GUIDE: How to dual-boot encrypted installations of Linux and Windows

As always, this guide is just educational, I'm not responsible for anything you do, especially for you messing up your computer, this is how I've done it for myself and it works for me, I'm posting it because finding any guide on this subject is a huge pain.


Hi! I’ve recently become very interested in encryption, mainly full-disk encryption or at least as-much-as-possible encryption. I’ll be honest with you, getting to this point was HARD! And even now it’s kinda a bodge, so remember that if you decide to follow this guide your PC’s boot process will be held together by tissue paper and string.
A system becoming unbootable is not that big of a deal. I mean, you can mount your encrypted Linux root partition with a live USB, and VeraCrypt also has a Linux version, so basically there shouldn’t be a situation where your system is unbootable and you can’t recover any of your data. But regardless, BACK UP YOUR BACKUPS!
Regardless, it’s the best option I found and you will be hard pressed to find any other guide on this. Believe me, I’ve tried.
This is a very rough guide. It assumes that you know what you are doing when it comes to installing Windows and Linux. I could make a more detailed guide if somebody would be interested in reading that.


What you will need:

  1. A system that supports EFI boot and GPT partitions.
  2. Windows 7
    I did it with English Pro x64 but I think any Windows will do.
  3. VeraCrypt
    It’s free, it’s robust, it’s secure, it works.
  4. Antergos Linux
    Yes, it has to be Antergos. I tried about 20 distros and Antergos is your best bet. I know you don’t want to run Arch, I don’t want to run Arch, but it turns out that running Arch is the easiest option when you do something as ridiculous as dual-booting two encrypted operating systems.
  5. Rufus
    To make a bootable USB stick.

Partitioning:
You are doing this so that the Linux partitions are created first and are sda1, sda2 and sda3 respectively; the Windows installation then goes on the rest of your drive.

  1. First download Antergos. You can use the Minimal installer if your PC is older but I didn’t test it.
    Go to the bottom of:
    https://antergos.com/try-it/
    And click Latest Install Media, then choose your iso and download method.
  2. Make a bootable USB stick with Rufus; you can find guides for this everywhere.
    If asked, use ISO mode, not DD mode.
  3. Boot into Antergos
  4. Open GParted
  5. Create a new GPT partition table.
  6. Create three partitions at the beginning of the drive:
    100 MB unformatted
    500 MB unformatted
    Linux_root_size unformatted
    and leave as much space as you want to have in Windows at the end of the drive.
  7. Apply changes and exit Antergos.

Installing Windows:
You should know how to do this by now. When asked where to install Windows, choose custom and make sure to manually create a Windows partition on the empty space, not just choose the empty space and click next. You have to do this manually because if you click next when empty space is selected, Windows will not create an EFI partition and you will have just recovery and Windows. It will still work, just with no Windows EFI partition. I don’t really know if this changes much but I think it does.

  1. Encrypt your Windows partition with VeraCrypt. Encrypt the partition, not the entire drive, and choose single boot, even if other options are available. Skip rescue disc verification; there is no point in recovering a fresh install of Windows. If everything goes alright you will be able to boot up to Windows when you’re done and copy the rescue disc image off your encrypted hard drive for future use.
  2. It’s really important to check if everything works at this point. After VeraCrypt has tested the boot-up and encrypted your drive, turn off your computer, open the boot menu, open the BIOS, check if everything looks good, and check if your system boots up with VeraCrypt BootLoader.

Installing Antergos:
We have to use Antergos, sorry for that again, but it is the only distro I tried that can create an encrypted volume within the manual partitioning installer and create a bootable system on that encrypted hard drive.
This process might fail one or two times. It’s not your fault, it just sometimes happens that Antergos is unbootable after installation.

  1. Boot up to your Antergos USB again, and close the installer window. Don’t click on try or install, just the X in the corner.
  2. Connect to the internet and wait for the updates. When Cnchi is updated, the installer will reopen.
  3. Choose your settings and packages.
  4. When asked where Antergos should be installed, choose manual mode.
  5. Now for the most important part.
    a. Make sure that Grub2 is chosen as your bootloader and that it’s installing on your boot drive.
    b. This is really important: don’t Edit partitions, you have to delete them and create new ones one by one!
    c. Click on the sda1 100 MB partition, Delete it and make in its place a fat32 /boot/efi partition.
    d. Click on the sda2 500 MB partition, Delete it and make in its place a fat32 /boot partition.
    e. Click on the sda3 Linux_root_size partition, Delete it and make in its place an ext4 / partition.
    f. Choose Encryption Options, accept that this drive will be wiped and enable LUKS.
    You can create more than one encrypted partition, like separate /home or swap partitions, but you will have to decrypt each of them on boot, so you will have to enter your encryption password 2-3 times each time you boot up your PC.
    g. Enter your volume name and encryption passphrase, and remember to put it in again to confirm it.
  6. Finish your installation as normal. You can safely select the option to skip the password on boot, since you will not be able to boot this system up without entering the encryption passphrase anyway.
  7. After the installer is done, tell it to reboot the system. It should boot into GRUB and, after 5 seconds or an Enter press, ask you for your encryption password. After entering that you should be welcomed by your desktop.
  8. Restart your machine, enter the BIOS menu and check if VeraCrypt BootLoader is still there.
  9. Put it above the Antergos GRUB EFI entry. The boot order should look like this:
    1. VeraCrypt BootLoader
    2. Antergos Grub
    3+ Everything else
  10. Save changes and reboot your PC again. It should boot into VeraCrypt BootLoader. Enter your Windows encryption password to boot into Windows, or press Escape twice to boot into GRUB.

That’s it! Congratulations! You now have an encrypted dual-booting system with Linux and Windows on one hard drive!

Note: The Windows EFI partition and the Linux /boot and /boot/efi partitions are still unencrypted, same as your GPT partition table. I don’t know about your Windows Recovery partition, but the Windows and Linux root partitions are fully encrypted.

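One way to check the layout described in the note above from the Linux side, as an added example that is not part of the original guide: it classifies every partition from `lsblk -P` output. The sample input and the numbering sda4 to sda6 are constructed, and it assumes a VeraCrypt-encrypted partition exposes no filesystem signature, so an empty FSTYPE means "VeraCrypt or unformatted" and still needs a manual look.

```shell
#!/bin/sh
# Added example: audit which partitions are encrypted after following the guide.
# Live use: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | audit_layout

# Constructed sample matching the guide's layout (sda4-sda6 numbering is assumed).
SAMPLE='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda4" TYPE="part" FSTYPE="ntfs" MOUNTPOINT=""
NAME="sda5" TYPE="part" FSTYPE="vfat" MOUNTPOINT=""
NAME="sda6" TYPE="part" FSTYPE="" MOUNTPOINT=""'

# Reads lsblk key="value" lines on stdin and prints one tab-separated row per
# partition: name, status, filesystem type, mountpoint.
audit_layout() {
    awk '
    function field(key,   m) {
        # Extract the value of KEY="value"; the "(^| )" anchor stops TYPE
        # from matching inside FSTYPE.
        if (match($0, "(^| )" key "=\"[^\"]*\"")) {
            m = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m)
            sub(/"$/, "", m)
            return m
        }
        return ""
    }
    {
        if (field("TYPE") != "part") next   # skip whole disks and opened LUKS mappings
        name = field("NAME"); fs = field("FSTYPE"); mnt = field("MOUNTPOINT")
        if (fs == "crypto_LUKS")  status = "LUKS"
        else if (fs == "")        status = "NO-SIGNATURE"  # VeraCrypt or unformatted
        else                      status = "PLAINTEXT"     # readable without a key
        printf "%s\t%s\t%s\t%s\n", name, status, (fs == "" ? "-" : fs), (mnt == "" ? "-" : mnt)
    }'
}

# Run against the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE" | audit_layout
```

Every row marked PLAINTEXT can be read and modified without a passphrase; on this layout that includes the FAT32 /boot partition that holds the kernel and initramfs.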