
System Drive Encryption with a USB containing Key

Topics: Feature Requests, Users Discussion
Oct 14, 2014 at 3:52 PM
I am looking for a solution where I can encrypt my entire Laptop Hard drive and have the Keyfile on a USB drive so when the system boots, it accesses the USB for the encryption key and allows the system to boot. If the USB is not present, the system will fail to boot.
Coordinator
Oct 15, 2014 at 9:35 AM
Using a USB key for two factor authentication during boot is indeed very interesting but the problem is that there are environment and code size limitations for the bootloader that make it difficult to implement such hardware interactions (it is a 16-bit environment because of BIOS).

A possibility is to enable this only when a single cipher is supported (let's say AES) and to remove the bootloader backup capability (this will give us 10 KB more space). I think this can be feasible.

We'll definitely investigate the possibility for implementing this. At the same time, if anyone has experience on how to implement low level USB storage at BIOS level, please feel free to contribute.
Oct 15, 2014 at 9:09 PM
Not 100% what you are looking for, but DiskCryptor (Windows-Only but "based" on TrueCrypt) has managed to modify the hardcoded TrueCrypt bootloader options, and allows users to place the bootloader on USB / LAN in addition to allowing many more boot configurations than standard TrueCrypt.

I have no idea how difficult it would be to incorporate these changes into VeraCrypt, but this is likely a very good place to start looking for "suggestions" as to how this can be accomplished.

https://diskcryptor.net/wiki/Bootloader (Bootloader Options) & https://diskcryptor.net/storage/dcrypt/1.1.846.118/dcrypt_1.1.846.118_src.zip (DiskCryptor Source)
Coordinator
Oct 16, 2014 at 5:43 AM
Thanks for the links.
From the source, it appears that DiskCryptor has come up with an interesting approach where it implements a double stage bootloader: it starts in real mode (stage 0) as is the case in TrueCrypt/VeraCrypt but instead of doing all the logic at this stage (with all its limitations), it has implemented a protected mode boot module that acts like a mini-OS where it has access to the full resources of the machine and from there it decrypts the system partition and starts Windows.

This is a huge work that needs to be studied more deeply in order to understand all its internals. For now, a possible issue in this approach is in the keyboard handling that doesn't seem to handle special characters correctly on AZERTY keyboards (which we use here in France). This is linked to the mini-OS approach where it must handle keyboard layout manually. I don't know if this is something that can be corrected easily but for now this is not good for password security.
Oct 23, 2014 at 9:00 PM
This feature is a personal favourite of mine for many years.

DiskCryptor has made a huge leap forward with its boot loader. The ability to save the bootloader on a flash drive means the WDE drive can be totally random allowing plausible deniability.

WDE is a great feature but not being able to have a drive which appears to be full of random data has always been a weakness.

Also the password on a flash drive is useful for longer passwords especially when combined with a typed one.

With the bootloader separate from the drive it protects against the "Evil Maid" attack.

There are many reasons a separate bootloader is a good idea, I would like to suggest that it might be worth the effort pursuing this.
Jan 6, 2015 at 4:00 PM
Edited Jan 6, 2015 at 4:04 PM
mtpagkatipunan wrote:
My system drive is encrypted with Bitlocker and I just plug in my USB stick and it will immediately boot to Windows 8.1. VeraCrypt needs the same approach.
Indeed, a "movable bootloader" will increase security.

One of the main problems with Bitlocker is that it is not possible to use it on VMs (because the TPM is "missing"; there are "workarounds", but who cares when the possibility of backdoors is there).
I use VC to encrypt disks and file containers on my VMs and it runs perfectly.
Jan 7, 2015 at 9:48 AM
alkyred wrote:
I am looking for a solution where I can encrypt my entire Laptop Hard drive and have the Keyfile on a USB drive
You may want to look at Yubikey (www.yubico.com) - they sell a highly secure USB device that you can program and feed your application with a code (which can be your veracrypt PW). It behaves as a USB-HID, simulating a keyboard, so no drivers are required. It has good reviews about the manufacturing and methods used to claim high security and assurance.
Coordinator
Jan 7, 2015 at 8:38 PM
Edited Jan 7, 2015 at 8:43 PM
Yubikey seems very interesting for VeraCrypt boot system encryption as a way to enter a strong password.
Has anyone tested it?

Concerning VeraCrypt support of USB, there are two ways:
  1. support writing the bootloader to a USB key in order to boot from it.
  2. support reading key files from a USB key during the boot password prompt.
The second option is very complex to implement since we need to include a USB driver in the bootloader in order to be able to read it. This is clearly not possible for the current boot loader. The solution would be to have a mini OS (like a mini Linux kernel) that would support USB devices and standard filesystems. It will definitely not fit in the 32 KB we use for the bootloader. Having this will mean a big change in how we handle the boot as we will need a small partition on the disk to put all the code.

The first option is easier as it needs only some changes in the bootloader code in order to make it more flexible and to dynamically choose the partition from where we want to boot.

EDIT:
I have just found that it works with TrueCrypt so it should work with VeraCrypt: http://www.yubico.com/wp-content/uploads/2014/02/TrueCrypt-v1.3.pdf
Jan 7, 2015 at 11:08 PM
Edited Jan 7, 2015 at 11:09 PM
Obviously having both options would be the "dream" combination :)

However option 1 seems to be easier for you. It also has two very good added benefits, prevention of the "Evil Maid" attack and also the ability to make the drive appear fully random, no boot loader :)

This combined with VeraWipe would allow the user some real plausible deniability, not seen before :)

Go for it Mounir !!!! Another leap forward in security for VeraCrypt users :) LOL
Jan 8, 2015 at 3:32 AM

I agree with L0ck, Option 1 would be fantastic; both would be a dream.

I wish I had abilities to program in this space.


Todd Hank

Jan 8, 2015 at 3:00 PM
Actually I was wondering if option 1 could also open more than one drive? It would be great to only have to carry one USB flash drive but be able to open all my computers with it.
Coordinator
Jan 8, 2015 at 9:28 PM
The idea behind the first option is to write the bootloader alongside the volume header to the USB key. So, in this case, we won't be able to boot any other computer as every one of them will have a different master key.

Of course, if only the bootloader is written to the USB key, then it would be possible to boot any encrypted system if the header is left on the disk. But embedding the header with the bootloader in the USB key seems more secure to me.
Jan 9, 2015 at 12:24 PM
Edited Jan 9, 2015 at 2:38 PM
Sorry, I didn't explain myself very well.

I meant keep the header on the USB flash drive but make it so it is user selectable, this way more than one header is stored on the USB.

The user plugs in, boots from USB, then selects the header to use for that computer.

EDIT

Would this feature also help PXE ? I am desperate for booting over LAN. :)
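To make the "header on the USB key" design discussed in the two coordinator posts above concrete (bootloader plus volume header on the token, one header per machine, user-selectable), here is an added toy model. It is not VeraCrypt or TrueCrypt code and does not reproduce the real 512-byte header layout, XTS-AES, or VeraCrypt's PBKDF2 iteration counts; the cipher is an HMAC-SHA256 counter-mode keystream chosen only so the script runs with the Python standard library, and the iteration count and sizes are assumptions for the illustration. What it shows is the mechanism the thread describes: the encrypted header (salt, master key, magic and CRC under a password-derived key) lives on the token, the disk body holds only ciphertext under the master key with no header to identify it, and at boot the token's headers are tried against the typed password so the right one can be picked per machine.

```python
"""Toy model of a detachable volume header kept on a USB token.

Added example for this thread, not VeraCrypt code. The keystream below
(HMAC-SHA256 in counter mode) is a stand-in for XTS-AES so the script needs
only the standard library; it is not a recommended disk cipher.
"""
import hashlib
import hmac
import os
import struct
import zlib

MAGIC = b"VERA"      # VeraCrypt's header starts with this once decrypted
SALT_LEN = 16        # assumed salt length for the toy
KEY_LEN = 32
ITERS = 100_000      # assumed PBKDF2 count; not VeraCrypt's real value


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def _header_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERS, dklen=KEY_LEN)


def make_header(password, master_key):
    """Header stored on the token: salt || Enc(MAGIC || master_key || CRC32)."""
    salt = os.urandom(SALT_LEN)
    body = MAGIC + master_key
    body += struct.pack(">I", zlib.crc32(body))
    return salt + _keystream_xor(_header_key(password, salt), salt, body)


def open_header(password, header):
    """Return the master key if the password opens this header, else None."""
    salt, enc = header[:SALT_LEN], header[SALT_LEN:]
    body = _keystream_xor(_header_key(password, salt), salt, enc)
    if body[:4] != MAGIC:
        return None                      # wrong password (or not our header)
    if struct.unpack(">I", body[-4:])[0] != zlib.crc32(body[:-4]):
        return None                      # magic matched by chance, CRC did not
    return body[4:-4]


def encrypt_sectors(master_key, data, sector_size=512):
    """Disk body: each sector keyed by the master key, sector number as nonce."""
    out = bytearray()
    for off in range(0, len(data), sector_size):
        nonce = struct.pack(">Q", off // sector_size)
        out += _keystream_xor(master_key, nonce, data[off:off + sector_size])
    return bytes(out)


decrypt_sectors = encrypt_sectors   # XOR keystream: same operation both ways


def candidate_headers(password, token_headers):
    """Boot-time step: try every header on the token against the typed password.

    Returns [(index, master_key), ...]. One hit means that header belongs to
    this machine; several hits (same password on several machines) is where
    the user would be asked to choose, as suggested in the thread.
    """
    found = []
    for i, h in enumerate(token_headers):
        mk = open_header(password, h)
        if mk is not None:
            found.append((i, mk))
    return found


def contains_header_magic(disk):
    """Offline check: with the header on the token, the disk body should carry
    no plaintext header magic to identify it as an encrypted volume."""
    return MAGIC in disk


if __name__ == "__main__":
    # Constructed sample: two machines, one token holding both headers.
    mk_laptop, mk_desktop = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    token = [make_header(b"laptop-pw", mk_laptop), make_header(b"desktop-pw", mk_desktop)]
    laptop_disk = encrypt_sectors(mk_laptop, b"MBR and OS bytes" * 64)
    hits = candidate_headers(b"laptop-pw", token)
    print("headers opened by laptop password:", [i for i, _ in hits])
    print("disk carries header magic:", contains_header_magic(laptop_disk))
    print("first sector decrypts:", decrypt_sectors(hits[0][1], laptop_disk)[:16])
```

Note what the model makes visible: a wrong password fails on the magic/CRC check inside the header, so nothing on the disk itself is ever consulted to decide whether a password is right, and a disk that has lost its token is just ciphertext without the `VERA` marker that the real boot loader would look for. A real implementation would additionally need the bootloader on the same token to know which disk each header belongs to (the thread's PXE question raises the same issue for network boot), which this toy leaves to the user's choice.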
Jan 11, 2015 at 6:40 PM
I guess it's a given most users would back up, kind of crazy not to!
May 23, 2015 at 5:48 AM
The Yubikeys work as advertised, constantly adding new features and new ways of challenge/shared secret and other 2way authorisations for supported infrastructures.

For my FDE (which has been created with TC7.1 and I saw no reason to yet change up to VC) I am stuck to a static password of course, like anyone else with this flavor of FDE.

But if you want to "activate" your FDE disk with a USB stick and a password, this is the way to go. You can adjust it easily, choose how long your typed password should be, let the Key fill in the rest, and you have a two tiered authentication. The Key registers as a keyboard so no compatibility problems. At least none that I ever found.

They even have a very interesting writeup on their site about how FDE developers can improve the pre boot auth a lot. Some of it is over my head and I am not sure how aware they are of the constraints of the environment (16-bit, etc.) but it might be worth a read.

https://www.yubico.com/applications/disk-encryption/full-disk-encryption/
Coordinator
May 24, 2015 at 8:38 AM
Thanks for the link.
I have read their FDE specification and it requires the bootloader to be linked against their API. This is not possible currently because of size constraints of the bootloader, but this is something that can be done for normal volumes.

That being said, as I explained in another post, integrating support for a specific manufacturer solution is something that we avoid unless there is sponsoring or funding from the community to do it.