DavidXanatos / DiskCryptor

A fork of the DiskCryptor full disk encryption tool
https://www.diskcryptor.org/

Integration of DiskCryptor bootloader into grub2 #27

Closed jejo86 closed 3 years ago

jejo86 commented 3 years ago

I am considering using DiskCryptor instead of VeraCrypt or BitLocker to encrypt my Windows OS, as you mention:

MBR bootloader Full compatibility with third party boot loaders (LILO, GRUB, etc.).

I want to have a Linux encrypted on another partition on the same disk, next to the encrypted Windows, with grub2 being the main bootloader.

Can you please tell me how I would integrate the DiskCryptor bootloader into grub2, i.e. for it to be one of my entries in /etc/grub.d/40_custom/, e.g.

menuentry "Windows 7 (DiskCryptor Bootloader)" --class windows {
    savedefault
    ...
    chainloader (hd0,7)/disk-cryptor-bootloader.img
}

If you could point me to any existing documentation on this topic, that would of course be fine as well.

jejo86 commented 3 years ago

Introduction

For any other people interested in this topic, here is what I did to get a Windows/Linux dual boot, with a shared data partition, with all partitions except /boot being encrypted.

I am explaining a procedure that wipes all data. Make sure to back up anything of importance before following these steps! This was done on an old PC, which does not have EFI but the old BIOS, but I guess this should work in CSM mode on a recent PC as well.

I first booted into a live Linux, to partition my drive into four partitions. I did not format them at the time, because this is done during the installation of the operating systems, but in the end they look like this:

Windows Installation and Encryption

I installed Windows 10 on the 130GB large partition (/dev/sda1). As the drive was already partitioned, the Windows installer did not create the typical 100MB system partition with the bootloader but instead appears to have put all files on that one partition.

After installation I encrypted the Windows 10 partition using DiskCryptor, made sure to write the bootloader into the MBR and created a .ISO file. Both bootloaders were configured to boot from the first partition for which the password matches. I then made sure I could boot from the created .ISO file by putting it on a USB flash drive with easy2boot installed. Once I was sure that this was working, I went on to installing Linux Mint 20.1, which would overwrite the DiskCryptor bootloader in the MBR with grub2, so the only way to get back into Windows 10 was via the USB flash drive (or of course burning the ISO to a CD, if I still had a drive).

Linux Mint 20.1 Installation and Encryption

I booted into the live OS of Linux Mint 20.1, again via my easy2boot flash drive. Without running the installer, I created the LUKS encrypted partition on /dev/sda4:

sudo cryptsetup luksFormat /dev/sda4
sudo cryptsetup luksOpen /dev/sda4 luks-crypt

Next I used LVM to create a physical volume, a volume group and a logical volume.

sudo pvcreate /dev/mapper/luks-crypt
sudo vgcreate mint /dev/mapper/luks-crypt
sudo lvcreate -n root-lv -l 100%FREE mint

I ran the Linux Mint 20.1 installer and installed the OS on the freshly encrypted partition, in the logical volume called root-lv, formatting it with ext4. During the install procedure /dev/sda3 was selected as /boot partition and formatted with ext4. It is important NOT to reboot when done with the installation!

The logical volume with the fresh Linux install needs to be mounted, plus the live instance's special devices.

sudo mount /dev/mapper/mint-root-lv /mnt
sudo mount /dev/sda3 /mnt/boot

sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount -t proc proc /proc
sudo chroot /mnt mount -t sysfs sysfs /sys
sudo chroot /mnt mount -t devpts devpts /dev/pts

When done, the /etc/crypttab file on the fresh OS install (i.e. located in /mnt/etc/crypttab) needs to be edited.

sudo xed /mnt/etc/crypttab
~~~~~~~~~~~~~~~~~~~~~~ /mnt/etc/crypttab ~~~~~~~~~~~~~~~~~~~~~~
luks-crypt /dev/sda4 none luks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now the new install's initramfs needs to be updated and the PC is ready for the first reboot. Be aware that grub2 is installed as bootloader and one can only boot into Windows with the previously created .ISO file.

sudo chroot /mnt update-initramfs -u
reboot

VeraCrypt encrypted Data Partition

I am not going into details, but in order to access the data partition /dev/sda5 from both Linux and Windows, I used VeraCrypt. There are many manuals explaining how to do this and how to mount the VeraCrypt partition automatically during start up in both Windows and Linux.

I decided to use no password, but a key file to unlock the drive. That way you can easily mount the drive during boot of any OS. In Linux Mint you can do something like this:

sudo xed /etc/crypttab
~~~~~~~~~~~~~~~~~~~~~~~~ /etc/crypttab ~~~~~~~~~~~~~~~~~~~~~~~~
# Use a file containing the password
data-vc /dev/sda5   /home/<username>/.credentials/veracrypt_data.pw tcrypt-veracrypt

# Use a keyfile and no password
data-vc /dev/sda5 /dev/null tcrypt-veracrypt,tcrypt-keyfile=/home/<username>/.credentials/veracrypt-data-keyfile.key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Windows I used the task scheduler to mount the drive by an administrator account on start of the PC, so BEFORE login of a user. I need this, since I moved all my personal folders (Documents, Videos, Pictures, etc.) to the encrypted drive and it must be mounted before I login.

The configuration you can import into the task scheduler and the script it calls to mount the VeraCrypt volume are attached here: MountVeraCryptPartitionOnWindowsBoot.zip

You need to at least replace the %COMPUTERNAME% and %USERNAME% placeholders, which I put into the .XML file in place of the "real" values of my PC.

For this to work well, you also need to enable the classic logon style using the group policy editor (I do not know the exact names in English, so I translated the German terms):

GPEDIT.MSC > Computer Configuration > Administrative Templates > System > Logon: Always use classic logon: Enabled

If you do not activate this, Windows 10 automatically logs in the user already, even though you have not yet entered your password. Pretty sneaky... This is probably done to save some time once the user actually wants to log in, but causes Windows to complain about the missing or unreachable personal folders. Since I have an ancient PC, I wait around 10s before logging into my account, to give the scheduled task enough time to mount the VeraCrypt volume.

Integration of DiskCryptor bootloader into grub2

Now the part answering my own question: how to integrate the previously created .ISO into grub2, so as to have a fully encrypted (except /boot) dual boot system.

First syslinux needs to be installed, then the memdisk file and the ISO (let's call it DiskCryptorBootloader.iso) need to be copied to /boot.

sudo apt install syslinux

sudo cp /usr/lib/syslinux/memdisk /boot/
sudo mkdir -p /boot/iso
sudo cp DiskCryptorBootloader.iso /boot/iso

A custom menu entry for the .ISO file needs to be created.

sudo xed /etc/grub.d/40_custom
~~~~~~~~~~~~~~~~~~~~~~ /etc/grub.d/40_custom ~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
menuentry "Windows 10 (DiskCryptor)" --class windows {
    savedefault
    insmod part_msdos
    insmod ext2
    # set root=(hd0,5) # Optionally set a different partition.
    linux16 /memdisk iso
    initrd16 /iso/DiskCryptorBootloader.iso
}

# Find a disk partition by its UUID.
#menuentry "Windows 10 (DiskCryptor)" --class windows {
#    savedefault
#    insmod part_msdos
#    insmod ext2
#    insmod search_fs_uuid
#    search --fs-uuid --no-floppy --set=root 4e3262d0-e6f0-4d3b-849f-e09db01295fb
#    linux16 ($root)/memdisk iso raw
#    initrd16 ($root)/iso/DiskCryptorBootloader.iso
#}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now grub needs to be updated.

sudo update-grub

During the next boot you can boot into the DiskCryptor encrypted Windows 10 directly via the grub2 entry, without the need of attaching or inserting an external media containing the previously created DiskCryptorBootloader.iso.

Final Words

And that's it. Booting from the new custom menu entry pointing to the DiskCryptorBootloader.iso looks a bit ugly, as the memdisk application outputs a lot of text before the DiskCryptor bootloader asks for your password at the very bottom of the screen, but it works.

I hope this answer gives a complete overview and is of use to some other people wanting a similar setup.
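As an added example (not part of the original post, the DiskCryptor project, or the poster's attachment), the following POSIX shell functions generalize the grub2 integration step above: they generate the memdisk menu entry in the UUID-based form, so the entry keeps working if disk enumeration changes, check that memdisk and the ISO are actually present under /boot before update-grub is run, and append the entry to a 40_custom-style file idempotently. The UUID, ISO name and paths are inputs chosen by the caller; `boot_uuid` assumes /boot is a mounted filesystem on the running system.

```shell
#!/bin/sh
# Added example, not code from the original post or from DiskCryptor.
# Builds a grub2 menu entry that boots a DiskCryptor bootloader ISO through
# syslinux memdisk, locating the /boot filesystem by UUID rather than by a
# fixed (hd0,N) name. Paths, titles and the UUID are caller-supplied inputs.

# Print the menuentry text.
# $1 = UUID of the filesystem holding memdisk and the ISO (usually /boot)
# $2 = ISO path relative to that filesystem, e.g. /iso/DiskCryptorBootloader.iso
# $3 = menu title (optional)
gen_dc_entry() {
    uuid=$1
    iso=$2
    title=${3:-"Windows 10 (DiskCryptor)"}
    [ -n "$uuid" ] && [ -n "$iso" ] || { echo "usage: gen_dc_entry UUID ISO [TITLE]" >&2; return 1; }
    cat <<EOF
menuentry "$title" --class windows {
    savedefault
    insmod part_msdos
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=root $uuid
    linux16 (\$root)/memdisk iso raw
    initrd16 (\$root)$iso
}
EOF
}

# Verify that memdisk and the ISO exist below a boot directory.
# $1 = boot directory (normally /boot), $2 = ISO path relative to it.
# Returns 0 when both files are present, 1 otherwise (each missing file is reported).
check_dc_files() {
    bootdir=$1
    iso=$2
    rc=0
    [ -f "$bootdir/memdisk" ] || { echo "missing $bootdir/memdisk (apt install syslinux, then copy it)" >&2; rc=1; }
    [ -f "$bootdir$iso" ]     || { echo "missing $bootdir$iso" >&2; rc=1; }
    return $rc
}

# Append the entry to a 40_custom-style file unless an entry with the same
# title is already there, so the script can be re-run safely.
# $1 = target file, remaining arguments as for gen_dc_entry.
install_dc_entry() {
    target=$1
    shift
    title=${3:-"Windows 10 (DiskCryptor)"}
    if grep -qF "menuentry \"$title\"" "$target" 2>/dev/null; then
        echo "entry \"$title\" already present in $target" >&2
        return 0
    fi
    gen_dc_entry "$@" >> "$target"
}

# UUID of the filesystem mounted at /boot on the running system (needs util-linux).
boot_uuid() {
    findmnt -no UUID /boot
}

# Stand-alone use: sh this_script.sh /iso/DiskCryptorBootloader.iso
# writes the entry for the current /boot to /etc/grub.d/40_custom (run as root),
# then update-grub picks it up.
if [ -n "${1:-}" ]; then
    check_dc_files /boot "$1" || exit 1
    install_dc_entry /etc/grub.d/40_custom "$(boot_uuid)" "$1" || exit 1
    echo "entry written; now run: update-grub" >&2
fi
```

The check is worth running before update-grub because a menu entry whose memdisk or ISO is missing fails only at boot time, when the machine has no other way into the encrypted Windows partition than the external media described above.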