Replacing Windows 7 - multiple users on one computer

Hello everyone. I had a search, but couldn’t find the answer I was looking for. Can you help?

I’m looking to replace an ageing Windows 7 desktop which our business depends on.

Currently, the Win7 desktop is encrypted with VeraCrypt. When we switch it on, our PC boots, and we choose which user to log in as. The files we collaborate on are in a shared folder. The desktop itself doesn’t have Internet access and we are a team of two who are real life as well as business partners; if one of us was up to no good, our business would be over. Our threat model is someone stealing our computer and breaking in. For those purposes, Windows 7 is still perfectly adequate.

Here’s the thing. On our current Windows machine, we only need to type one password to boot the PC. With Linux, I can’t seem to add users without giving them a password or needing one to unlock the keyring.

Is there a way to replicate the behaviour of our current Windows 7 setup with Zorin? I have read about ecryptfs to encrypt home directories, but from my understanding when you have a directory that belongs to a group they both need to be logged in before anyone can access them.

If you do have a trustworthy backup of your data, then start with a partition manager, and start after defining a root partition of 24GB, a swap partition dependent on your internal memory, and define the rest as both your Home partition, and FORGET Windows!

Hi colonelpanic, and welcome to the forum! Before doing anything else I would advise that you post on the VeraCrypt forum at SourceForge:

https://sourceforge.net/p/veracrypt/discussion/technical/

Having just done a brief look at veracrypt searches,
a. it is cross-platform - can be used on any OS
b. cannot encrypt entire drives/volumes

One suggestion for Linux (and I am not validating this) is to use dm-crypt at point of install:

Why dm-crypt? From Arch Wiki site: [Start of extract]:

Overview

Securing a root filesystem is where dm-crypt excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/ . Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted.

All scenarios illustrated in the following share these advantages, other pros and cons differentiating them are summarized below: [end of transcript]
url: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Your first task should be to back up your Windows 7 machine - post on the VeraCrypt forum on how to do this without loss of data should you need to do a restore. At this point it might be worth checking what make and model of hard drive you have and what controller is installed for the hard drive - there is a way of checking this somehow but I can’t remember it - as any difference in hardware could render restoration useless if you have a copy of a spare drive for disaster recovery.
Other options might be for you to decrypt your data temporarily and backup to an external drive in readiness for deploying for Linux or you just might want to migrate to an external drive that is placed in a secure strong-box when not in use or build a well-ventilated steel box around it with access to connections.
Rather than mess with your existing hard drive, purchase a new one - if you intend using the same PC, install the new hard drive and set up Linux on that drive first but make sure the Windows 7 drive is disconnected. The crucial element will be what software you use and whether there is an equivalent in Linux to begin with. Assuming you won’t need any specialist software you would be good to go. One thing before you do anything else is if your PC’s CoA has been removed or deteriorated over time is to find out the CoA key by using a vbs script to extract the key using Notepad and saving as a .vbs file then run it to find the key and store it in case you want to reinstall as a VM at some later date on your Linux install.

For future reference, run a VB script to find what your CoA code is for your install.
Open up Notepad and enter the following:

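' Read the binary DigitalProductId value and show the decoded product key.
' Note: all quotation marks must be plain straight quotes or the script will not run.
Set WshShell = CreateObject("WScript.Shell")
MsgBox ConvertToKey(WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId"))

' Decode the 15 key bytes starting at offset 52 into 25 base-24 characters.
Function ConvertToKey(Key)
    Const KeyOffset = 52
    i = 28
    Chars = "BCDFGHJKMPQRTVWXY2346789"
    Do
        Cur = 0
        x = 14
        ' Long division of the 15-byte number by 24; the remainder selects a character.
        Do
            Cur = Cur * 256
            Cur = Key(x + KeyOffset) + Cur
            Key(x + KeyOffset) = (Cur \ 24) And 255
            Cur = Cur Mod 24
            x = x - 1
        Loop While x >= 0
        i = i - 1
        KeyOutput = Mid(Chars, Cur + 1, 1) & KeyOutput
        ' Insert a dash after every group of five characters.
        If (((29 - i) Mod 6) = 0) And (i <> -1) Then
            i = i - 1
            KeyOutput = "-" & KeyOutput
        End If
    Loop While i >= 0
    ConvertToKey = KeyOutput
End Function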

Save the file as WindowsKeyCode.vbs NOT .txt

Double click on the saved file to get the results and print it out and keep in a safe place - then should you need to download the official .iso for your version - in System Properties see if you have Windows 7 Home or Pro - as you need to ensure you download the correct iso, also whether 32-bit or 64-bit - it should state that in System Properties.
[From my post here: https://forum.zorin.com/u/swarfendor437]

The rest is down to you - only you can make the right decision for your business model.

If you want to take security to the next level, Linux Magazine had an excellent article many years ago how to make your Linux pc secure by creating a USB key that was needed to boot the machine, make a copy of it and secure the initial key in a safe place. Make copies for the people going to use it - that way the machine would never boot without the USB key.

Thanks for that very thorough answer, @swarfendor437.
Encrypting the complete hard disk is not really the issue - that should be fairly straightforward. The process I’m envisioning is:

1. Switch on the PC.
2. Type in a password to unlock the disk.
3. Select the user to log in as via the greeter, but not be asked for a password.

I could just type:
sudo passwd -d
and remove the password, but that would also mean I could use sudo commands without a password.

This is really easy to do with Windows. It’s got to be possible with Linux!
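
One way to get the three steps above without `passwd -d`, shown as an added example that is not from any poster in this thread: on Debian/Ubuntu-family systems the greeter's PAM file typically carries the rule `auth sufficient pam_succeed_if.so user ingroup nopasswdlogin`, so a user who keeps a password but belongs to the `nopasswdlogin` group skips the greeter prompt while sudo still asks. The script audits that state; the rule being present on a given Zorin install is an assumption to verify, and every file it reads here is a constructed sample.

```sh
#!/bin/sh
# Added example: audit a "no password at the greeter, password for sudo" setup.
# Assumption: the greeter's PAM file carries the Debian/Ubuntu-style rule below.
# All file contents used here are constructed samples, not real system files.
RULE='^auth[[:space:]]+sufficient[[:space:]]+pam_succeed_if\.so[[:space:]]+user[[:space:]]+ingroup[[:space:]]+nopasswdlogin'

# audit_user USER SHADOW GROUP GREETER_PAM SUDO_PAM  -> prints one verdict word
audit_user() {
    user=$1; shadow=$2; group=$3; greeter=$4; sudo_pam=$5
    # Shadow field 2 is the password hash; `passwd -d` leaves it empty.
    hash=$(awk -F: -v u="$user" '$1 == u { print "x" $2 }' "$shadow")
    case $hash in
        "") echo unknown-user; return 1 ;;
        x)  echo empty-password; return 1 ;;
    esac
    # Group field 4 is the comma-separated member list.
    awk -F: -v u="$user" '$1 == "nopasswdlogin" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        } END { exit !found }' "$group" || { echo not-in-group; return 1; }
    grep -Eq "$RULE" "$greeter" || { echo greeter-missing-rule; return 1; }
    # The same rule in sudo's stack would make sudo passwordless as well.
    # (@include lines are not followed; check included files separately.)
    if grep -Eq "$RULE" "$sudo_pam"; then echo sudo-bypass; return 1; fi
    echo ok
}

# make_samples DIR: write constructed stand-ins for shadow, group and PAM files.
make_samples() {
    d=$1
    printf '%s\n' 'alice:$6$constructed$hash:19000:0:99999:7:::' \
                  'bob::19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'sudo:x:27:alice,bob' 'nopasswdlogin:x:130:alice,bob' > "$d/group"
    printf '%s\n' 'auth requisite pam_nologin.so' \
                  'auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' \
                  '@include common-auth' > "$d/greeter"
    printf '%s\n' '@include common-auth' '@include common-account' > "$d/sudo"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for u in alice bob; do
    printf '%s: %s\n' "$u" "$(audit_user "$u" "$tmp/shadow" "$tmp/group" \
        "$tmp/greeter" "$tmp/sudo")"
done
rm -rf "$tmp"
```

Because no password is typed at the greeter in this arrangement, a login keyring protected by that password stays locked until the password is entered.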

Beyond me friend! My concern on that last statement “This is really easy to do with Windows” - is it really that secure in the first place? :wink:

I read an interesting article about Windows Defender - apparently it can be used to download malware - Bleeping Computer or the other site I linked to in Security News!

In our use case, it is.

The computer has no Internet connection. The two users are not going to try to do anything malicious. The sole reason we have encrypted the disk is to prevent a thief seeing what is on it if it gets stolen.

Regarding Windows 7 and malware, it is out of support now; no bugs are likely to be fixed. Therefore any use of it connected to the Internet is inherently risky. I would suggest that offline, with the whole disk encrypted with VeraCrypt, you could still say it's secure for our use case.

I'm not going to use it, because it would mean me using nefarious tools and/or uncertain, old hardware to get Windows 7.

Still, we're going off track.

I will try installing Zorin on a PC I have knocking around and removing passwords. I will report back. :smiley:

Whenever I did what you are describing, I did not quite do it this way. I ran the host machine as a server, then installed the OS via Cloud to the parasite machines, operating entirely from the server rather than being fully installed on the machine. However, that was over ten years ago, now…