
Disable Secure Boot?

Topics: Technical Issues
Oct 20, 2016 at 9:35 PM
Hi,
I have a Lenovo Yoga 900 with UEFI and InsydeH2O BIOS.

When installing the TrueCrypt bootloader for system encryption, the bootloader won't work since it is not allowed by the secure boot system.

Do I need secure boot enabled, or can I run with it disabled to be able to use the VeraCrypt bootloader?

Thanks.
Developer
Oct 21, 2016 at 7:38 AM
TrueCrypt does not support UEFI.

VeraCrypt supports UEFI. I made the DCS loader for UEFI. It is the first loader to support UEFI for open source FDE.

To install the loader you have to disable secure boot, or you can install a custom certificate in the BIOS in addition to the MS certificates. Details:
https://sourceforge.net/p/veracrypt/code/ci/master/tree/src/Boot/EFI/

To update the Secure Boot configuration:
  1. Enter the BIOS configuration
  2. Switch Secure Boot to setup mode (or custom mode). It deletes the PK (platform certificate) and allows loading the DCS platform key.
  3. Boot Windows
  4. Execute from an admin command prompt:
    powershell -File sb_set_siglists.ps1
    It sets in PK (platform key) - DCS_platform
    It sets in KEK (key exchange key) - DCS_key_exchange
    It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
All SHIM (Linux) modules are protected by MicCorUEFCA2011_2011-06-27
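
A check that can follow step 4, as an added example that is not part of the original post or of the VeraCrypt project: it reads PK, KEK and db with the Windows cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI and lists the X.509 certificates each variable holds, so the subjects can be compared with the entries named in the post. The function name Get-SignatureListCert is hypothetical.

```powershell
# Added example: list the X.509 certificates held in PK, KEK and db.
# Run from an elevated PowerShell prompt on a UEFI system.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

# Hypothetical helper: walk the EFI_SIGNATURE_LIST structures in a variable.
function Get-SignatureListCert {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($Bytes, $offset, $typeBytes, 0, 16)
        $type     = [Guid]::new($typeBytes)
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)  # whole list
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)  # SignatureHeader
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)  # one entry
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -lt 0 -or
            $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # Each entry: 16-byte SignatureOwner GUID, then the DER certificate.
                $der = New-Object byte[] ($sigSize - 16)
                [Array]::Copy($Bytes, $entry + 16, $der, 0, $der.Length)
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
foreach ($name in 'PK', 'KEK', 'db') {
    try {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
    } catch {
        "${name}: not set (expected for PK while the firmware is in setup mode)"
        continue
    }
    Get-SignatureListCert -Bytes $var.Bytes |
        Select-Object @{n='Variable'; e={$name}}, Subject, NotAfter, Thumbprint
}
```

Signature lists of other types (for example SHA-256 hash entries) are skipped, so only certificates are listed.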
Oct 21, 2016 at 7:46 AM
Thank you, I'll try that.

Of course I meant VeraCrypt - I'm just too used to using TrueCrypt that I wrote that instead.. ;)