Windows Vista To Make Dual-Boot A Challenge?

mustafap writes "UK tech site The Register is reporting on security guru Bruce Schneier's observation that the disk encryption system to be shipped with Vista, BitLocker, will make dual booting other OSs difficult - you will no longer be able to share data between the two." From the article: "This encryption technology also has the effect of frustrating the exchange of data needed in a dual boot system. 'You could look at BitLocker as anti-Linux because it frustrates dual boot,' Schneier told El Reg. Schneier said Vista will bring forward security improvements, but cautioned that technical advances are less important than improvements in how technology is presented to users."

Wait...

[Scutter]

Which is it, data sharing between two OSs or dual booting? Because I can dual boot just fine with current products and still not be able to share data. Not until NTFS for linux makes some more progress, anyway.

Non issue.

[klingens]

If Schneier, TheRegister and all those other attention w... had looked here before opening their mouths:
http://www.microsoft.com/technet/windowsvista/secu rity/bittech.mspx [microsoft.com]

4.1 Installation

As part of Windows Vista, BitLocker is installed automatically during OS install with Enterprise and Ultimate editions5. (Note that it is not automatically turned on.)

Re:Whatever...try fat32 partition

[SlashdotOgre]

Does it really matter? If you're going to format a drive as FAT32, it's already in your best interest to use Linux's version of fdisk rather than Windows XP's. Window's current fdisk limits FAT32 partitions to 32GB; this is entirely a software limitation, FAT32 allows for volumes up to 2TB. So unless Vista does something that prevents mounting a non-Windows formatted FAT32 drive, we should be fine.

Has everyone gone mad?

[Psychotext]

I appreciate that it's popular to bash MS (I'm just as guilty) but isn't this getting to be a step too far? They're introducing file system functionality for added security and being ripped apart for it by the same people that scream at them for their lack of security focus? I've had a bit of a read into it, and at least on the surface it seems like a good idea.

Bitlocker isn't going to be compulsory, and as such it isn't going to affect dual booting in any way shape or form. It's certainly not the sort of thing your average home user would be setting up anyway (IMHO). Seems like Mr Schneier is a good old fashioned troll.

Some more info on Bitlocker here : http://www.microsoft.com/technet/windowsvista/libr ary/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx [microsoft.com]

Re:Experience with Bitlocker

[TheRealSlimShady]

I think you're confused. Bitlocker isn't a replacement for the file system, it's a hard disk encryption tool. The file system remains intact, so your claim that users couldn't find stuff anymore seems a little odd to say the least.

Also, Bitlocker is only available on Vista, so are you saying you're running your production users on the Vista beta?

The final straw came when one employee lost several hours work when Bitlcoker suddenly had an error reading from our intranet file server and corrupted his project.

Bitlocker doesn't affect files read from network locations, it's merely a hard disk encryption technology. I think you're confused about what Bitlocker is.

We're getting good at FUD too!

[dhj]

Ok... I've been a linux fan for 10 years or so now. Haven't run anything but linux in about 7 years. But c'mon guys this is FUD.

First of all, vista won't have this activated by default. Here's how you can turn it on in Vista Beta:

http://www.microsoft.com/technet/windowsvista/libr ary/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx [microsoft.com]

And yes it will make any data encrypted in this manner unavailable to another operating system. It does this by using TPM (Trusted Platform Module) in the BIOS and can base the key on the kernel and optionally: just the bios, a user supplied key, or a USB drive supplied key.

This allows for the option of encrypting/decrypting data from the very start of the boot process. And guess what? It's being implemented in linux too!

http://lwn.net/Articles/144681/ [lwn.net]

BitLocker from windows is just a kernel based drive encryption software that takes advantage of TPMs just like the linux system. If you're concerned about cross platform compatibility then use user space encryption rather than kernel space encryptiong. If you're that concerned about secure keys then don't dual boot! If you love dual booting and don't care about encryption at all, noone is going to beat you up and make you use encryptiong.

You may remove the tinfoil hat.

--David

Re:Whatever...try fat32 partition

[mrchaotica]

What happens is that none of those USB flash drives that have become so popular will work anymore -- not to mention iPods, which (I think) can't play music if they're formatted with something other than FAT32 or HFS+.

