Whole disk encryption on Windows 8.1 ?

Topics: Technical Issues
Nov 2, 2014 at 2:57 AM
Hello there! I saw that GPT partitions and UEFI are not supported yet. So I've created an MBR partition on an Intel 530 SSD. The disk has only one partition, the OS (OK, and the tiny Windows partition that setup creates - that makes them 2 partitions), and nothing else.

Tried to apply the whole disk encryption; it got stuck on boot when I entered the password.
(On the test reboot that it does; of course I didn't completely encrypt it.)
Pressing Escape to go back to the Windows bootloader, it boots up normally.

Are there any issues with Windows 8.1? Or just bad luck?
Tried with the e version and beta f.
Coordinator
Nov 2, 2014 at 8:35 AM
Another way to ensure the maximum compatibility is to partition your disk before installing Windows 8.1 in order to have two partitions: one that is NTFS and a second one that uses a format not recognized by Windows (for example Ext4). For example, you can boot from a Linux disk, perform the partitioning as I described and then install Windows 8.1 as usual.

Thanks to this method, you'll have only one partition for the system and the boot. Afterwards, you can reformat the second partition in order to make it usable under Windows.
Coordinator
Nov 2, 2014 at 8:57 AM
Hi,

It should have worked. I have a similar Windows 8.1 setup although on a standard hard drive and the encryption is OK.

Can you check the partition information using the Windows "Disk Management" utility and post a screenshot or a description of the displayed information?
Here it shows :
  • System Reserved: Healthy (System, Active, Primary partition)
  • (C:): Healthy (Boot, Page File, Crash Dump, Primary Partition)
Nov 8, 2014 at 9:41 PM
idrassi wrote:
Hi,

It should have worked. I have a similar Windows 8.1 setup although on a standard hard drive and the encryption is OK.

Can you check the partition information using the Windows "Disk Management" utility and post a screenshot or a description of the displayed information?
Here it shows :
  • System Reserved: Healthy (System, Active, Primary partition)
  • (C:): Healthy (Boot, Page File, Crash Dump, Primary Partition)
Sorry about the delay. Anyway, drive information, partition information here:

http://files.infected.gr/veracrypt/partitions.png
http://files.infected.gr/veracrypt/windows_disk_management.png

After reboot I got the classic error message that pretest failed:
http://files.infected.gr/veracrypt/failed.png

Also made a video here https://www.youtube.com/watch?v=itJVKv3FhAM of what exactly it does.
(Ignore the small password - only for the video test - I only had one hand to type it when taping it.)
Nov 9, 2014 at 12:17 AM
Just for curiosity but that's odd. Erased VeraCrypt, installed TrueCrypt 7.1a.
Tried with the exact same configuration (RIPEMD, AES, whole disk encryption not partition only)
and it booted normally.
http://files.infected.gr/veracrypt/truecrypt_pretest_ok.png

Is there anything that I can do to help debug it?

Is there a log I can check and send you, a debug option, or maybe send the boot sector of both with the dd command using a live Linux?
Coordinator
Nov 9, 2014 at 7:42 AM
Thank you very much for your detailed feedback about this issue. If everybody was as thorough as you, things would be much easier!

From all the elements you reported, it is clear that the bootloader in VeraCrypt is causing the PC to restart after the password is verified but before Windows is started. This can come from different reasons but the most probable one is a memory issue. Since the TrueCrypt loader is working, this makes us focus on the differences with the VeraCrypt loader, which are linked to adding security checks in the bootloader and increasing the iteration count in PBKDF2.

The extra checks in VeraCrypt use a little more memory and it is possible that in your case the memory layout available to the BIOS is restricted.

In order to help pinpoint the real cause of the issue, can you please:
  • Test with a different cipher or a cascade of ciphers (e.g. AES-Twofish).
  • Test with version 1.0f-BETA of VeraCrypt that is available here. Some memory optimizations were implemented.
  • I can build a verbose bootloader that will display major execution steps. This will help determine which part is causing the reboot. The only thing is that adding code to print messages will change the memory layout and the behavior will possibly change. So, I'll wait for the other tests before trying this.
Thank you again for your help on this. As you can imagine, the number of machines we use for tests is limited and we can test on all possible hardware combinations. So, the help of users like you is very precious in order to make VeraCrypt compatible with the maximum number of PCs out there.
Nov 9, 2014 at 3:54 PM
It doesn't restart by itself, it just gets stuck there. I press Control-Alt-Delete eventually to reboot again and press Esc to boot to the OS.
Tried the beta, RIPEMD and SHA, which is still in beta, right? Anyway, it also crashes there, sorry.

Then I re-tried TrueCrypt to see if it fully encrypts it; it did, and it boots, so for any other testing I will be late a few hours :P
Have to decrypt it again and play with the beta again a few times.
Nov 9, 2014 at 4:58 PM
I am stupid or something else happened here :-)
TrueCrypt boots immediately once I enter the password. The same time I press "Enter".

Now tried with the beta again with RIPEMD and Twofish and it got stuck. I said "damn, let's take a picture of it".
And I was searching for the phone to take a picture of it. While searching, 50-60 seconds later, it booted just fine.

Then I tried again with AES and SHA-256 and a ...timer.
It booted just fine but it booted in 1 minute and 17 seconds.

I believe the first time it also didn't get stuck. I just didn't have any patience (more than a minute).
But from what I see it boots normally after 1+ minute.

Any thoughts? Is normal behavior like that?
Coordinator
Nov 9, 2014 at 5:01 PM
Ah, I see. I think you just didn't wait enough time for the key derivation to complete. It should take 30 seconds but in the video I see that you restarted after 10 seconds only. Did you wait longer?

In VeraCrypt, we use a higher iteration count compared to TrueCrypt. In pre-boot authentication mode, this means that the time needed to validate a password is increased dramatically compared to TrueCrypt (~300 times more). This is important if we need to be 100% immune from brute-force attacks.

Let's wait for your confirmation about how much time you waited before rebooting your machine.

For your information, in SHA-256 the time needed is much longer than RIPEMD-160 because we have chosen an iteration count of 200000. On a recent CPU, this means up to 1 minute for the boot to start. Of course, reducing the count would give better start-up times but we prefer sticking with the most secure level. That being said, we'll probably introduce the notion of security level in order to enable users to choose a lower value to speed up start-up while reducing their security level.
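
The cost trade-off described in this post, as an added example that is not part of the original thread or VeraCrypt's code: it times PBKDF2-HMAC-SHA256 on the host at the 200000-iteration count quoted above and at a count about 300 times lower, then converts the per-guess cost into an exhaustive-search estimate. The 64-byte salt and key sizes, the sample password and the 8-lowercase-letter keyspace are assumptions, and the timings are for native code on this machine, not for the pre-boot loader.

```python
import hashlib
import time

# Figures quoted in the thread above.
SHA256_BOOT_ITERATIONS = 200_000  # pre-boot iteration count for SHA-256
COST_RATIO = 300                  # "~300 times more" work per password check


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The 64-byte output length is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)


def measure_seconds(iterations: int, salt: bytes = b"\x00" * 64) -> float:
    """Wall-clock time of one derivation on this host (constructed inputs)."""
    start = time.perf_counter()
    derive_key(b"constructed sample password", salt, iterations)
    return time.perf_counter() - start


def seconds_per_guess(iterations: int, sec_per_iteration: float) -> float:
    """PBKDF2 cost is linear in the iteration count, for user and attacker."""
    return iterations * sec_per_iteration


def years_to_search(keyspace: int, iterations: int,
                    sec_per_iteration: float, parallel: int = 1) -> float:
    """Expected time to try half the keyspace using `parallel` workers."""
    total = (keyspace / 2) * seconds_per_guess(iterations, sec_per_iteration)
    return total / parallel / (365.25 * 24 * 3600)


if __name__ == "__main__":
    low = SHA256_BOOT_ITERATIONS // COST_RATIO
    t_low = measure_seconds(low)
    t_high = measure_seconds(SHA256_BOOT_ITERATIONS)
    per_iter = t_high / SHA256_BOOT_ITERATIONS
    print(f"{low} iterations: {t_low:.4f} s per password check")
    print(f"{SHA256_BOOT_ITERATIONS} iterations: {t_high:.4f} s per password check")
    keyspace = 26 ** 8  # assumption: 8 lowercase letters
    for workers in (1, 1000):
        for iters in (low, SHA256_BOOT_ITERATIONS):
            years = years_to_search(keyspace, iters, per_iter, workers)
            print(f"{iters:>7} iterations, {workers:>4} workers: {years:.4f} years")
```

The delay a user sees at boot and the cost an offline guesser pays both scale with the iteration count, but not with the same constant: the `parallel` parameter and the host-measured rate show how much faster native, parallel hardware gets through the same keyspace.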
Nov 9, 2014 at 5:09 PM
Verified my stupidity. It works. It just needs ~70 seconds to boot. Sorry about that
Coordinator
Nov 9, 2014 at 5:46 PM
No problem. This is an understandable mistake.