Encrypting both OS X and Boot Camp

Update – Apparently this is now possible according to Jason Gouger who gave a method in the comments below.

Recently I decided that walking around with my documents and work unencrypted on my Macbook Pro was possibly a bad idea. If it was stolen, the thieves would have access to everything simply by connecting the hard drive to another machine. To alleviate these concerns, I started to look at the disk encryption options available to me.

On the Macbook I obviously run Mac OS X which I recently upgraded to Lion. With Lion comes an upgrade to the built-in encryption offered by the OS. Previously, FileVault, the built-in encryption system, only offered encryption of the user’s home folder. However, with Lion, FileVault2 now encrypts the entire partition.

Nine hours later, my OS X partition was fully encrypted. Here’s where I began to run into issues. As well as Mac OS X, I also use Boot Camp to allow me to boot a native Windows 7 install. FileVault is quite tightly tied to HFS+, so although you can encrypt your OS X partition, your Windows NTFS partition remains unencrypted.

My initial reaction was to think I could just use TrueCrypt to encrypt the Windows partition. However, TrueCrypt expects the Windows partition to be the first on the drive, which is not the layout in place after setting up Boot Camp. By default, the EFI partition is first, followed by the OS X partition and its “Recovery” partition, and then finally the Windows partition. Windows’ built-in BitLocker encryption faces the same issue as TrueCrypt, requiring the Windows partition to be the first on the drive.

After looking into this issue online, I found a tutorial which provided a method for getting Windows installed on the first partition on the drive, allowing the use of TrueCrypt. The issue with this method is that it requires using the MBR partition table instead of the newer GPT partition table used by OS X. Without the GPT partition table, OS X will refuse to install on the drive, and even after you coerce it by manually writing an image, you then cannot enable FileVault as it requires the GPT partition table.

Another option I considered was Symantec’s PGP Whole Disk Encryption, which encrypts both the OS X and Windows partitions, but this is a commercial piece of software and does not even support Lion yet.

Finally, I found this post which says that someone managed to get both their OS X and Windows partitions encrypted by modifying TrueCrypt so that it did not attempt to install its bootloader. To boot into Windows, they then had to boot the TrueCrypt bootloader from a USB pendrive.

This all sounded like a massive hack and a lot of trouble. Instead, a compromise could be to have a TrueCrypt encrypted partition after the Windows partition on which sensitive data is placed. The downside to this method is that the partition would have to be unlocked from within Windows. This poses some security concerns and, in the end, may actually be providing false security. A keylogger could catch the password whilst unlocking, and then the disk encryption is useless.
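As an added example (not part of the original post), the following Python script reads the two sectors the whole problem turns on, the MBR at LBA 0 and the GPT header at LBA 1, and answers the questions above: is the disk GPT with a protective or hybrid MBR (what FileVault requires), and is the Windows partition first on the drive (what TrueCrypt and BitLocker require)? It also verifies the GPT header CRC32, which is how you would detect a bootloader having overwritten the GPT as described in the comments below. The partition layouts and sizes are constructed for illustration; the Boot Camp type bytes (0xEE, 0xAF, 0xAB, 0x07) are the real ones.

```python
import struct
import zlib

def parse_mbr(sector):
    """Return the non-empty MBR slots as (type, start_lba, sector_count), in slot order."""
    assert len(sector) == 512 and sector[510:512] == b"\x55\xaa", "not a valid MBR sector"
    entries = []
    for slot in range(4):
        _boot, _chs0, ptype, _chs1, start, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * slot)
        if ptype:  # type 0x00 marks an unused slot
            entries.append((ptype, start, count))
    return entries
def classify_mbr(entries):
    """A GPT disk carries a 0xEE entry: alone it is a protective MBR, beside others a hybrid MBR."""
    types = [t for t, _, _ in entries]
    if types == [0xEE]:
        return "protective-gpt"
    return "hybrid-gpt" if 0xEE in types else "mbr"
def windows_is_first(entries):
    """True when the lowest-LBA data partition (0xEE cover entry ignored) is NTFS, type 0x07."""
    data = sorted((e for e in entries if e[0] != 0xEE), key=lambda e: e[1])
    return bool(data) and data[0][0] == 0x07
def gpt_header_ok(lba1):
    """Verify the 'EFI PART' signature and header CRC32 of the sector read from LBA 1."""
    if lba1[:8] != b"EFI PART":
        return False
    size, stored_crc = struct.unpack_from("<II", lba1, 12)
    scratch = lba1[:16] + bytes(4) + lba1[20:size]  # CRC field is zeroed while the CRC is computed
    return zlib.crc32(scratch) == stored_crc

def build_mbr(parts):
    """Constructed test data: pack (type, start_lba, count) tuples into a 512-byte MBR."""
    sector = bytearray(512)
    for slot, (ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * slot, 0, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def build_gpt_header():
    """Constructed 92-byte GPT header (illustrative LBAs, zero disk GUID) with its CRC32 filled in."""
    hdr = bytearray(92)
    struct.pack_into("<8sIIIIQQQQ16sQII", hdr, 0, b"EFI PART", 0x10000, 92, 0, 0,
                     1, 976773167, 34, 976773134, bytes(16), 2, 128, 128)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr)

# Default Boot Camp hybrid MBR (constructed sizes): EFI cover entry, OS X, Recovery HD, Windows last
BOOTCAMP = build_mbr([(0xEE, 1, 409639), (0xAF, 409640, 800000000), (0xAB, 800409640, 1269536), (0x07, 801679176, 175093991)])
# Plain MBR disk with Windows first: what TrueCrypt and BitLocker expect, and what FileVault 2 rejects
MBR_ONLY = build_mbr([(0x07, 2048, 975000000)])
```

On a real machine you would feed `parse_mbr` the first 512 bytes of the raw disk device or image and `gpt_header_ok` the next 512, rather than the constructed sectors above.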

  • William

    Luke, Great post- I have the same problem. I’m curious, did you come up with a solution to this yet?

    • Luke Fitzgerald

      Unfortunately I’ve not made any more progress on this. I’ve certainly not seen any new methods pop up.

      I think going with the additional encrypted partition after Windows is probably the best option. With regards to how secure it is; if your computer has a keylogger on it, your work is probably already compromised and you should have anti-virus software to detect that sort of thing.

  • Jason Gouger

    After much work I was able to accomplish using both FileVault and TrueCrypt. The biggest issue to work around was the fact that the TrueCrypt (TC) boot loader exceeds the maximum size that can fit in the first sector; it extends into the GPT rescue partition and corrupts the GPT partition table data. Since it is not possible to install the TC bootloader, I used GRUB/GRUB4DOS to load the ISO recovery image of TC to boot the proper Windows partition.

    I managed to setup the partitioning to allow Windows to install on the “second” MBR partition.

    My GPT partition layout is:

    1. GPT Rescue
    2. GRUB Boot
    3. Windows
    4. OSX

    I used gpart from the Linux SysRescue CD. I created the layout above, and created a Hybrid MBR with partitions 2 and 3.

    I installed OSX Lion onto the OSX partition.

    Once this was set up I proceeded to install Windows. You can only format the Windows partition during the installation; do not do any partitioning as this will corrupt the GPT data.

    With Windows installed and working, I installed the BootCamp drivers and then installed TC. Installing TC will corrupt your GPT/Hybrid MBR setup as it will overwrite the GPT table and GPT rescue partition when it writes the bootloader. Now you will need to use the Linux SysRescue CD and gpart to restore the GPT partition table from the backup and recreate the Hybrid MBR.

    With the partition table rebuilt you will need to setup GRUB/GRUB4DOS to load the TC recovery ISO to boot the Windows partition. This involves installing GRUB and then installing GRUB4DOS as the boot image for GRUB. GRUB4DOS can then be setup to boot the TC recovery ISO.

    Once Windows/TC was all set up, I went back to OSX and enabled FileVault. If you did everything correctly you will notice that the disk partition tool under OSX still reports the disk as a GPT disk, not MBR. If it is reported as MBR, FileVault will fail to enable.

    Booting the recovery ISO is a bit messy, but it does accomplish the task of using both FileVault and TC. Perhaps TC will be improved in the future such that it creates a multistage boot loader and uses an additional partition instead of just overwriting beyond sector 1, which just happens to work for Windows.

    • Ric

      In your GPT partition layout, what were the sizes? thx

    • Ric

      Anyone try this? Steps are not very clear. Since creating the four primary partitions GPT Rescue, GRUB Boot, Windows, and OSX, OSX reports it can’t install because it can’t create a recovery partition. Anyone else able to elaborate on this, or is this a dead issue? PGP WDE seems to be the only dual boot/encrypt Win7/OSX option out there that actually works.

      thx
      ric

  • Steve

    Thanks for posting this solution. I considered Jason Gouger’s option, but was concerned about the amount of work involved for several boxes and its overall robustness, especially given my limited experience tinkering with MBRs and grub.

    I went instead with PGP Desktop version 10.2 MP2 and can confirm that this works very well for Lion 10.7.2 with Bootcamp and Windows 7 x64. The setup is simple for an existing Bootcamp setup: (0) Back up everything using Time Machine and/or Carbon Copy Cloner for OSX and WinClone 2.3.3 for Windows 7 (after doing a “chkdsk /f /r” plus reboot); (1) Install PGP Desktop on the Windows 7 partition; (2) Install PGP Desktop on the OSX partition, reboot into OSX, and encrypt within OSX.

    This has the chief advantage of whole disk encryption: being able to see (and backup) the entire drive from each OS — it works just like an unencrypted Bootcamp setup. Also, holding down Command-R while booting into the OSX partition still works to boot into the Lion Recovery Partition.

    AFAIK, this is the *only* existing automated encryption method for dual boot boxes without the necessity of mucking with grub bootloaders. In the future, it would be nice to have if FileVault 2 were capable of whole disk encryption, if TrueCrypt allowed encryption of arbitrary partitions or WDE, or if WinMagic supported Bootcamp.

    But right now, PGP Desktop appears to be the only workable solution. The nice thing is that it works and works well.

  • Gunnar Már Óttarsson

    http://blog.claesbrandt.dk/?p=80

    Still works with Windows 8 and Mac OS X 10.8.