What you mean it could still be possible

[SmallFurryCreature]

to mount a non-encrypted disk in Vista in an older format that Linux can read and write too?

Shocking.

Will it be possible to mount non-encrypted disks in Vista? Well, unless MS is finally prepared to kick backwards compatibilty then yes.

Even if unencrypted HD's ain't supported (unlikely) they would still need to support regular filesystems like FAT for all those flash disks from your camera and USB keys and such.

I am as anti-ms as you can get (if I am ever diagnosed with an incurable disease Gates gets a bullet in the head the next day thanks to my Halo training. Eh non-MS FPS training) but this is just to much. Linux disk encryption makes it just as hard for linux to dualboot windows. In fact every linux distro should just use FAT to make sure windows can be dualbooted and read the linux data.

Geez.

Bitlocker does NOT prevent dual booting

[jsm300]

This article appears to be completely uninformed. Bitlocker works on a volume basis, not on an entire harddrive (unless the harddrive only has one volume). In fact, in order to get Bitlocker to work for Vista you MUST have two volumes, one being the OS volume that is encrypted with Bitlocker, and the other is the system volume which cannot be encrypted with bitlocker. Nothing prevents you from having multiple volumes and only enabling Bitlocker for some of the Windows Vista volumes. You can have other volumes/partitions with Linux or any other OS you want. The only issue is that you will not be able to read the Bitlocker protected partitions from Linux. Isn't that kind of obvious? You can still have a unencrypted FAT32 partition for sharing data between Linux and Windows, or an unencrypted NTFS partition for one way sharing between Windows and Linux (write support for NTFS on Linux is still not reliable). As far as recovery, you will not be able to do that with Linux, you will have to do that with Windows. I guess I'm not seeing a real issue here.

Re:Whatever...try fat32 partition

[Penguinoflight]

Windows 2000 hoses the partition table and so does Windows XP. It would be pathetic to complain that vista beta is only doing this because its not complete yet. Honestly there's no reason to release a beta unless you get the partition table handling right.

Re:Whatever...try fat32 partition

[ergo98]

Any body that is dual booting will also know that making a partition formatted fat32 will allow copying of files between os's.

Bitlocker is a whole-volume, hardware based encryption system (as opposed to file-specific techologies, such as Encrypted File System, which have overhead that requires a specific filesystem like NTFS. There is no filesystem specific overhead because it's transparent to the filesystem, and to the applications for that matter) -- there is no reason I am aware of for it to be tied to any specific filesystem, and it should encrypt FAT32 just as capably as NTFS.

Not only is this functionality optional, and requiring special hardware support, but it is a bonafide feature. The data of the world would be much safer if every laptop swiped, hard drive sold on ebay, and incident of unwanted physical access of machines couldn't give absolute access to every file on the machine.

I just don't get it, Part III

[Gorshkov]

I'm sorry, but this seems to be a bit of a non-story

Mickeysoft can't stop anybody from boting anything. THe boot process is handled by the bios and the boot sectors on the disk, which can't be encrypted unless the bios cooperates.

If the bios cooperates, it still has to be able to read said boot sectors, and if it can read windows boot info, it can read linux boot info, or anything ELSE you want to put in there.

So "difficult to dual-boot" is as far as I can tell, CRAP.

As for sharing data between the two systems ... I give it less than a month after release untill somebody has been able to figure out how to pull the data from there.

Re:Whatever...try fat32 partition

[kv9]

Under either version, I can mount my Windows drive, but no matter what arguments I give mount, it's still read only. So far, I haven't been able to find the magic incantation to allow write access to my FAT32 partition from Linux.

i don't know if this is a troll or an actual problem, but how about you try -t vfat -o rw [die.net]?

Re:Whatever...try fat32 partition

[Petrushka]

If you know of a Windows ext3 or Raiser driver, then please tell me. Basically, nothing has changed.

Well, instead of moaning about the non-existence of something that you've clearly not checked for, you could always try this site [fuckinggoogleit.com], followed by this one [swin.edu.au], this one [p-nand-q.com], this one [wolfsheep.com], this one [akucom.de], this one [sourceforge.net], and this one [crossmeta.com], plus many others.

