This project has moved and is read-only. For the latest updates, please go here.

Encrypting Non-System GPT Partition's MSR

Topics: Technical Issues
Oct 12, 2015 at 11:19 AM
Edited Oct 12, 2015 at 11:22 AM
Everyone knows that UEFI GPT encryption isn't supported by Veracrypt and that for a full disk encrypt for a non-system drive there can only be one partition (GPT has two).
I've seen several places where it's stated that Non-System GPT formatted partitions are supported for encryption by Veracrypt. Since there are two partitions on a GPT drive (the main partition and the MSR) my question is it ok to encrypt the MSR partition for a GPT formatted drive as well as the main partition to achieve a total disk encryption?

I've done hours of searching on the web regarding this and I keep turning up information regarding encrypting UEFI + GPT=Impossible with Veracrypt and possible with paid encryption software but nothing regarding if it's ok to encrypt the MSR.
Oct 18, 2015 at 7:38 PM
Edited Oct 18, 2015 at 7:43 PM
Since there have been no responses in the last six days I've decided to just try encrypting the MSR. I've found out that full disk encryption is possible but in order to use the GPT partitioned drive both the main partition and the MSR must be mounted in Veracrypt.

To do this:
  1. Format the drive in your OS as GPT.
  2. Encrypt the main partition (VeraCrypt will not allow full disk encryption on a GPT drive because GPT format contains two partitions. In order to do a full disk encryption the drive can only have one partition.)
  3. Encrypt the MSR.
    a. In VeraCrypt go to Volumes ->Create New Volume...
    b. Select Encrypt a non-system partition/drive
    c. Select Standard VeraCrypt volume
    d. Select the MSR partition for encryption (it's 128MB and is located on the same drive as the main partition.)
    e. Check Never save history.
    f. Select Create encrypted volume and format it (VeraCrypt will not allow encryption in place on a partition that is not NTSF; the MSR is not formatted as NTSF.)
    g. Select your preferred Encryption and Hash algorithms and click Next.
    h. Verify the volume size (128MB) and click Next.
    i. Enter Password and click Next.
    j. Filesystem should be set to FAT, Cluster to Default, Quick Format unchecked. Move the mouse randomly for at least two minutes for stronger encryption keys.
    k. Click format, click Yes on the pop up.
    l. When it's done click OK then click Exit.
When the above steps are done you now have a fully encrypted GPT partitioned disk using VeraCrypt. Congratulations.
To use the disk BOTH partitions must be mounted.

You need to be particularly careful to not write or allow any programs to write to the MSR partition. Because it's been mounted with VeraCrypt it now has an assigned drive letter and can be used within the OS (not encrypted, this partition isn't even view-able in a disk manager.

I've been trying to find a way to get the MSR mounted without a drive letter. Thus far no success.