Official site launch very soon, hurrah!
I have been a proponent and user of pre-boot authentication volume (hard drive) encryption for quite a while now, but there is one security hole in it that always bugged me. This is the fact that the boot loader (the code at the beginning [sector 0] of the hard drive that starts the computer [usually loads the operating system]) is unencrypted itself and can be tampered with. Even though the encrypted data is completely safe from reading without a password, the password itself could be hijacked from someone modifying the boot loader and having it record your password when you type it. This hack could also be made hard to detect because the original boot loader could be restored from the hijacked one after the damage is done.
I decided this was a moot point for a long time, until I saw it got slashdotted. This prompted me to finally change my security model slightly so I was no longer vulnerable to this problem. The appropriate method is to always use a known secure TrueCrypt rescue disk, which contains its own boot loader, to boot the hard drive. Unfortunately, CDs are a bit cumbersome to always keep around. The workaround for me was to use a bootable USB Flash Drive instead, as I keep it on my keychain which is always with me. Getting the TrueCrypt boot loader to work from the flash drive was not easy at all due to how bootable flash drives work (they take the hard drive #0 slot in BIOS, which Windows doesn’t like). It took some GRUB4DOS magic to get things going, but it all ended up working out :-).
I removed the TrueCrypt boot loader from my hard drive so I would not be tempted to use it, and would always use the flash drive. This left the boring message of “Error loading operating system” upon booting without the flash drive, which I just couldn’t stand, so I decided to have some fun writing my own “Operating System Not Found” boot loader :-).
Here is the code for the boot loader (in assembly), and here is the compiled boot loader which can be placed in the boot sector of any bootable medium (Hard Drive, USB Flash, CD, etc).
Do not attempt to replace the boot loader on your hard drive without knowing what you are doing, as this is a very dangerous operation that can make your computer unbootable. Always back up your boot loader before making modifications to it so you can easily restore it. Also, when writing a boot loader, do not overwrite bytes 0x1BE-0x1FD of your boot sector as they contain important partition information.
timeout 10title Load Truecrypt - HD Mode RAWmap --memdisk-raw=1map (hd0) (hd1)map (hd1) (hd0)map --hookmap --mem (hd1,0)/boot/Truecrypt.iso (0xFF)map --hookchainloader (0xFF)boottitle Load Truecrypt - HD Modemap (hd0) (hd1)map (hd1) (hd0)map --hookmap --mem (hd1,0)/boot/Truecrypt.iso (0xFF)map --a20-keep-on=1map --hookchainloader (0xFF)boottitle Ultimate Boot CD v4.11find --set-root /boot/ubcd411.isomap /boot/ubcd411.iso (0xff) || map --mem /boot/ubcd411.iso (0xff)map --hookchainloader (0xff)title Ubuntu 9.10find --set-root /boot/ubuntu-9.10-desktop-i386.isomap /boot/ubuntu-9.10-desktop-i386.iso (0xff)map --hookroot (0xff)kernel /casper/vmlinuz boot=casper iso-scan/filename=/boot/ubuntu-9.10-desktop-i386.iso quiet splash locale=am.UTF-8 --initrd /casper/initrd.lzboottitle CentOS 5.5 Installfind --set-root /CentOSInstall.isomap /CentOSInstall.iso (0xff)map --hookroot (0xff)kernel /isolinux/vmlinuzinitrd /isolinux/initrd.imgboot
if loadfont /boot/grub/font.pf2 ; then set gfxmode=auto insmod efi_gop insmod efi_uga insmod gfxterm terminal_output gfxtermfiset menu_color_normal=white/blackset menu_color_highlight=black/light-graymenuentry "Ubuntu 12.10 x64" { set gfxpayload=keep set isofile="/ISOs/ubuntu-12.10-desktop-amd64.iso" loopback loop (hd1,msdos1)$isofile linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile noprompt noeject initrd (loop)/casper/initrd.lz}menuentry "Ubuntu 12.10 x86" { set gfxpayload=keep set isofile="/ISOs/ubuntu-12.10-desktop-i386.iso" loopback loop (hd1,msdos1)$isofile linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile noprompt noeject initrd (loop)/casper/initrd.lz}
map (hd0) (hd1)map (hd1) (hd0)