Re:Whatever...try thinking right

[ScytheBlade1]

Okay, first off, the article headline is HORRIBLY misleading. BitLocker will NOT ENCRYPT THE ENTIRE DRIVE. It is required that you have a ~100MB partition in order to boot off of, which will then in turn load the needed software into RAM and *then and only then* decrypt the encrypted partition.

Read: This has nothing at all to do with dual booting. Your ability to dual boot will remain completly unchanged, period. This, however, is about your ability to share data between OSs, not your ability to boot two. Learn to write a article headline, please.

FAT32 is dead. Period, get over it, dead. No, I take that back, it still has one use: flash drives, and other forms of removable media. Other than that, IT IS DEAD. Why? Simple: security. From Windows 2000 and on, Microsoft actually put some degree of effort into security. "Some degree?" you ask? End result, due to NTFS, you can actually secure your system. Compared to FAT32 anyways, where a *guest* user can drop a virus as c:\explorer.exe, and then the next time Johnny Admin logs in, it's over. NTFS added actual security measures. ACLs. Execute bit. And, well, quite a bit more. Due to this, I can say the following without doubt that I'm right:

1) BitLocker will ONLY work with NTFS.
2) Vista will do everything they can short of threatening to eat your children to get you to install on NTFS. (Side note: http://www.theinquirer.net/?article=30128 [theinquirer.net] vs. http://www.microsoft.com/technet/windowsvista/libr ary/plan/5025760b-0433-4ba1-a2f4-9338915fdb4b.mspx [microsoft.com] - Beta1 won't install on FAT32, but according to offical MS docs, it will (eventually, most likely))
3) If you're still using FAT32 as your primary OS partition, you're an idiot.
4) Due to #4, if your defense is, "my [windows] OS can't run on NTFS!", my response is still the same. Go upgrade, you're not helping anyone.

FAT32 is nice for removable media. That's about it.

(</troll>)

Re:Not only dual booting

[Foolhardy]

To be clear: a user's private keys are only lost when the user's password is forcibly changed by an admin. The normal procedure of having the user change their own password simply transfers the keys.

Ideally you'd be able to export the Encryption key for your data onto a USB stick of floppy disk.

Your wish is granted. Open certmgr.msc or add the Certificates snap-in to a mmc window. Your personal keys are located in the Personal\Certificates folder, including the one for EFS (note that there won't be an EFS cert until you actually encrypt something). In the right-click->All Tasks menu there is an Export option. Make sure that you select the option to export the private key and you will get a .pfx file that will contain the unencrypted (unless you specify a seperate passphrase for the pfx file) public and private keys that can be saved for later or transferred to other users or computers. To import a cert, right click in the empty space under the existing certs and select import.

Another way to avoid encrypted file loss is to designate a recovery agent.

See also How to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP [microsoft.com]
To add a recovery agent for the local computer [microsoft.com]

Re:Story Title FUD...

[woobieman29]

Some clarification:

2. There is not a problem here. Bitkeeper (EFS with a name created by the marketing department) will not be enabled by default unless your company enables the policy. If your company does enable the policy, you should also create a Data Recovery Agent. This can also be done on a standalone workstation.

Bitkeeper is not "EFS with a name created by the Marketing Dept" but rather a very different sort of encryption scheme. EFS uses an encryption key stored within the CAPI store in the OS to encrypt individual files and folders. It is not at all good for full disk encryption, and using it for this purpose can/will cause a multitude of problems. Bitkeeper on the other hand is a full-disk encryption scheme similar to Utimaco, Safeboot or the commercial full disk version of PGP that utilizes an encyption key that is either loaded in a hardware TPM (Trusted Plafrom Module - a hardware key repository on the motherboard) or is alternatively loaded at boot time from a USB key.

3. If you can't access your ENCRYPTED data from another OS or boot CD, the encryption worked. Encrypting data involves risks just as leaving your important data unencrypted involves risks. Pick your poison and move on.

Actually, if you cannot access your encrypted data from another OS it simply means that you short-sightedly chose an encyption method that is not cross-platform compliant. There are plenty of encryption solutions (full-disk and file/folder based) that work cross-platform, just don't look for one to be provided with your Microsoft OS.

