
Veracrypt fresh Windows 7 Pro UEFI on NVMe on Dell

Topics: Technical Issues
Dec 5, 2016 at 2:22 PM
My apologies if the answer to this question is already documented somewhere. I've been reading a lot and not found it, so please feel free to point me in the right direction if that is quicker than replying specifically (and thank you).

I'm setting up a new Dell laptop with a fresh Windows 7 Pro install on a Samsung NVMe SSD. I've been running TrueCrypt full system drive encryption for years, but I believe this setup requires UEFI to function properly, so for that reason, if nothing else, I'm intending to run VeraCrypt from now on. The initial installation is done, booting UEFI (Secure Boot off) with Intel RAID disabled so the Samsung NVMe drivers can see the drive and work properly. So far so good.

VeraCrypt rejects the system drive encryption request immediately, saying that Windows may not be installed on the boot drive. If this means 'on the physical boot disk', that's clearly incorrect, as there is only one drive in the machine. If it means something more partition-related, can someone explain the requirement exactly?

The machine has four partitions. The first, second and third were created by the Windows install and are, respectively, the EFI System Partition, a Microsoft Reserved Partition, and the main C: Windows partition. The fourth is just a large D: data-storage partition, mainly to allow System Restore to be on for C: and off for D:. I don't have the machine in front of me to grab a storage manager image, but I will do so if I've omitted something important here.

I've not attempted to continue despite the warning because I'd rather understand it than blunder through it not knowing the likely outcome :)

The obvious questions are, then: what exactly is VeraCrypt objecting to, will it cause system drive encryption to fail if ignored, and if so, what do I need to do to get it all working?

Thanks for any information or pointers.
Mark
Dec 5, 2016 at 5:05 PM
Update: I have read that, via a little jiggery-pokery during a fresh install, it is possible to create a good Windows 7 UEFI install with only the ESP and main Windows partitions (i.e. no MSR partition), provided BitLocker and multi-boot are not required (which they're not). This is supposedly done by letting the installer create the three standard partitions (ESP, MSR, OS), then deleting OS and extending MSR to become OS before continuing, thus forcing the installer to put the boot loader in OS. Does anyone know if this would (a) allow VC to do its thing more easily or (b) cause worse problems? Thanks.
Developer
Dec 5, 2016 at 10:16 PM
DELL and HP have some incompatibilities in firmware. Long story.

https://sourceforge.net/p/veracrypt/discussion/technical/thread/5b859040/
Dec 6, 2016 at 2:17 PM
Thank you. If I use Shift-F10 and diskpart during the Windows 7 install to clean and convert the NVMe SSD to MBR, everything can be installed and works correctly, including VeraCrypt full disk encryption. I had been led to believe that the Dell would not boot properly from NVMe unless it was in UEFI mode, but thankfully that appears not to be true. I can therefore run this system as full-disk-encrypted MBR at least. I'm happy to try UEFI again via modifying the EFI boot files as indicated in that thread if you think it would be effective (or interesting). So I understand, and ignoring the Dell/HP issue for a moment, does VC support FDE with UEFI and ESP and MSR partitions, or just system partition encryption? I'll be donating either way :)
Developer
Dec 10, 2016 at 7:58 AM
The ESP is the main partition used to boot in EFI mode. The loader is started from the ESP, so the ESP cannot be encrypted. It is like the Windows boot partition for BitLocker (when the system volume is encrypted).

The GPT and ESP sectors have to be open to boot from the disk in UEFI mode. (Another solution is to boot from external media.)

In MBR mode VeraCrypt saves its own boot loader in the first sectors of the disk, so MBR mode does not need a special partition like the ESP to boot.

MBR or EFI?
MBR pros:
Old and well-proven solution.

MBR cons:
Some new hardware does not support MBR (most Windows tablets).
Limited size and functions.
It cannot support picture password, optional authorization, external media for keys, etc.
Secure Boot is not supported.
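The developer's distinction above (in UEFI mode the GPT and ESP sectors stay open; in MBR mode the loader sits in the first sectors of the disk) and the ESP/MSR/OS layout from the original question, made concrete on two constructed disk images. This is an added example, not code from the thread or from VeraCrypt: it parses the protective MBR, the primary GPT header and partition array (checking both CRC32s), classifies partitions by their public UEFI/Microsoft type GUIDs, and reports which sector ranges a loader needs to read in the clear. The image geometry (8192 sectors, ESP at LBA 2048, 128-entry array) is an illustrative assumption; the GUID values are the standard ones.

```python
# Added example, not VeraCrypt's own code: parse a disk's first sectors to tell
# GPT/UEFI from legacy MBR and list the sectors a loader must read in the clear.
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")   # EFI System Partition
MSR_TYPE = uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE")   # Microsoft Reserved
DATA_TYPE = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Basic data (C:, D:)
TYPE_NAMES = {ESP_TYPE: "ESP", MSR_TYPE: "MSR", DATA_TYPE: "Basic data"}

def parse_mbr(img):
    """Populated MBR partition entries as (type byte, first LBA, last LBA)."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 carries no MBR signature")
    parts = []
    for off in range(446, 510, 16):
        ptype = img[off + 4]
        first, count = struct.unpack_from("<II", img, off + 8)
        if ptype:
            parts.append((ptype, first, first + count - 1))
    return parts

def parse_gpt(img):
    """Primary GPT header (LBA 1) and partition array, CRCs verified; None if not GPT."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIG:
        return None
    size, crc, _, cur, backup, first_usable, last_usable = struct.unpack_from("<IIIQQQQ", hdr, 12)
    entries_lba, count, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:size]) != crc:  # CRC field zeroed
        raise ValueError("primary GPT header CRC mismatch")
    array = img[entries_lba * SECTOR:entries_lba * SECTOR + count * entry_size]
    if zlib.crc32(array) != array_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(count):
        e = array[i * entry_size:(i + 1) * entry_size]
        type_guid = uuid.UUID(bytes_le=bytes(e[:16]))  # on-disk GUIDs are mixed-endian
        if type_guid.int == 0:
            continue  # unused entry
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"type": TYPE_NAMES.get(type_guid, str(type_guid)), "first_lba": first,
                      "last_lba": last, "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return {"current_lba": cur, "backup_lba": backup, "first_usable": first_usable,
            "last_usable": last_usable, "entries_lba": entries_lba,
            "array_sectors": -(-count * entry_size // SECTOR), "partitions": parts}

def plaintext_regions(img):
    """Sector ranges the firmware must read unencrypted to start a loader.
    GPT/UEFI: protective MBR, both GPT headers and arrays, and the whole ESP.
    Legacy MBR: only the sectors before the first partition (where an MBR-style
    loader is stored); the partitions themselves can all be encrypted."""
    gpt = parse_gpt(img)
    if gpt is None:
        first_part = min(p[1] for p in parse_mbr(img))
        return [(0, first_part - 1, "MBR + boot loader sectors")]
    cur, ent, n = gpt["current_lba"], gpt["entries_lba"], gpt["array_sectors"]
    regions = [(0, 0, "protective MBR"), (cur, cur, "primary GPT header"),
               (ent, ent + n - 1, "primary partition array")]
    regions += [(p["first_lba"], p["last_lba"], "ESP: " + p["name"])
                for p in gpt["partitions"] if p["type"] == "ESP"]
    # Backup array sits between the last usable LBA and the backup header (usual layout).
    regions += [(gpt["last_usable"] + 1, gpt["backup_lba"] - 1, "backup partition array"),
                (gpt["backup_lba"], gpt["backup_lba"], "backup GPT header")]
    return regions

def build_gpt_image(total=8192):
    """Constructed 4 MiB GPT image with the thread's layout: ESP, MSR, Windows, Data."""
    img = bytearray(total * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total - 1)
    img[510:512] = b"\x55\xaa"
    layout = [(ESP_TYPE, 2048, 4095, "EFI system partition"),
              (MSR_TYPE, 4096, 4351, "Microsoft reserved partition"),
              (DATA_TYPE, 4352, 7000, "Windows"), (DATA_TYPE, 7001, total - 34, "Data")]
    array = bytearray(128 * 128)  # 128 entries of 128 bytes = 32 sectors
    for i, (ptype, first, last, name) in enumerate(layout):
        struct.pack_into("<16s16sQQQ72s", array, i * 128, ptype.bytes_le, uuid.UUID(int=i + 1).bytes_le,
                         first, last, 0, name.encode("utf-16-le"))
    for cur, backup, ent in ((1, total - 1, 2), (total - 1, 1, total - 33)):  # primary, backup
        hdr = bytearray(92)
        struct.pack_into("<8sIIIIQQQQ16sQIII", hdr, 0, GPT_SIG, 0x00010000, 92, 0, 0, cur, backup,
                         34, total - 34, uuid.UUID(int=0xD15C).bytes_le, ent, 128, 128, zlib.crc32(array))
        struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
        img[cur * SECTOR:cur * SECTOR + 92] = hdr
        img[ent * SECTOR:ent * SECTOR + len(array)] = array
    return img

def build_mbr_image(total=8192):
    """Constructed legacy MBR image: one active NTFS-type (0x07) partition from LBA 2048."""
    img = bytearray(total * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, total - 2048)
    img[510:512] = b"\x55\xaa"
    return img

if __name__ == "__main__":
    for label, img in (("GPT / UEFI", build_gpt_image()), ("legacy MBR", build_mbr_image())):
        print(label, *(f"\n  LBA {a:>5}-{b:<5} {what}" for a, b, what in plaintext_regions(img)), sep="")
```

Run as a script it prints the region table for both constructed images: on the GPT image the protective MBR, both GPT headers and arrays, and the ESP (LBA 2048-4095) must stay readable, while the MSR and the Windows and data partitions may be encrypted; on the MBR image only LBA 0-2047 ahead of the first partition is needed for a loader. To inspect a real disk, read its raw sectors with administrator rights (the first few MiB plus the tail, for the backup header) and pass the bytes to the same functions.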