
Several issues with VeraCrypt 1.18a

Topics: Technical Issues
Aug 25, 2016 at 1:56 AM
Edited Aug 25, 2016 at 3:18 AM
1. When I encrypted my OS, Windows 10 Enterprise LTSB, and just had to restart to start the encryption, I got a red Windows error after booting. So I entered the BIOS and disabled Secure Boot and it worked.

I thought VeraCrypt 1.18a supported Secure Boot and was signed by Microsoft. Am I wrong?

My motherboard: ASUS Z97-A



2. I used PIM when I encrypted the system. I remember that when I used PIM with VeraCrypt 1.17 the boot time was much longer, about 5 minutes, but now it boots instantly. I used the default PIM value. Is the default PIM value the "strongest"? Why does it boot much faster compared to version 1.17 with PIM enabled? I used the default PIM value in version 1.17 too.

3. When I tried to encrypt the system I could not choose "encrypt whole drive" and had to use the "encrypt windows partition" option. Why not the whole drive like you could do with Windows 7?


4. I can't mount a TrueCrypt volume. I thought you could do this?
Aug 25, 2016 at 4:13 AM
2) Have you disabled the Windows feature called Fast Startup?

http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html

3) Post a screenshot of your Windows Disk Management.

4) If the TrueCrypt volumes were created using a TrueCrypt version prior to 6.x, VeraCrypt cannot open those volumes.

https://veracrypt.codeplex.com/wikipage?title=TrueCrypt%20Support
Aug 25, 2016 at 5:32 AM
Edited Aug 25, 2016 at 5:33 AM
2. I have disabled hibernate so it would disable Fast Startup.


3. Can't post picture at the moment. My system disk: 1: 450MB Recovery 2: 100MB EFI 3: Rest of Windows in that order.


4. It's TrueCrypt 7.1a


Do you know anything about question 1?
Aug 25, 2016 at 8:54 AM
Edited Aug 25, 2016 at 8:59 AM
Hello VCuser,

1. To sign the EFI loader, the technology has to be stable. The procedure is rather long.

I implemented the first version of DCS (Disk Cryptography Services for EFI). Development is in progress.

Details about secure boot are at
https://github.com/veracrypt/VeraCrypt-DCS/blob/master/SecureBoot/readme.txt

If you set secure boot custom mode and set certificates from the distributive, protection is the same (by RSA signature).
The only difference: the boot loader of MS is signed by the MS key. DCS is signed by the DCS_sign key.

2. Start of the EFI system is faster (even with fast boot disabled). There are several reasons in the architecture.

3. To load, EFI needs an EFI system partition, FAT formatted. It is partition 2 in your list.
To mount the partition and see contents:
mountvol O: /S
dir O:\

(from admin)

So whole drive encryption is not possible for OS disk.
Aug 25, 2016 at 11:31 PM
So the "whole drive encryption is not possible for OS disk." is a serious issue for those that use SSDs, since these have to be fully encrypted not to leak data?
Aug 26, 2016 at 6:21 AM
SDXC wrote:
So the "whole drive encryption is not possible for OS disk." is a serious issue for those that use SSDs, since these have to be fully encrypted not to leak data?

BitLocker does not encrypt the System Reserved or EFI partitions as it uses those partitions to boot your system. Your data is not going to leak onto the System Reserved or EFI partitions unless malware has infected your system.

Other concerns with SSDs are:

https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling

https://veracrypt.codeplex.com/wikipage?title=Reallocated%20Sectors

Be aware that SSDs have a reserved space called over-provisioning (OP) that cannot be accessed directly by encryption software for encrypting. Only the SSD controller has access to the over-provisioning space to be used for bad blocks. Hence, any data that exists in the over-provisioning prior to encrypting still exists unencrypted due to wear leveling.