So VeraCrypt recently released a new version that now supports UEFI machines such as mine.
I thought great, now finally I can install the damn thing and use it. I must be a slow learner because last year it almost wiped out the entire computer, where the primary drive crashed and the clone I made had issues with the headers where the keys were kept. And I got stuck with one drive physically down and the other drive encrypted.
Took me a week to recover the data and that was the longest week of my life. I had a thread open on that but that's another story I suppose.
The format of file-hosted volumes is identical to the format of partition/device-hosted volumes (however, the "volume header", or key data, for a system partition/drive is stored in the last 512 bytes of the first logical drive track). VeraCrypt volumes have no "signature" or ID strings. Until decrypted, they appear to consist solely of random data.
In my UEFI Windows 10 machine I use bcdboot / bcdedit to update the firmware entries in the device’s NVRAM to create multiple boot entries pointing to various disks. I use Macrium Reflect to clone the primary boot disk so theoretically I can have 4 different operating systems installed on 4 separate SSDs. Including Linux.
I installed the latest-greatest version of VC (That stands for VeraCrypt not Viet Cong) on the secondary boot drive, thinking that VC would not modify the firmware entries in the NVRAM. The entries that are displayed when the machine is turned on, giving you a chance to select which disk you will boot off. It goes to the primary boot by default or you can scroll down to make another selection.
After the install of VeraCrypt and chosing encrypt the entire drive option (which I ran on the second boot drive, not primary) I rebooted and to my surprise, the firmware entries disappeared, and then the prompt for the password appeared. How is that possible if I never told it to do anything with the primary boot drive or the firmware entries? If I want to encrypt drive C:, I never want to encrypt for example drive X. The answer is, VC installed on the clone drive started managing the BIOS entries. I think part of the problem was, VC was ran on the clone drive but BIOS pointed to another drive. I panicked and swapped SSDs, clone and primary thinking that by default the bootloader will point to the primary disk which didn't have the decryption keys VC needed to unlock the disk, the secondary disk did.
That did not work either.
Maybe this explains why the password would not be accepted. Since it was a test of encryption and none was actually performed, I was able to go back but that greatly worried me. I have no idea why the password just would not get accepted. Most importantly, I do not want to lose the multiple boot capability, I want to chose which disk I boot into. That's the whole point.
Anyway, my faith in this program is not zero, it's minus 5.
VeraCrypt replaces your Windows bootloader with its own bootloader that is encrypted and will decrypt when you give it the password. If that bootloader is damaged your data is gone. VC does suggest you make a rescue disk for that reason. But if you have no rescue disk, you're really screwed. Your password decrypts your master key which is in the bootloader and on your rescue disk and used to decrypt the entire drive. If the master key is damaged *and* you cannot recover it, you can no longer decode your drive.
To sum up my mental notes:
- VC is a terrible hack that now claims to manage UEFI machines but still cannot manage multiple boot entries and is very likely to brick your machine. This is unacceptable as having the primary/clone architecture is central to my backup/recovery process.
There are tons of docs and they are clear as mud and full if if clauses. Bottom line, it does not work for my specific machine which is not uncommon at all. - Total disk encryption is dangerous as hell and should only be done on some test box you don't need and have nothing important on it.
- You are far more likely to do damage to yourself with this dangerous hack than some other person/group/government/criminals. Which defeats the purpose of having this software. Before you install it, shred the disks and throw your machine under a train on a railroad track and then walk away with a modicum of satisfaction, at least you won't suffer any aggravation trying to decrypt your machine when it self-bricks due to VC.
In short, don't use VC. I think it has limited use for file encryption but even then gpg or some PGP-derived public-private key encryption tool works much better and faster, especially on Linux. You can use symmetric encryption with no public keys involved.
VeraCrypt is now compatible with default EFI SecureBoot configuration for system encryption.
Fix EFI system encryption issues on some machines (e.g. HP, Acer).
Support EFI system encryption on Windows LTSB.
Add compatibility of system encryption with Windows 10 upgrade using ReflectDrivers mechanism
Make EFI Rescue Disk decrypt partition correctly when Windows Repair overwrites first partition sector.
Add Driver option in the UI to explicitly allow Windows 8.1 and Windows 10 defragmenter to see VeraCrypt encrypted disks.
Add internal verification of binaries embedded signature to protect against some types to tampering attacks.
Fix Secure Desktop not working for favorites set to mount at logon on Windows 10 under some circumstances.
when Secure Desktop is enabled, use it for Mount Options dialog if it is displayed before password dialog.
when extracting files in Setup or Portable mode, decompress zip files docs.zip and Languages.zip in order to have ready to use configuration.
Display a balloon tip warning message when text pasted to password field is longer than maximum length and so it will be truncated.
Implement language selection mechanism at the start of the installer to make easier for international users.
Add check on size of file container during creation to ensure it's smaller than available free disk space.
Fix buttons at the bottom not shown when user sets a large system font under Window 7.
Fix compatibility issues with some disk drivers that don't support IOCTL_DISK_GET_DRIVE_GEOMETRY_EX ioctl.
