Install Win7 on UEFI BIOS motherboard

Topics: Users Discussion
Dec 21, 2014 at 1:05 PM
Hi.
I am buying my first computer with UEFI BIOS and I do not have any experience with it. I plan to install Win7 x64 on it. Simple question - can I install VeraCrypt on my computer with Win7 and UEFI BIOS motherboard? Are there any restrictions? What should I care about in this case? Thx in advance for answer
Dec 21, 2014 at 3:13 PM
Edited Dec 21, 2014 at 3:23 PM
VeraCrypt does not support GPT formatted drives or UEFI BIOS. This is planned for release in late 2015.

To quote Mounir, the developer of VeraCrypt from another thread which is applicable to Windows 7:
> Yes, VeraCrypt is compatible with Windows 8 and Windows 8.1. The only limitation is with respect to full system encryption with UEFI or GPT partition which has not been implemented yet. If you install Windows 8.x on a MBR partition on BIOS mode, you can perform full system encryption.

Another consideration depends on the manufacturer of the PC having a prebuilt recovery partition and system tools partition on the system drive. You do not want to encrypt the entire system drive since this will prevent access to the aforementioned partitions when you press the power button and you press certain keys to pull up the manufacturer menu, which happens before the VeraCrypt bootloader starts. You can encrypt those manufacturer partitions, with the drawback of being unable to use them when you need them to resolve a problem or install a Windows feature.

In this case, you can encrypt only the C partition, called "Encrypt the Windows system partition", which is an option during the system encryption process. You will want to choose "No" for Encryption of Host Protected Area. This will allow you access to the manufacturer's recovery and system tools partitions.

I believe Windows 7 creates a small partition that is called the system partition that you do not want to encrypt. Using the above method will prevent any problems. I wish the TrueCrypt forums were still available since this question/answer with details was fully explained.

Here is information on the Windows system partition. You will have to copy and modify the URL below because the forum software cannot handle URLs with "#" pound symbols. You will need to copy the URL and remove the double quotes around the pound symbol.

http://windows.microsoft.com/en-us/windows/what-are-system-boot-partitions"#"1TC=windows-7
Dec 21, 2014 at 3:44 PM
Ok. I haven't ever used GPT formatted drive and I don't plan to. I always used FAT32 or recently NTFS and I am OK with that. So when using NTFS there should be a problem.
I will build the PC on my own from parts, i.e. separate HDD, CPU etc. and assemble it on my own, thus there shouldn't be any manufacturer's partition.
So if I understand correctly, the presence of UEFI BIOS doesn't mean I can't install VeraCrypt. Correct?
If I choose "Encrypt windows system partition" during encryption process, I should be OK, right? As I understand it, it will encrypt only the "huge part" of HDD with Windows and leave the 100 MB partition (described on link of yours) unencrypted and thus let the Windows boot from it. This means everyone will know there is encrypted Windows installed on that HDD, but everything else will be encrypted. I am OK with that.
Dec 21, 2014 at 4:07 PM
Edited Dec 21, 2014 at 4:21 PM
I would recommend NTFS format for Windows versions Vista and higher.

> So if I understand correctly, the presence of UEFI BIOS doesn't mean I can't install VeraCrypt. Correct?

I believe you have to change a BIOS setting to Legacy. Or during the Windows 7 install you select Legacy/MBR.

> If I choose "Encrypt windows system partition" during encryption process, I should be OK, right?

Correct.

> As I understand it, it will encrypt only the "huge part" of HDD with Windows and leave the 100 MB partition (described on link of yours) unencrypted and thus let the Windows boot from it. This means everyone will know there is encrypted Windows installed on that HDD, but everything else will be encrypted. I am OK with that.

Currently, even if you can encrypt the entire system drive, the bootloader has in clear text that it is VeraCrypt.

A feature request has been accepted to allow putting the bootloader on external media as a future enhancement.
Dec 21, 2014 at 5:22 PM
Thanks, just 1 question. Are you sure I need to switch the BIOS to some kind of legacy mode or install Windows in "legacy mode" (never seen that option)? Can you possibly tell me where to find out more about BIOS/Windows legacy modes?
Dec 21, 2014 at 5:48 PM
Yes. I am running Windows 7 Pro and in my PC's BIOS the setting is called Legacy System > Enabled under the System Configuration.

For Windows, you want to install on an MBR formatted disk and not a GPT formatted disk. Newer disk drives come preformatted using GPT. At least the ones I have purchased came preformatted GPT.
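
The MBR/GPT distinction discussed in the post above can be read directly from the first two sectors of a disk. This is an added example, not part of the original thread or VeraCrypt's code; it assumes 512-byte sectors, and the function names and the two sample disks are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        # status, (CHS start), type, (CHS end), first LBA, sector count
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"active": boot == 0x80, "type": ptype,
                          "start_lba": lba,
                          "size_mib": count * SECTOR // 2**20})
    return parts

def partition_style(first_two_sectors):
    """'GPT' if LBA 0 is a protective MBR and LBA 1 a GPT header, else 'MBR'."""
    parts = parse_mbr(first_two_sectors[:SECTOR])
    has_gpt_header = first_two_sectors[SECTOR:SECTOR + 8] == b"EFI PART"
    if has_gpt_header and any(p["type"] == 0xEE for p in parts):
        return "GPT"
    return "MBR"

def active_partition(parts):
    """The partition a legacy BIOS boots from (boot flag 0x80), or None."""
    return next((p for p in parts if p["active"]), None)

# --- constructed sample disks (not captured from real hardware) ---
def _entry(boot, ptype, lba, count):
    return struct.pack("<B3xB3xII", boot, ptype, lba, count)

def _sector0(entries):
    return b"\0" * 446 + b"".join(entries).ljust(64, b"\0") + b"\x55\xaa"

# Typical Windows 7 legacy layout: 100 MiB active NTFS + large NTFS volume.
CONSTRUCTED_MBR = _sector0([_entry(0x80, 0x07, 2048, 204800),
                            _entry(0x00, 0x07, 206848, 209715200)]) + b"\0" * SECTOR
# GPT disk: protective MBR (type 0xEE) followed by the "EFI PART" header.
CONSTRUCTED_GPT = (_sector0([_entry(0x00, 0xEE, 1, 0xFFFFFFFF)])
                   + b"EFI PART".ljust(SECTOR, b"\0"))

if __name__ == "__main__":
    for name, disk in (("mbr", CONSTRUCTED_MBR), ("gpt", CONSTRUCTED_GPT)):
        print(name, partition_style(disk), parse_mbr(disk[:SECTOR]))
```

The same functions accept the first 1024 bytes of a disk image. On the constructed MBR disk, the active 100 MiB entry is the small boot partition the thread describes as staying unencrypted.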
Dec 21, 2014 at 6:41 PM
Thx. I will probably need to read more about all this UEFI and GPT/MBR stuff. It's more complicated than I thought. Good luck with making VeraCrypt GPT/UEFI compatible!
Jan 9, 2015 at 5:52 PM
Zakarumit wrote:
> Ok. I haven't ever used GPT formatted drive and I don't plan to. I always used FAT32 or recently NTFS and I am OK with that. So when using NTFS there should be a problem.
> I will build the PC on my own from parts, i.e. separate HDD, CPU etc. and assemble it on my own, thus there shouldn't be any manufacturer's partition.
> So if I understand correctly, the presence of UEFI BIOS doesn't mean I can't install VeraCrypt. Correct?
> If I choose "Encrypt windows system partition" during encryption process, I should be OK, right? As I understand it, it will encrypt only the "huge part" of HDD with Windows and leave the 100 MB partition (described on link of yours) unencrypted and thus let the Windows boot from it. This means everyone will know there is encrypted Windows installed on that HDD, but everything else will be encrypted. I am OK with that.

The good news is that, provided your system has a legacy mode, you can continue to use MBR and thus be able to encrypt your system drive.

If it does not then you will have to wait for VeraCrypt to support GPT partitions. You should accept that in the future there will be devices that do not have this legacy mode since out of the box they come with storage space larger than what MBR can actually support.

It's time to update your knowledge, accept technology has moved to something better (UEFI) and adjust accordingly.
Oct 22, 2016 at 3:55 PM
I wish I had read this thread before. After much trial and error, I finally got the entire system encryption working. I made a step-by-step guide so I can remember what to do next time:

http://www.genopro.com/misc/Installing-VeraCrypt/ - How to Install VeraCrypt on a GUID Partition Table (GPT)