disk, (hd0,1) should give you the correct location. Grub is tricky with the hd numbering though, so be careful what you let it write over.

The system will not start Grub right now because we haven’t actually changed the boot configuration; all we have done is install Grub to the /boot partition so that it works when we need it later on. Start Windows and install Truecrypt, then start the system encryption process in Windows. If you set aside some free space for a hidden system volume you can also set that up if you like; otherwise just let Truecrypt encrypt Windows for you. It will complain if you tell it you are multi-booting, but that is OK, just tell it you know what you are doing. Tell it you are installing it to the boot drive, that you only have one system drive, and that there is no non-Windows bootloader in the MBR. If you installed Grub to the MBR, this setup will not be able to boot Linux until you fix it by installing Grub to the /boot partition with the Ubuntu LiveCD.

It will want to create a rescue CD and verify it, so burn the image it creates and let it verify the CD. Once you are done verifying the rescue CD, Truecrypt will elect to install the bootloader to make sure things work right before actually encrypting the system, so let it do that and reboot. Assuming the test passed it should encrypt the system, then you can restart and test it.

At the Truecrypt bootloader screen, if you type your password it should load Windows and continue the encryption process. If you enter your password and it loads Grub instead of booting Windows, it means the /boot partition for Ubuntu is flagged as active/boot right now. You can change this from inside Windows if needed by going into the computer management program inside administrative tools. Open the disk management panel, select the Windows partition, right click and select flag as active. That should correct boot behavior to how you expect it to function.

If you hit escape in the Truecrypt bootloader screen, it should allow you to start Grub and then Ubuntu, which will ask you for your password and then continue booting. If it refuses to load Grub, something went wrong in the Grub installation process, and that can be fixed with an Ubuntu LiveCD. If something doesn’t work you can start over, or you can elect to fix the specific problem. The rescue CD Truecrypt forced you to make can decrypt Windows if there is a problem, and the Ubuntu LiveCD can be used to diagnose and fix Grub problems.
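
A diagnostic sketch for the three things that go wrong above (Grub written to the MBR, the wrong partition flagged active, and the /dev/sda2 versus (hd0,1) numbering), added here as an example and not part of the original post. It parses the first 512-byte sector of a disk; the loader marker strings and the sample sector are assumptions constructed for illustration, and the code targets Python 3.

```python
import struct

# Marker strings are assumptions about text each loader embeds in its boot code.
LOADER_MARKERS = {"TrueCrypt": b"TrueCrypt Boot Loader", "GRUB": b"GRUB"}
PART_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x82: "Linux swap", 0x83: "Linux"}


def inspect_boot_sector(sector, disk="hd0", dev="/dev/sda"):
    """Identify the boot code in a 512-byte MBR and list its primary partitions."""
    if len(sector) < 512:
        raise ValueError("need the full 512-byte first sector")
    boot_code, table = sector[:446], sector[446:510]
    loader = next((name for name, marker in LOADER_MARKERS.items()
                   if marker in boot_code), "unknown")
    parts = []
    for i in range(4):
        # Entry layout: status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", table, i * 16)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "linux_name": "%s%d" % (dev, i + 1),   # 1-based, e.g. /dev/sda2
            "grub_name": "(%s,%d)" % (disk, i),    # Grub legacy is 0-based: (hd0,1)
            "type": PART_TYPES.get(ptype, hex(ptype)),
            "active": status == 0x80,
            "start_lba": lba,
            "size_mb": count * 512 // 2**20,
        })
    return {"valid": sector[510:512] == b"\x55\xaa", "loader": loader,
            "partitions": parts}


def build_sample_mbr():
    """Constructed sample matching the tutorial's layout (not a real disk dump)."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3xB3xII", status, ptype, lba, count)
    code = b"\xeb\x3c TrueCrypt Boot Loader\r\n".ljust(446, b"\x00")
    table = (entry(0x80, 0x07, 63, 40960000)          # Windows, flagged active
             + entry(0x00, 0x83, 40960063, 204800)    # 100MB /boot holding Grub
             + entry(0x00, 0x83, 41164863, 40755200)  # encrypted Ubuntu root
             + bytes(16))                             # fourth slot unused
    return code + table + b"\x55\xaa"


if __name__ == "__main__":
    report = inspect_boot_sector(build_sample_mbr())
    print("MBR boot code:", report["loader"])
    for part in report["partitions"]:
        print(part)
```

On a real system, pass the first 512 bytes of the disk read as root; a healthy result for this setup is the Truecrypt loader in the MBR with the Windows partition active. Feeding it the first sector of the /boot partition instead shows whether Grub actually landed there.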

Post a comment if you need help and I may be able to assist. The Ubuntu forums and Truecrypt Forums are also great places to ask questions and get help.