Everyday Thaumaturgy
(It's a Miracle If I Get Anything Done Around Here)
a blog by William S. Statler

Laptop computer renovation, Part 5

Fri, 20 Feb 2009 21:00:00 PST

In Part 4 of this series, I installed Ubuntu Linux with a couple of encrypted partitions (one for /home, another for the swap area). My goal was to have the encrypted /home partition show up as encrypted Drive E: when I booted Windows XP.

This was pretty easy to set up. And it would have worked on the first try, except for an extremely annoying and poorly publicized change in version 8.10 of Ubuntu (a new default inode size, explained below) that broke everything. But I fixed it, and I even persuaded Windows to prompt for the passphrase before user login. Hee hee hee! I am a happy mad scientist!

Um. Well, anyway...

Windows software needed to access ext3-formatted dm-crypt/LUKS-encrypted partition

To handle encryption/decryption, I installed FreeOTFE version 4.50. Installation was trivially easy.

Running FreeOTFE from the Start menu brought up a straightforward GUI. From the menu, I selected File –> Linux volume –> Mount partition... I picked Partition #3 from the display, and got a box for entering the passphrase and several other options which I left at their default settings.

This worked — FreeOTFE reported that it had mounted volume \Device\Harddisk0\Partition3 as Drive E:, with the same encryption settings I'd used when I set it up in the Ubuntu installer. Drive E: also showed up in Windows Explorer, but it was still unreadable since I hadn't yet installed a driver to read the Linux ext3 format.

This driver was the Ext2 Installable File System version 1.11a. There were a few options for me to select during installation:

This did not work on the first try. As I eventually learned, the problem was with an ext2/ext3 parameter called inode size. Until recently, mke2fs (the tool behind mkfs.ext3) defaulted to 128-byte inodes, and the Ext2 Installable File System 1.11a only understands filesystems of that type. Newer e2fsprogs releases, including the one shipped with Ubuntu 8.10, default to 256-byte inodes; the larger inode makes room for ext4 features such as nanosecond timestamps and extended attributes stored in the inode itself. Note that the filesystem on the encrypted partition was still plain ext3 and Ubuntu read it fine; only the Windows driver objected.

The fix was annoying but not really very difficult. I booted up Ubuntu, logged in as root, and copied the entire /home directory (the only thing on the encrypted partition) to a safe spot on a different partition. This command performs a copy of the source with all subdirectories and retains the file mode, ownership, and timestamps:

cp -p -r [source] [destination]

Then I unmounted /home, reformatted the partition with 128-byte inodes (the -I option to mkfs.ext3), and remounted it using its /etc/fstab entry:

umount /home
mkfs.ext3 -I 128 /dev/mapper/sda3_crypt
mount /home

I copied the backed-up files and directories to the reformatted /home, and I was done.
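The same backup, reformat and restore procedure as a script, added here as an example and not taken from the original post. It first reads the volume's inode size from tune2fs, so the destructive mkfs.ext3 step only runs when the filesystem really does have the 256-byte inodes that Ext2 IFS 1.11a cannot read, and it verifies the new size afterwards. The device name, mount point and the mkfs.ext3 -I 128 command are the post's; the backup location is an assumption, and the tune2fs output at the bottom is a constructed sample so the checks can be exercised without touching any disk.

```shell
#!/bin/sh
# Added example (not the author's commands): decide whether an ext3 volume
# needs the 128-byte-inode reformat for Ext2 IFS 1.11a, then do the
# backup / reformat / restore with a verification step at the end.

# Extract the "Inode size:" value from `tune2fs -l` (or `dumpe2fs -h`)
# output read on stdin. Prints the number, or nothing if the line is absent.
inode_size_from_tune2fs() {
    awk -F: '/^Inode size:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# True (exit 0) when the volume described on stdin needs reformatting for
# Ext2 IFS 1.11a, which only reads filesystems with 128-byte inodes.
needs_reformat_for_ext2ifs() {
    size=$(inode_size_from_tune2fs)
    [ -n "$size" ] && [ "$size" -ne 128 ]
}

# The destructive procedure. Must run as root, with /home listed in
# /etc/fstab and the backup directory on a DIFFERENT partition, because
# mkfs.ext3 erases the volume.
reformat_home_128() {
    dev=${1:-/dev/mapper/sda3_crypt}
    backup=${2:-/var/tmp/home-backup}   # assumed location, not from the post

    if ! tune2fs -l "$dev" | needs_reformat_for_ext2ifs; then
        echo "$dev already has 128-byte inodes; nothing to do" >&2
        return 0
    fi

    mkdir -p "$backup" || return 1
    # cp -a is GNU shorthand for -dR --preserve=all: recursive, keeps mode,
    # ownership and timestamps, and copies symlinks as symlinks.
    cp -a /home/. "$backup"/ || return 1
    umount /home || return 1
    mkfs.ext3 -I 128 "$dev" || return 1   # the installer runs plain mkfs.ext3
    mount /home || return 1
    cp -a "$backup"/. /home/ || return 1

    # Confirm the result before booting Windows and expecting Ext2 IFS to read it.
    new_size=$(tune2fs -l "$dev" | inode_size_from_tune2fs)
    [ "$new_size" = 128 ] || { echo "unexpected inode size: $new_size" >&2; return 1; }
    echo "$dev reformatted with 128-byte inodes; backup left in $backup"
}

# Constructed sample of `tune2fs -l` output for an Ubuntu 8.10-era ext3 volume.
SAMPLE_TUNE2FS='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype sparse_super large_file
Filesystem OS type:       Linux
Inode count:              655360
Block count:              2621440
Block size:               4096
Inode size:               256
Journal inode:            8'

# Stand-alone demonstration on the sample (no devices are touched):
printf '%s\n' "$SAMPLE_TUNE2FS" | inode_size_from_tune2fs
if printf '%s\n' "$SAMPLE_TUNE2FS" | needs_reformat_for_ext2ifs; then
    echo "sample volume needs mkfs.ext3 -I 128"
fi
```

To run the real thing, call reformat_home_128 as root after unlocking the partition: `reformat_home_128 /dev/mapper/sda3_crypt /var/tmp/home-backup`. The check at the top is what saves you from reformatting a volume that was already fine, and the check at the bottom is what tells you that the -I 128 option actually took effect before you reboot into Windows.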

And when I rebooted into Windows XP and mounted the encrypted partition with FreeOTFE, the E: drive magically appeared in Windows Explorer with all the contents of the Ubuntu /home directory. No further fiddling with the Ext2 Installable File System was needed — it just recognized the device automatically. Hooray!

"The fix was annoying but not really very difficult." Uh, well actually...

One thing about that reformatting that was quite difficult: finding out how to do it. I mean, it was simple enough to read the man page for mke2fs (which is what mkfs.ext3 actually runs) and see all the options. But I wanted to replicate exactly the same formatting options used during Ubuntu installation (except with 128-byte inodes). So, what exactly was the formatting command used by the installer?

Argh. If this is actually documented anywhere, I never found it. I ended up being the Sherlock Holmes of the installer's source code, and I finally found the answer spread across several files. If I understand the code correctly, for most situations the command for an ext3 format is just the following, with every other setting (the inode size included) coming from the defaults in /etc/mke2fs.conf:

mkfs.ext3 [devicename]

Well, heck! If I'd known it was that simple, I could have saved hours. Oh well.

Prompting for the passphrase before Windows login

Ubuntu, by default, prompts me for the passphrase for the encrypted partition during startup, before login. I wanted Windows XP to do this too. The following technique works in Windows XP Professional (but not, apparently, in Windows XP Home, which lacks the Group Policy Editor). In fact it ought to work for any script that you want to run before login: computer startup scripts run under the Local System account before the logon screen appears, so whatever they set up is there for the whole machine, not for one user.

The first step was to write a batch file (which I named encdrive.cmd) containing this FreeOTFE command to mount my encrypted Partition #3:

"C:\Program Files\FreeOTFE\FreeOTFE.exe" /mount /volume "\Device\Harddisk0\Partition3" /linux

I put my encdrive.cmd file in this directory:
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup
because that's where the Group Policy Editor likes it to be.

What (you may be wondering) does a startup script have to do with group policies? I have no idea. Ask Bill Gates. (The short answer is that machine startup and shutdown scripts are one of the things Group Policy knows how to deliver, and a stand-alone computer has a local policy of its own even when it is not in a domain.) Regardless, the tool I needed was the Group Policy Editor: Start –> Run –> gpedit.msc

I navigated to Computer configuration –> Windows settings –> Scripts (Startup/Shutdown) –> Startup –> Add and entered my encdrive.cmd script name, and no script parameters.

That's all that was necessary to make my script run at startup, but there were two other settings that were useful for debugging purposes, both found under Computer configuration –> Administrative templates –> System –> Scripts:

The result of all this obscure tweaking: when Windows XP starts up and reaches the login screen, a window pops up for FreeOTFE. All I need to do here is enter the passphrase, and the encrypted partition becomes available as drive E: for all users. Keep that last part in mind: because the mount happens at machine startup rather than at login, the passphrase protects the data while the laptop is off, and once it has been entered every account that logs in sees E: just like any other drive.
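A fuller version of encdrive.cmd, added here as an example rather than the author's own script. It does the same mount, but only if drive E: is not already there (so a second run of the script does not prompt for the passphrase twice), and it writes a line to a log file either way, which is the thing you most want when a startup script misbehaves at the logon screen and there is no console to read. The FreeOTFE path and the volume name are the post's; the log file location is an assumption made here, and the script takes any non-zero FreeOTFE exit code as a failure without assuming what the individual codes mean.

```batch
@echo off
rem encdrive.cmd - added example, not the script from the original post.
rem Mounts the encrypted Linux partition with FreeOTFE from a machine startup
rem script, once, and records what happened so a failure can be diagnosed.
rem Assumptions: FreeOTFE 4.50 in its default install folder, the volume is
rem \Device\Harddisk0\Partition3, and the log path is a choice made here.

setlocal
set "FREEOTFE=C:\Program Files\FreeOTFE\FreeOTFE.exe"
set "VOLUME=\Device\Harddisk0\Partition3"
set "LOG=C:\WINDOWS\Temp\encdrive.log"

echo %DATE% %TIME% startup script running >> "%LOG%"

if not exist "%FREEOTFE%" (
    echo %DATE% %TIME% FreeOTFE not found at "%FREEOTFE%" >> "%LOG%"
    exit /b 1
)

rem If a previous run (or the user) already mounted the volume, do not ask
rem for the passphrase again.
if exist E:\ (
    echo %DATE% %TIME% drive E: already present, nothing to do >> "%LOG%"
    exit /b 0
)

rem No passphrase on the command line: it is typed into FreeOTFE's own
rem dialog at the logon screen and never stored in this file.
"%FREEOTFE%" /mount /volume "%VOLUME%" /linux
set "RC=%ERRORLEVEL%"

if exist E:\ (
    echo %DATE% %TIME% mounted %VOLUME% as E: ^(FreeOTFE exit code %RC%^) >> "%LOG%"
    exit /b 0
)
echo %DATE% %TIME% mount of %VOLUME% failed or was cancelled ^(exit code %RC%^) >> "%LOG%"
exit /b 1
```

One caveat worth knowing before relying on this: Windows runs startup scripts synchronously unless told otherwise and waits for them (by default up to 600 seconds) before showing the logon screen, so a passphrase dialog that nobody answers holds up the whole boot for that long. Set the startup scripts to run asynchronously if you would rather have the logon screen appear regardless.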

I'll call that a success.

For more information on doing this sort of stuff with the Group Policy Editor, these two articles are very informative:


Copyright © 2009 William S. Statler (except for quotes and
contributions from other authors). This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
which grants limited rights of non-commercial distribution and reuse. Please read
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
for details. All other rights reserved.