Update – Apparently this is now possible according to Jason Gouger who gave a method in the comments below.
Recently I decided that walking around with my documents and work unencrypted on my MacBook Pro was possibly a bad idea. If it was stolen, the thieves would have access to everything simply by connecting the hard drive to another machine. To alleviate these concerns, I started to look at the disk encryption options available to me.
On the MacBook I obviously run Mac OS X, which I recently upgraded to Lion. With Lion comes an upgrade to the built-in encryption offered by the OS. Previously, FileVault, the built-in encryption system, only offered encryption of the user’s home folder. However, with Lion, FileVault 2 now encrypts the entire partition.
9 hours later, my OS X partition was fully encrypted. Here’s where I began to run into issues. As well as Mac OS X, I also use Boot Camp to allow me to boot a native Windows 7 install. FileVault is quite tightly tied to HFS+ so although you can encrypt your OS X partition, your Windows NTFS partition remains unencrypted.
My initial reaction was to think I could just use TrueCrypt to encrypt the Windows partition. However, TrueCrypt expects the Windows partition to be the first on the drive, which is not the layout in place after setting up Boot Camp. By default, the EFI partition is first, followed by the OS X partition and its “Recovery” partition, and then finally the Windows partition. Windows’ built-in BitLocker encryption faces the same issue as TrueCrypt, requiring the Windows partition to be the first on the drive.
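Before trying either TrueCrypt or BitLocker, it is worth confirming the partition order described above on the actual machine rather than assuming it. The following script is an added example, not code from the original post: it parses the text printed by `diskutil list` (a constructed, illustrative sample is embedded so it runs offline) and reports the partition table type, where the Windows partition sits, and whether the OS X partition shows as `Apple_CoreStorage`, which is assumed here to be how a FileVault 2 encrypted volume appears on Lion. The `ENTRY_RE` layout, the `MULTI_WORD_TYPES` list and the function names are this example's own assumptions about the output format.

```python
import re
from typing import Dict, List

# Constructed sample of `diskutil list` output for a Lion-era Boot Camp Mac
# after FileVault 2 has been turned on: EFI first, then the OS X volume
# (assumed to show as Apple_CoreStorage once FileVault 2 wraps it), then
# Recovery HD, then the NTFS Boot Camp partition in fourth place.
# This text is illustrative and was not captured from a real machine.
SAMPLE_DISKUTIL_LIST = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         399.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:       Microsoft Basic Data BOOTCAMP                100.0 GB   disk0s4
"""

# TYPE values that diskutil prints with embedded spaces (assumed list);
# any other TYPE is taken to be a single token followed by an optional name.
MULTI_WORD_TYPES = ("Microsoft Basic Data", "Microsoft Reserved", "Windows Recovery")

# index:  TYPE [NAME]  SIZE  IDENTIFIER   (size may carry a leading '*')
ENTRY_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+(\*?\d+(?:\.\d+)?\s+[KMGT]B)\s+(\S+)\s*$")


def parse_diskutil_list(text: str) -> List[Dict[str, object]]:
    """Turn `diskutil list` output into dicts of index, type, name, size, identifier."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # device header, column header or blank line
        index, type_and_name, size, identifier = match.groups()
        for known in MULTI_WORD_TYPES:
            if type_and_name.startswith(known):
                ptype, name = known, type_and_name[len(known):].strip()
                break
        else:
            parts = type_and_name.split(None, 1)
            ptype, name = parts[0], (parts[1] if len(parts) > 1 else "")
        entries.append({"index": int(index), "type": ptype, "name": name,
                        "size": size, "identifier": identifier})
    return entries


def assess_layout(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Check the preconditions discussed in the post against the parsed layout."""
    scheme = next((e["type"] for e in entries if e["index"] == 0), "unknown")
    windows = [e for e in entries if e["type"] in ("Microsoft Basic Data", "Windows_NTFS")]
    windows_index = windows[0]["index"] if windows else None
    return {
        "scheme": scheme,
        "gpt": scheme == "GUID_partition_scheme",           # needed by OS X / FileVault
        "windows_index": windows_index,
        "windows_is_first": windows_index == 1,              # needed by TrueCrypt / BitLocker
        "os_x_core_storage": any(e["type"] == "Apple_CoreStorage" for e in entries),
    }


def describe(result: Dict[str, object]) -> str:
    """Human-readable summary of the assessment."""
    lines = [f"partition scheme: {result['scheme']} (GPT: {result['gpt']})"]
    if result["windows_index"] is None:
        lines.append("no Windows partition found")
    else:
        lines.append(f"Windows partition is #{result['windows_index']}; "
                     f"first on disk: {result['windows_is_first']}")
    lines.append(f"OS X volume wrapped in CoreStorage: {result['os_x_core_storage']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(assess_layout(parse_diskutil_list(SAMPLE_DISKUTIL_LIST))))
```

On the sample layout the script reports a GPT disk whose Windows partition is fourth, i.e. exactly the arrangement that rules out TrueCrypt and BitLocker system encryption as the post describes. To run it against a real machine, pipe `diskutil list /dev/disk0` into `parse_diskutil_list` instead of the embedded sample.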
After looking into this issue online, I found a tutorial which provided a method for getting Windows installed on the first partition of the drive, allowing the use of TrueCrypt. The issue with this method is that it requires using the MBR partition table instead of the newer GPT partition table used by OS X. Without the GPT partition table, OS X will refuse to install on the drive, and even after you coerce it by manually writing an image, you then cannot enable FileVault as it requires the GPT partition table.
Another option I considered was Symantec’s PGP Whole Disk Encryption, which encrypts both the OS X and Windows partitions, but this is a commercial piece of software and does not even support Lion yet.
Finally, I found this post which says that someone managed to get both their OS X and Windows partitions encrypted by modifying TrueCrypt so that it did not attempt to install its bootloader. To boot into Windows, they then had to boot the TrueCrypt bootloader from a USB pendrive.
This all sounded like a massive hack and a lot of trouble. Instead, a compromise could be to have a TrueCrypt encrypted partition after the Windows partition, on which sensitive data is placed. The downside to this method is that the partition would have to be unlocked from within Windows. This poses some security concerns and, in the end, may actually be providing a false sense of security: a keylogger on the unencrypted Windows install could capture the password whilst unlocking, and then the disk encryption is useless.