Windows: How to Multiboot with Bitlocker, TPM, and a Non-Windows OS
IT Pros and developers often have to dual-boot their machines for dev/test, troubleshooting, teaching or other reasons. In Windows "8" Consumer Preview, you can instead use Client Hyper-V, turn your machine into a Hyper-V host, and then use VMs. Or, you can continue to set up your machine for multi-boot. This article is based upon and extends the blog post Building a dual boot system with Windows Vista BitLocker protection with TPM support. The Windows 7 Dual Boot Revisited with Bitlocker blog post has additional information and a slightly different configuration. Do you have additional information, for Windows "8" Beta perhaps? Feel free to join in and edit this article; see Getting Started for help.
Bitlocker Drive Encryption allows encryption of Windows partitions and provides a secure startup process when used with a TPM (a crypto chip on the motherboard). Windows "8" Beta provides a Used Disk Space Only option which allows for a much quicker encryption experience by only encrypting used blocks on the targeted volume.
Note: a Bitlocker compatible machine is required. See http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_require
Method 1: Start with Linux
Step 1. Install Linux
Note: be sure to leave enough unpartitioned space for Windows
Step 2. Install Grub on the Linux partition (outside of MBR)
Download GRUB
See other post “How to use Windows Boot Manager to boot Linux”
Step 3. Get a copy of Linux boot sector
See other post “How to use Windows Boot Manager to boot Linux”
Step 4. Create partitions for Windows
Create 2 primary NTFS-formatted partitions on the disk: one active, 1.5GB size minimum, and another larger one (all the rest, for instance, with a minimum of 8.5GB). The active partition will be used to boot the machine and will remain unencrypted, while the latter will host Windows and will be encrypted when we activate Bitlocker.
You can use diskpart to do this (sizes are in MB, so size=2048 gives a 2GB boot partition; the second partition takes the remaining space):
- select disk 1
- create partition primary size=2048
- format fs=ntfs quick
- active
- create partition primary
- format fs=ntfs quick
Step 5. Install Windows Vista
Install Windows on the largest NTFS partition.
Step 6. Set up Windows Boot Manager to boot Linux
See other post “How to use Windows Boot Manager to boot Linux”.
Step 7. Enable TPM in BIOS
Because these instructions differ according to manufacturer and BIOS version, see instructions in your computer's manual or support website.
Step 8. Enable BitLocker on Windows
See BitLocker documentation, like http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_S3
Method 2: Start with Windows
Step 1. Win 7
See here: Install Win7
Step 2. Install R2 into a .vhd on a second drive
Install R2 into a .vhd on a second drive (multibay on a laptop) or partition using the WIM2VHD script. See http://blogs.technet.com/keithcombs/archive/2009/06/17/automating-boot-from-vhd-os-installation.aspx for some information on that. The script when done dismounts the VHD.
Step 3. Attach the VHD and assign it a drive letter.
This can be done using the GUI Disk Manager or via the command line with diskpart.
From an elevated cmd console:
Bcdboot <driveletter>:\windows, where <driveletter> is the location of the mounted R2 image. Bcdboot is part of the AIK installed in the WDT image.
Step 4. Test dual boot
Step 5. Turn on Bitlocker and encrypt C:
Make sure to have a USB stick handy for storage of the recovery key.
Step 6. Test dual boot after encryption is complete
Step 7. Boot R2 and install Bitlocker
Step 8. Access the files on the encrypted drive from R2
Use the USB stick and the recovery password.
NOTE: If you are planning on running the Hyper-V role, most likely you’ll need to fix the BCD store. Use the “bcdedit /set hypervisorlaunchtype auto” command from an elevated cmd prompt.
Method 3: EasyBCD
EasyBCD 2.1.2 is a third-party tool that allows you to dual-boot between Windows 7, Windows Vista, older versions of Windows such as XP & 2003, Linux, Ubuntu, BSD, and Mac OS X.
NOTE: you will not be able to access the volume encrypted with Bitlocker after this procedure. For most dual- or multi-boot scenarios, such as dev/test, this is fine.
Step 1. Partition
Partition your hard disk in advance or shrink the OS volume after Windows installation like this
Make sure the empty partition is big enough for whatever you want to do with the other OS…
Step 2 Install the other OS
Install the other OS to partition 3, but make sure that its boot files are also on partition 3! Most Linux distros will attempt to make changes to the MBR or install their own bootloader in partition 1, and use that to pass the boot process off to Windows. This will break BitLocker because it invalidates the boot-time chain of trust: the TPM measures the MBR and early boot code into its PCRs, and BitLocker's key is sealed to the values those measurements produced when it was enabled. To be safe, just make sure that everything the other OS wants to do is pointed at partition #3.
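To make the "chain of trust" point concrete, here is an added illustration (not code from the article or from Microsoft) of how a TPM 1.2 PCR accumulates boot measurements and why a key sealed to those measurements stops unsealing once the MBR changes. It is a simplified model: one PCR stands in for the several BitLocker actually uses, a dictionary stands in for the TPM's sealing, and the boot-component blobs and key are constructed sample values.

```python
import hashlib

# Simplified model of TPM 1.2 measured boot, added as an illustration; the
# real TPM performs the extend and seal/unseal operations in hardware.


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Extend a PCR, starting from 20 zero bytes, with each component in boot order."""
    pcr = bytes(20)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def seal(secret: bytes, pcr: bytes) -> dict:
    """Bind a secret to the PCR value observed at seal time (BitLocker does this with its VMK)."""
    return {"pcr": pcr, "secret": secret}


def unseal(sealed: dict, pcr: bytes):
    """Release the secret only if the current PCR equals the sealed one.
    A mismatch is the situation where BitLocker prompts for the recovery key."""
    return sealed["secret"] if sealed["pcr"] == pcr else None


# Constructed sample blobs standing in for the code the BIOS measures before
# handing control to the Windows Boot Manager (bootmgr).
MBR_WINDOWS = b"windows-mbr-code"
MBR_GRUB = b"grub-stage1-written-to-mbr"
NTFS_BOOT_SECTOR = b"ntfs-boot-sector-partition-1"
BOOTMGR = b"windows-boot-manager"
VMK = b"constructed-volume-master-key"


def scenario(mbr_now: bytes):
    """Seal the VMK against the original Windows chain, then try to unseal after the
    given MBR is in place.  A GRUB that lives on partition 3 and is chainloaded by
    bootmgr is loaded after this unseal decision, so it never enters this PCR."""
    sealed = seal(VMK, measure_boot_chain([MBR_WINDOWS, NTFS_BOOT_SECTOR, BOOTMGR]))
    return unseal(sealed, measure_boot_chain([mbr_now, NTFS_BOOT_SECTOR, BOOTMGR]))


if __name__ == "__main__":
    print("MBR untouched, GRUB on partition 3:", scenario(MBR_WINDOWS) == VMK)  # True
    print("GRUB written into the MBR:", scenario(MBR_GRUB) == VMK)  # False
```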
Step 3 boot into Windows and install EasyBCD
Download
Choose “Add New Entry” and click on the Linux tab, then add the appropriate entry for whatever you are installing.
The final result should look something like this:
Reboot to make sure it works; you should see a black and white menu that lets you choose which OS to boot during startup.
Boot into Windows and enable BitLocker as you normally would.