Category Archives: sysadmin

linux sysadmin technical

Quad boot with Linux, XP and Encrypted Vista on the Lenovo x61 Tablet

In this post I’m going to briefly discuss the issues I’ve had getting my new X61 notebook booting four operating systems (Windows Vista, Windows XP, Ubuntu, BackTrack), with the Vista install encrypted.

Preamble: Our new staff laptops are pretty fantastic. The faculty has an initiative subsidizing the cost of deploying tablet notebooks to all schools in Computing and Health Science. I already had one of the few X41s, which were wasting away in storage when I arrived: nobody seemed to want to use them because they apparently underperformed. I dusted one off and moved from the T42 I was using to the X41, and found the reduced footprint and weight more than made up for any loss of grunt.

So the new machines have landed, and they’re the very capable Lenovo X61. I’ve had one for a month or so running alongside the X41. I would have made the transition without delay, as the new hardware is better in many respects, and I’m not so biased against Vista that I would avoid upgrading for that reason alone (Vista is mandatory on these new machines to increase staff exposure to the O/S), but there’s been a major sticking point, and that’s support for my favorite XP encryption solution, TrueCrypt with TCGINA.

I’ve had at least one laptop stolen in recent years, and while no important data was lost or exposed via the theft, I now have a heightened awareness of the danger of carrying unencrypted data around. TCGINA does a great job in XP of hooking into the login process and mounting your encrypted volume before the user profile is loaded, which means the profile itself can live on the encrypted volume. In practice your desktop folder, My Documents, IM data, browser (IE or FF) favorites and history and the like are all stored safely. If the device is lost or stolen, then without your password that sensitive file you left on the desktop isn’t sitting exposed on an unencrypted disk, waiting to be harvested by a forensic undelete utility.

Truecrypt 4 with TCGINA is broken on Vista

Vista replaced the GINA login model with credential providers, so TCGINA no longer has anything to hook into. This was a real headache: I needed to be using Vista for work but wasn’t comfortable with an unencrypted portable system. (This was before TrueCrypt 5 was released; more on this shortly.) The X61 has a TPM, so (any big brother TPM/Vista backdoor conspiracy theories aside) BitLocker should have been an option, but because of the partitioning on my notebook it isn’t. BitLocker needs a separate, unencrypted, active primary partition (1.5 GB on Vista) to hold the boot manager and boot files; only the OS volume itself gets encrypted, and that extra partition has to come from somewhere.

Problem was, I already had the maximum of four primary partitions an MBR disk allows. I’m never satisfied, so after installing Vista I went in with a Linux live CD and GParted (the GNOME partition GUI, like travelling first class compared to being jammed in the luggage bay using fdisk) and sliced the disk up so I could have three additional OSes booting natively. These were Ubuntu, BackTrack 3 Beta and WinXP SP2, the latter being a real adventure to get co-habiting peacefully with the others, due to its unfortunate tendency to blat whatever bootloader I was using with its own upon install.

Eventually it all worked, with GRUB in the MBR loading whichever of my four OSes I wanted. On a side note, whenever I changed the size of the Vista partition (GParted handles NTFS resizing fine) Vista would fail to load until I booted the Vista DVD and ran the very simple repair/rescue procedure. Did this each time, and then it was fine.

(I’m aware that alternative bootloaders such as XOSL can supposedly work some magic when it comes to maximum / types of partitions and the O/S’s loaded from them, but I have yet to try it. )

So having reached this stage things were mostly groovy: four OSes on one machine, but with no encryption whatsoever. At this point I would have been happy to have it on the primary OS only (Vista), as the others were mainly for testing and unlikely to hold any sensitive data, but even that seemed out of reach due to the TCGINA/Vista brokenness.

So what to do?
Answer: Truecrypt 5 rocks and is not broken on Vista

Midway through pondering how I was going to find a solution, a rescue came along: TrueCrypt 5 was released with a major new feature, the ability to encrypt entire system and boot partitions with pre-boot authentication.

This was pretty much holy grail stuff to me at that point.

I wasted no time in firing up the new TrueCrypt on Vista to see if the promises were true. Summary: some of them are. It’s good, but not perfect. It didn’t work “out of the box” (but then BitLocker didn’t work at all). There were hiccups because I had GRUB as my primary bootloader (TC5 insists on finding the Windows bootloader in the MBR, since its own loader replaces the MBR and then chains to the Windows boot sector), and I was unable to encrypt the entire disk, as I initially thought I’d be able to, because my partition setup included logical partitions (this scenario throws an error when you try to process a whole disk containing logical partitions).

So to get it working? First I had to get GRUB out of the MBR and set it up on another partition so I could still access my Linux installs. This was pretty simple: I booted into Ubuntu (which is where my GRUB config lives) and installed GRUB to the boot sector of the second partition (which happens to be where XP is installed) via a few GRUB shell commands I googled at the time and can no longer remember, then booted the Vista DVD and let it restore the Windows bootloader to the MBR.

It is probably worth noting that I also had the Backtrack distro* installed on one of the logical partitions (along with a swap partition and an independently encrypted truecrypt partition), and GRUB could load Backtrack fine throughout this process, as its location didn’t change. (sda6).

After that it was as simple as running the TrueCrypt system/boot encryption wizard from Vista again, letting it create a Rescue Disk (which holds a backup of the volume header and boot loader, in case of corruption or a changed and forgotten password) and waiting a couple of hours while it encrypted my Vista system partition in place, live. Worth noting: because the Rescue Disk carries a copy of the header as it was at creation time, the old disk plus the old password will still open the volume after a password change, so store it as carefully as the password itself.

Voilà, it works. My Vista partition is now encrypted, and my other OSes boot fine, albeit unencrypted. The next step is to reorganize everything so I can get rid of the logical partitions and hence do a proper whole-disk encryption covering both my Windows and Linux installs (with the caveat that TrueCrypt’s pre-boot loader only boots Windows, so the Linux side would need its own arrangement). I’m sure there’s a post in that.

* BackTrack is a Slackware-based live CD distro loaded with a plethora of security tools. Since my primary laptop is usually of the subnotebook/ultraportable breed and hence doesn’t usually include a CD/DVD drive, I’ve previously installed BackTrack to a USB key and booted off that, but it’s easier to have it integrated as a boot option, especially with nice large hard drives making the 3 GB or so loss of usable space hardly noticeable.
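Two of the constraints above live in the first sector of the disk: the four-entry MBR partition table (which is why there was no free primary slot for BitLocker, and why the logicals had to go in an extended container that TC5 then refused to handle), and the 446 bytes of boot code that GRUB, the Windows bootloader and the TrueCrypt loader each overwrite in turn. The script below is an added example, not code from this post or from the TrueCrypt project. It parses a 512-byte MBR, names the loader in it and reports the slot and extended-partition situation. The disk layout is constructed to resemble the one described here, and the loader string markers are an assumption (a heuristic, not an authoritative fingerprint).

```python
"""Inspect a 512-byte MBR: which boot loader sits in it, how many of the
four primary slots are used, and whether an extended (logical) container
is present.  Added example; the disk layout below is constructed."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55
PART_TABLE_OFFSET = 0x1BE            # 4 x 16-byte entries, then 0x55AA
ENTRY_FMT = "<BBBBBBBBII"            # status, CHS start(3), type, CHS end(3), LBA start, sectors
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS extended, Win95 LBA extended, Linux extended

# Heuristic markers for the loaders the post juggles.  Assumption: these
# strings appear in the respective loader's MBR code; a real audit tool
# would also hash the boot code against known-good copies.
LOADER_MARKERS = [
    (b"TrueCrypt Boot Loader", "TrueCrypt pre-boot loader"),
    (b"GRUB", "GRUB legacy stage1"),
    (b"Invalid partition table", "Windows MBR (NT/XP/Vista)"),
]


def parse_partition_table(mbr):
    """Return the non-empty primary entries as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 0x1FE)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        fields = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * slot)
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:               # empty slot
            continue
        entries.append({
            "slot": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba_start,
            "size_mib": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def identify_loader(mbr):
    """Name the boot code in the first 446 bytes, or 'unknown'."""
    code = mbr[:PART_TABLE_OFFSET]
    for marker, name in LOADER_MARKERS:
        if marker in code:
            return name
    return "unknown"


def assess(mbr):
    """Summarise the constraints the post ran into."""
    entries = parse_partition_table(mbr)
    return {
        "loader": identify_loader(mbr),
        "primary_slots_used": len(entries),
        "free_primary_slot": len(entries) < 4,                # BitLocker needs one
        "has_extended": any(e["extended"] for e in entries),  # TC5 whole-drive blocker
        "active_slots": [e["slot"] for e in entries if e["active"]],
    }


def build_mbr(boot_code, layout):
    """Construct an MBR from a code stub and up to four (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > PART_TABLE_OFFSET or len(layout) > 4:
        raise ValueError("boot code too long or more than four primary entries")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for slot, (status, ptype, lba_start, sectors) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * slot,
                         status, 0, 0, 0, ptype, 0, 0, 0, lba_start, sectors)
    struct.pack_into("<H", mbr, 0x1FE, BOOT_SIGNATURE)
    return bytes(mbr)


# Constructed layout mirroring the post: Vista (active NTFS), XP (NTFS),
# Ubuntu (Linux), and an extended container holding BackTrack, swap and
# the TrueCrypt data partition as logicals.  Sizes are illustrative.
SAMPLE_LAYOUT = [
    (0x80, 0x07, 2048,        125_829_120),   # ~60 GiB
    (0x00, 0x07, 125_831_168,  41_943_040),   # ~20 GiB
    (0x00, 0x83, 167_774_208,  41_943_040),   # ~20 GiB
    (0x00, 0x0F, 209_717_248, 104_857_600),   # ~50 GiB extended
]
# Constructed code stubs carrying the marker strings (not real loader code).
GRUB_STUB = b"\xeb\x48\x90" + b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error"
WINDOWS_STUB = b"\x33\xc0\x8e\xd0" + b"Invalid partition table"

if __name__ == "__main__":
    for name, stub in (("before (GRUB in MBR)", GRUB_STUB), ("after fixmbr", WINDOWS_STUB)):
        print(name, assess(build_mbr(stub, SAMPLE_LAYOUT)))
```

On a real machine you would feed it the first 512 bytes of the disk (e.g. read from `/dev/sda` with root privileges) rather than the constructed sample; the "free_primary_slot" and "has_extended" fields are exactly the two questions BitLocker and TC5 answered "no" to on this laptop.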

UPDATE: I have since received a few queries about this article via email and clarified it a bit, so I’ll post the emails and responses below.

John: Hello,
I read your article Quad boot with Linux, XP and Encrypted Vista on the Lenovo X61 Tablet, but there are not many details. My problem is that I have 2 primary partitions: 1. is WinXP, second is Linux. I have the GRUB loader. So my problem is, after I encrypt my Windows primary partition + use the pre-boot lock stuff from TC, how will my GRUB loader work? Because if I understand well, TC boot lock will delete the MBR and put its own code over there.
Thanks for your reply.

Hi John

I have not encrypted WinXP with TrueCrypt yet, only Vista; however, I suppose it is more or less the same.

To answer your question: When you encrypt your windows partition it will install the TC bootloader on the MBR, and yes it will overwrite GRUB.

What you need to do is install GRUB on your linux partition before running truecrypt in windows. You will need to boot into linux and run some “grub” commands (suggest you google them) to install it to another partition/drive. (It is ok to have the grub bootloader installed on two drives at once). Once you have encrypted your windows system partition, the Truecrypt bootloader will detect any other bootable drives on the system and give you the option of booting from them instead of your encrypted windows when you start up. (They will not be encrypted or otherwise protected by truecrypt, but they will be bootable)

John: OK, till that part it’s clear, you mean just install GRUB not into the MBR but on the Linux partition where the Linux is. Don’t understand what you mean by GRUB will be installed on two drives at once, you mean MBR + Linux partition?

Yes, you install the grub bootloader onto your linux partition. After that grub will be *temporarily* installed two places at once, but only until you run fixboot+fixmbr, after that the Windows bootloader will be restored to the primary drive/partition.

If I recall correctly, truecrypt will not do full system encryption while you have GRUB on the primary MBR, so once you have installed GRUB on your linux partition/drive, you need to replace it on the primary with the default WinXP bootloader (easiest way is to go in with the WinXP boot cd, go to the recovery console and use the “fixboot” and “fixmbr” commands). Once you have done this, boot back into windows (should go straight on with no sign of grub) and TC should encrypt your windows system partition fine.

John: Here is the place where I completely got lost. What do you mean by primary MBR? OK, anyway, why do I have to put GRUB to primary? Didn’t you say that it’s enough to install GRUB on the Linux partition, and simply overwrite the MBR by TrueCrypt? Why do I have to do fixmbr and stuff…

fixmbr and fixboot are the microsoft command line tools for restoring the default windows bootloader. You need to do this because truecrypt will not encrypt a windows partition which has grub installed as its primary bootloader. Truecrypt then replaces the windows bootloader with its own bootloader which will then launch windows (encrypted) and also any other bootable drives/partitions (ie your linux one with GRUB installed) that it finds.

So a basic sequence of things you would do:

  1. Boot into your linux install and install the grub bootloader onto the linux drive/partition
  2. Boot into windows recovery console (winxp cd) and restore the default bootloader (fixboot/fixmbr)
  3. Take cd out and boot up normally – grub should be gone and you will get into windows.
  4. Run truecrypt and encrypt windows partition
  5. Next time you boot up, TC bootloader is there and you can boot straight into windows or grub/linux.

Hope this answers your question!

John: Thanks a lot, –=John=–

Hope this helps anyone else as well  =) – Glen

mobile devices rant sysadmin technical

A hall of mirrors: configuring Windows Mobile Networking and the gremlins therein

The time is upon me for a bit of a rant about Windows Mobile, specifically with regards to its approach to networking profiles. I’ve been spoiling for a write up on the topic for a while: ever since the PocketPC days, networking on PDAs with a Windows O/S has been, at least for this techie, a giant pain in the ass.

It should be noted that most of this gripe is based on experiences with Pocket PC 2003 and its predecessors. WM5 and WM6 are recent additions to the fold for me, and a number of the mentioned issues seem to be, if not solved, at least partially smoothed over.

So far the strongest argument I’ve yet encountered for blowing Windows Mobile away in favor of some flavor of embedded Linux is the WM implementation of networking. A real shame, because aside from that WM more or less seems to get it right: decent information management, desktop / remote email sync (when you can get past the networking hurdles), and with third party tools, enough access to the internals to keep a techie happy. Except the networking interface.

Windows Mobile networking has generally confused me. As a network admin, I’ve dealt with plenty of odd setups, but Windows Mobile truly does take the cake. After a few hours of mind games you’ll likely be begging for a simple ‘do what you’re told’ setup as opposed to the ‘second guess you because we know better’ philosophy that WM6 seems to adopt.

I have messed around with these devices for longer than I should admit. Many a time I’ve had everything working – for a while. Then it stops, develops amnesia, stumbles about disoriented. Losing wireless has the device utterly, and inexplicably confused, and too often for happenstance a hard reset will get things going again – with the exact same config.

Indeed, there seems to be a new definition of logic when it comes to how networking should function, and often a setting will seem to have no effect, or the result will be inconsistent. It will work for a while then stop. One application will work fine, but another will not. Changing a seemingly unrelated networking parameter has ramifications: things start working in an unexpected fashion or not at all.

The approach seems to be akin to a puzzle game with a random element as opposed to a tool designed to achieve an outcome. Sometimes it will work, sometimes will not. The same inputs to the black box will not always render the same output.

Now I’ve had a bit of a dubiously qualified rave, making vague accusations and pointing my finger about the place at indistinct phantoms, here are some actual specifics I have encountered.

Most, if not all of the headaches come from the implementation of multiple networking profiles – “My Work”, and “The Internet”. Now this multiple config setup could have been cool, if they hadn’t crippled them both in subtle and painful ways. Setting them up in seemingly logical configs does not work (ie you expect to connect to a network, access that network through a proxy if specified, access it directly if not).

After many, many hours of trial and error I found some answers on the net which pretty much confirmed there wasn’t much to be done except half baked workarounds. I’ll outline the situation briefly; it’s been a while since I struggled with them properly, but here’s the gist:

  • Options for the different networking areas are buried, entwined, and otherwise concealed within layers of subterfuge – idiosyncratic ways to get to oddly named tabs and mislabeled options, labels and check boxes. I can only assume this is to prevent joe businessman getting into the settings to mess them up, but they do equally well at confusing IT techs who expect some kind of consistency with other configuration standards. I’ve been hoping since the pocket PC days that they would throw all this out and start again, but sadly WM6 seems to have retained most of it.
  • “My Work” traffic is defined by the device as any server accessed by a hostname without a period-delimited DNS suffix. Whaa… So ‘ourmailserver’ would be accessed through whatever the ‘My Work’ profile uses, but ‘ourmailserver.internaldomain’ won’t be. You don’t get an option to change this. Also, it isn’t specified or documented anywhere obvious on the device.
  • To get to the internet via a connection associated with the ‘My Work’ profile, you must have a proxy server entered. You do not get a choice. No proxy, no internet, regardless of whether you happen to have direct access or not.
  • You can specify a list of addresses NOT to use the proxy/internet profile for. (Exceptions). This seemed to be a workaround to get access to the net via VPN from the wireless network on campus (see below).
  • ActiveSyncing the device with a PC seems to arbitrarily replace the proxy settings on the device with the proxy settings of IE from the PC being synced. It took me a while to figure out this is why my old boss’s settings would work for a while on his GPRS plan (which uses a proxy server on the ISP’s network), then die (after he docked his PDA and the settings were replaced).
  • VPN-ing only seemed to be allowed through an ‘internet’ connection. (this might have changed in WM6 – except… well see the next point). In WM5 The device assumes you will never be connecting to a VPN from the ‘My Work’ network. Wrong in our case, as we connect to a VPN internally when using wireless – 99% of how the PDA works. To get this working, the wildcard exceptions workaround needed to be used.
  • VPN in WM6 – what VPN? It doesn’t work. Sets up fine, then never offers to connect, and attempts to connect manually fail silently. Less than ideal. Fortunately re-jigging the new devices to use our internal proxy seems to work for most functionality.
  • Pocket IE is hardwired to obey the O/S proxy settings. Often I was unable to access web pages because of some internal device proxy confusion based in the proxy settings (third party tools would show clean pings and connections possible to the proxy server and / or the destination server). It is notable that I could often get pocket mozilla (minimo) and pocket opera to load pages when pocket IE would not.
  • Pocket MSN seems very sensitive to proxy settings. I have only ever had it working when the device has a direct connection to the net, either via ActiveSyncing to a PC which has a direct connection, or using GPRS.

Complaining like this smacks of hearsay, because it’s hard to be specific about just where and in what manner things are broken. The place is like a hall of mirrors, and the diatribe sounds like someone ranting on without qualification. It sounds like the ravings of a lunatic, of a n00b, of a crazy man.

In truth, a lot of the complaints I have had seem vacuous unless you’ve experienced them yourself. I know these problems exist because I’ve sat for hours struggling with the damn things, and I’ve managed to set up plenty of networking devices before, and they work, so I have to lay it back on the device in question rather than any outstanding incompetence on my part.

I think the problem is this: if you add to the various configuration craziness mentioned before the fact that wireless can be flaky, you have a test environment with shifting terrain which makes it difficult to baseline and describe properly, let alone start mapping out solutions. Regardless, Windows Mobile devices are set to become part of the widespread IT landscape at my workplace very soon, and it will be at least partly up to yours truly to ensure it happens as smoothly as possible, so a-testing I must go.

UPDATE: I have posted a few solutions to some of these issues in the post Windows Mobile 5/6 Networking Profiles, Proxy and VPN setup.