Home / ubuntu / Questions / 1142803
In Process
malku
Asked: 2019-05-14 00:31:24 +0800 CST

Dual Boot Ubuntu (with LUKS, TPM) and Windows 10 (with BitLocker)

  • 772

I'm looking for a way to dual-boot Ubuntu and Windows 10 on a single hard drive with:

LUKS + TPM on Ubuntu, with a pre-boot password

BitLocker + TPM on Windows 10, with a pre-boot PIN/password

Is this possible?

windows dual-boot luks windows-10 tpm

1 Answers

  1. This is an awesome question, and I had actually been considering doing this for a while.

    Ended up finally taking the plunge, and it seems to work fine.

    (I used the latest version of Ubuntu Desktop and Windows 10 v.1903 for this.)

    While I'm unsure about whether BitLocker's system drive encryption would play nice with Linux's dm-crypt/LUKS encryption, VeraCrypt might be the more desirable alternative to BitLocker, since it's open-source. I prefer VeraCrypt over BitLocker myself, but theoretically the process should be the same whichever route you use.

    Keep in mind that UEFI Secure-Boot would have to be disabled for this to work. If you choose to use BitLocker, you might have to enable pre-boot authentication in gpedit.msc to allow you to unlock a BitLocker-encrypted system using a PIN or password. This could mean not using the TPM. (Honestly, this would work fine for me; I'd experiment to see if the TPM could be used, but I'm happy with my current setup.)

    Anyway, after some armchair research to try this myself, I came across a post by baderaj on the linuxquestions.org forums... The only caveat is that the boot partitions would be unencrypted. For most purposes, this should be fine. (Baderaj references TrueCrypt, but since it's long been obsoleted by VeraCrypt, since it's no longer developed, I'm suggesting using VeraCrypt here instead.)

    Basically, their solution is to have the Grub bootloader have boot menu entries pointing to the LUKS-encrypted Linux partition, and the the VeraCrypt bootloader on Windows' partition.

    TL;DR: Step-by-step, this would involve the following:

    1. Install Windows, unencrypted, to a single partition (leaving some space on the drive for a second partition for Linux).
    2. Install Linux as a LUKS-encrypted partition using the disk's remaining free space.
    3. Encrypt the Windows system partition with VeraCrypt (replacing grub's MBR).
    4. Copy the MBR containing the newly-installed VeraCrypt bootloader.
    5. Reinstall grub to the MBR (replacing VeraCrypt's MBR that you copied).
    6. Add a grub bootloader menu entry pointing to TrueCrypt bootloader which was copied previously.
    7. You should, at this point, be able to use grub to boot either to the LUKS-encrypted Linux partition, or the VeraCrypt-encrypted Windows partition.

    Definitely give Baderaj's post a read-through if you're interested in following this method.

    If you do have success with using BitLocker instead of Veracrypt for this, do post your success story. :)

    • 3