
#1 2016-10-03 07:22:51

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

DualBoot Dilemma

Since I'll be the owner of a new-used laptop before long, I've been looking into a dualboot setup with win7 with a shared data partition, something that is of course trivial for a non-portable desktop machine, but becomes problematic when you introduce encryption into the mix in case the machine is stolen, left on a train, etc., etc.

I've been pondering how best to deal with this using bunsen, and the encryption seems to be a roadblock, at least getting the operating systems to talk to each other without installing things from outside the debian ecosystem does.  TrueCrypt has some issues that have been identified, otherwise that's the obvious solution  for Windows, and I can even mount the shared partition using cryptsetup.

The obvious "fix" is to move on to VeraCrypt instead, where the security issues are addressed, but that leaves me needing the version of cryptsetup from stretch to access the shared volume, and it's not in backports.  I suppose I could take a swing at backporting it myself locally, but that'll leave my system with a completely untried backport being absolutely critical to it even booting (encrypted lvm), I'm not sure if I'm brave enough to run that way.

I suppose I could switch my sources to Stretch/Sid and deal with what that breaks to get myself a solution that has had at least some testing, but I rather like the reliability of stable.

The other option I've considered is backporting dislocker from stretch, and turning on bitlocker in Windows, for the system and shared partitions, dislocker wouldn't be critical to booting the way cryptsetup is, would probably be lots easier to backport too, since it's only a little thing, but will cost in that I'd have to upgrade from 7 pro to (minimum) ultimate, or downgrade to 8 or 10.  The cost there annoys me more than "Trusting Microsoft" for my windows encryption, if I had concerns re backdoors for 3 letter agencies, I'd quit using Windows, after all they could put two dozen backdoors in to leak everything when the system is running, you either have to trust them, or treat any computer running windows the same way you would if that 3 letter agency had had it in their possession.

Anyhow, at present I can't decide which way to jump, wasn't for a few things that I use pretty much all the time which simply won't run satisfactorily under Linux, or WINE, I'd set up without Windows, of course there's VirtualBox, but that means running 2 operating systems concurrently most of the time, to have those programs up and running... not good for battery life, even though win95c would do to run them under, they're really old, but no native replacements for linux.

Last edited by Bearded_Blunder (2016-10-03 09:07:09)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#2 2016-10-03 08:56:05

earlybird
ほやほや
Registered: 2015-12-16
Posts: 717
Website

Re: DualBoot Dilemma

Something very simple: Encrypt the data partition using LUKS.

On Linux, use cryptsetup to access the encrypted block device as usual. Under Windows, configure a headless Linux VM with a minimal Linux distro (Ubuntu server, puppy, antix,...) and pass the disk/partition through from Windows to the VM (you need to find out how to by yourself--pretty sure there's a way). Inside that VM, automount that disk using cryptsetup and export it using  a SAMBA or NFS server. Automount that network share under Windows and you're done. Connect the Windows VM via NAT or bridging with the Windows host.

There's also a LUKS engine for Windows https://github.com/t-d-k/LibreCrypt (beta/testing only).

Frankly, what would probably be the best would be using vmesxi or xen to have Linux and Windows run at the same time in parallel, concentrate data storage on the Linux system which handles the encryption and access that storage using NFS or SAMBA. But this is more complex.

Virtualbox is IMO crap.

Offline

#3 2016-10-03 09:52:18

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: DualBoot Dilemma

I had looked at LibreCrypt, didn't fancy running with driver signing off, because I'd be running 64bit. Hadn't thought of using a vm to do a network share, though it would work I guess, giving a vm raw disk access from windows is something I've done before, somewhat of a chore to get working but not insurmountable. Auto-starting a VmPlayer machine with windows I've done before too (the raw disk access feature being more reliable and faster than with VBox, though I seem to remember having to edit the machine file in notepad to enable it, not accessible through the UI). Best pass-thru disk access I've actually used was with Microsoft VirtualPC, but that doesn't play very nice with Linux.

ESXi is great for running parallel machines, but not much use for using them unless you've a second machine to access them from, unless you know something I don't about that. Not sure about xen, never got very far with it.

If I could get something that mounts automatically and soon enough in Windows, was thinking of redirecting the Documents, Downloads, and some other folders to the data drive, so I wouldn't need the system partition mounted or decrypted.  Not sure how well those sorts of "roaming profile/redirected folder" games would work when the "server" didn't come up till after logon though.

Extra work on the setup up-front will doubtless pay off in improved useability later.  You've given me food for thought though.



Offline

#4 2016-10-04 15:38:33

MsMattie
Member
Registered: 2015-09-29
Posts: 89

Re: DualBoot Dilemma

The absolute simplest solution - a self-encrypting-drive (SED). I won't even buy an SSD now unless it is capable of this. All of the SSD reviews concentrate on the small differences in speed, as if one would even notice this in real-world use. To me, the SED feature is an absolute requirement.


...
Linux in the backwoods of the Rocky Mountains...

Offline

#5 2016-10-05 01:54:35

stevep
MX Linux Developer
Registered: 2016-08-08
Posts: 373

Re: DualBoot Dilemma

I'm interested in backporting Veracrypt 1.18a.  Does it have a hard build-dependency against that library in Stretch, or is the Jessie library buggy or something?  Veracrypt 1.17 didn't have any trouble with building on Jessie:

https://build.opensuse.org/package/show … /veracrypt

It might even have built on that Wheezy virtual machine, but I was too lazy to throw the wxgtk-3.0 from wheezy-backports into the pot.

Offline

#6 2016-10-09 23:20:35

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: DualBoot Dilemma

stevep wrote:

I'm interested in backporting Veracrypt 1.18a.  Does it have a hard build-dependency against that library in Stretch, or is the Jessie library buggy or something?  Veracrypt 1.17 didn't have any trouble with building on Jessie:

Doubt there's any problem at all packaging VeraCrypt 1.18 (the a update not being applicable to Linux) it installs just fine, if you're prepared to install unpackaged software.. every time someone posts an ITP with Debian, the stuffed shirts refuse to accept it, even in non-free, apparently the licensing is an issue.

It's not the only software I wish was in the repos for simplicity's sake, SeaMonkey also springs to mind.

However, I've proved (in a VM) that cryptsetup from Stretch can be backported, which gives me VeraCrypt support in BL, so I'll probably go for that for Windows, saves me switching Windows versions.  Though if I did switch, dislocker and bitlocker would also work, dislocker also backported successfully in a VM, but the mounting process for VC volumes is easier.

Now in the long process of installing Win7 clean, and grabbing all the updates etc, once that's configured, BL will go on, I may end up posting in help and support when it does depending how much trouble it gives me, I'm expecting some, the touchscreen was doing crazy stuff in the live session.



Offline

#7 2016-10-10 06:32:40

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: DualBoot Dilemma

Bearded_Blunder wrote:

every time someone posts an ITP with Debian, the stuffed shirts refuse to accept it, even in non-free, apparently the licensing is an issue.

If I may clarify this point...

The relevant link here is https://bugs.debian.org/cgi-bin/bugrepo … bug=814352

A package was submitted to Debian and can be downloaded from here:
http://packages.sunweavers.net/debian/p … veracrypt/

The package was rejected for this specific reason:

>> According to [1] "(...)TrueCrypt seems to be reserving the right to sue
>> any licensee for copyright infringement, no matter whether they comply
>> with the conditions of the license or not. Based on this, our counsel
>> advised that above and beyond being non-free, software under this
>> license is not safe to use. (...)"
>>
>> So as Veracrypt is basically licensed with the TrueCrypt license, I think
>> it is better for Debian to not distribute such software, even in non-free.

I agree with Debian's decision in respect of this matter smile

  1. https://lists.freedesktop.org/archives/ … 00276.html


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.


Offline

#8 2016-11-04 19:00:09

KrunchTime
Member
Registered: 2015-09-29
Posts: 857

Re: DualBoot Dilemma

MsMattie wrote:

The absolute simplest solution - a self-encrypting-drive (SED). I won't even buy an SSD now unless it is capable of this. All of the SSD reviews concentrate on the small differences in speed, as if one would even notice this in real-world use. To me, the SED feature is an absolute requirement.

But you don't need to encrypt the whole hard drive.  You just need an encrypted partition/file to store the files you want to keep safe.  In a corporate environment, having the whole hard drive encrypted is necessary because not everyone can be trusted to keep sensitive stuff in a separate encrypted partition/file.

Offline

#9 2016-11-04 21:44:40

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: DualBoot Dilemma

I went with VeraCrypt for Windows and the shared data partition, and backporting cryptsetup from Stretch to access the shared data from the LUKS/LVM encrypted bunsen install.

I was going to write the process up, end-to-end, however the version of cryptsetup in Stretch got bumped, and it's no longer the simple backport it was, so anyone trying to duplicate what I did would come unstuck.. as such I deemed it better not to detail the process.

Particularly as I'm not adept enough to actually backport what's in Stretch NOW ops

I may yet, for convenience install VeraCrypt in bunsen, though I really prefer avoiding unpackaged software direct from upstream where possible.



Offline
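
Added example (not part of the thread, and not any poster's own procedure): the approach settled on in post #9, opening the VeraCrypt-formatted shared partition with cryptsetup, guarded by a check that the installed cryptsetup is new enough to have `--veracrypt`. The 1.6.7 threshold is taken from upstream cryptsetup release notes; the function names, device, mapping name and mount point are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: cryptsetup gained the
# --veracrypt option for its tcrypt mode in release 1.6.7 (upstream notes).
MIN_VERACRYPT=1.6.7

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f1=${f1%%[!0-9]*}    # leading field, digits only
        f2=${v2%%.*}; f2=${f2%%[!0-9]*}
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0                               # all fields equal
}

# supports_veracrypt [BANNER]: BANNER is the output of `cryptsetup --version`
# (e.g. "cryptsetup 1.7.3"); when omitted, the installed binary is queried.
supports_veracrypt() {
    banner=${1:-$(cryptsetup --version 2>/dev/null)}
    ver=$(printf '%s\n' "$banner" | awk 'NR == 1 { print $2 }')
    [ -n "$ver" ] && version_ge "$ver" "$MIN_VERACRYPT"
}

# open_shared_volume DEVICE NAME MOUNTPOINT (run as root).
# Refuses to touch the device when cryptsetup cannot read VeraCrypt headers,
# so a too-old cryptsetup fails loudly instead of with a passphrase error.
open_shared_volume() {
    dev=$1 name=$2 mnt=$3
    if ! supports_veracrypt; then
        echo "cryptsetup older than $MIN_VERACRYPT: no --veracrypt" >&2
        return 1
    fi
    cryptsetup open --type tcrypt --veracrypt "$dev" "$name" &&
        mount "/dev/mapper/$name" "$mnt"
}

# Placeholder invocation; substitute the real shared partition:
#   open_shared_volume /dev/sdXN shared /mnt/shared
```
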

#10 2016-11-04 23:00:30

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: DualBoot Dilemma

Bearded_Blunder wrote:

I may yet, for convenience install VeraCrypt in bunsen, though I really prefer avoiding unpackaged software direct from upstream where possible.

Forum member @stevep has a custom repository for that:

http://forums.debian.net/viewtopic.php?f=16&t=130067

smile



Offline