Re:What the hell are you smoking?

[toddestan]

Sorry, but since when does dual-boot mean "less secure"?

How many viruses are going to be stopped by preventing dual-booting? How many trojans?

Yeah, that's what I thought.

On the other hand, if you can convince a locked down Windows XP box to boot a Knoppix CD, you now own that box.

I think that is what they mean by "more secure".

Re:Not in Vista 64

[tepples]

Feel free to call it BS, but drivers will need to be debugged and tested before they can be accepted by Microsoft for the WHQL stamp.

Vista 64 already has a working opt-out, done with an F8-key startup option, but it must be repeated at each reboot and cannot be made the default. If you forget to press F8 at exactly the right time when booting back to Windows, no Ext2 for you.

DRM is going to backfire big time.

[twitter]

You could look at BitLocker as anti-Windows because it frustrates dual boot

True.

DRM is going to cost them their majority market share. The more they make things suck, the less people will want to use them. WMP 10 is an indicator of where things are going. Check out this satisfied customer's opinion of it [advogato.org]:

Then Digital Restrictions Management (DRM) started harassing me and asking to connect to the internet to check for licenses where none had been needed before. The worst part of this "upgrade" is how it poisoned the whole system and crippled Media Player Classic too.

How much more can they make things suck? Firewalls you can't configure, entire volumes encrypted and media players that don't play. What do they have to offer?

Who's going to buy this shit?

Things have never looked better for free software.

Re:Whatever...try fat32 partition

[ncc74656]

For what values of fine is putting 32GB of data on a FAT32 file system a good idea?

When you've got 32GB of data you want to share between your Windows install and your Linux install. Say, your MP3 collection?

Put this [fs-driver.org] on your Windows install and make your common data-storage area ext2 or ext3 instead. If you start slinging around large (>2GB) files on a regular basis like I do, you won't have to worry about splitting/combining files.

Re:Whatever...try thinking right

[J0nne]

Nobody in their right mind would run his OS on fat32, but if you're planning on dual-booting, you probably already have made an extra FAT32 partition, in which you dump the stuff you want shared.

You can even mount it in your home directory for easy access. (And on Windows you just use X:\ as your 'my documents' folder).

And I don't get your ranting about the security of NTFS vs. FAT32. With NTFS, anybody can boot Knoppix with captive NTFS (or a Windows-based LiveCD, if those exist) and overwrite explorer.exe with anything he likes. You're screwed if somebody has physical access, no matter what the OS or Filesystem is.

Linux partition support under Windows

[DrYak]

the filesystems used in linux are free and open.

Indeed. And in fact you see a lot of implementations for windows of which a lot are based on the open-source code.

• explore2fs [swin.edu.au] application that reads files from an ext2/ext3 partition, with LVM2 support
• ext2ifs [swin.edu.au] old project by the maker of explorefs2, native reading support of ext2/ext3 in windows NT and up
• ext2fsd [sourceforge.net] native reading support of ext2/ext3
• ext2ifs [fs-driver.org] NON-opensource (maybe violating GPL ?) native read/write support for ext2 (and ext3, but the driver could fuck-up the journaling if partition wasn't unmounted clean in linux). Has a nice GUI to assign drive letters to partitions.
• rfstools [p-nand-q.com] and GUI Yareg [akucom.de] application that reads files from an reiserfs partition.
• rfsd [sourceforge.net] - native reading support for reiserfs

This shows that :

• It is possible to add access to linux partition in windows
• Even write access is possible and currently the non-open source ext2ifs [fs-driver.org] provides a solution that can be read/written by both OS and which is a little better than FAT32
• although Windows has no propper device mapper but only Dynamic Drives, LVM2 data can still be accessed (although not with a native driver).
• None of this numerous attempt is done by Microsoft. This show how much they want to play nice with the others

Meanwhile, the opensource community is trying [linux-ntfs.org] to play nice with Microsoft's OS.

Re:FAT32

[Dave2 Wickham]

You can get pretty safe write support now via ntfsmount [linux-ntfs.org] (FAQ entry [linux-ntfs.org]).