
Please include Microsoft-Signed Boot Loader for Windows UEFI and Secure Boot Support

Topics: Feature Requests, Technical Issues, Users Discussion
Aug 19, 2016 at 3:29 PM
Dear IDRIX,
Would it be possible to have Microsoft sign the VeraCrypt Boot Loader, so that it won't be blocked by UEFI Secure Boot? 
Now I know that one can manually import the VeraCrypt-DCS certificates into motherboard firmware, in order to keep Secure Boot ON, and for VeraCrypt to be able to install its boot loader under UEFI Secure Boot. So my question is: will this DCS certificate be valid for future VeraCrypt versions, and for how long will it work (will it expire)? 

Thanks. The best solution would be to have Microsoft sign the DCS Certificates, although it may take a long time. 
Developer
Aug 19, 2016 at 6:59 PM
The certificate is valid till 2031.
Aug 19, 2016 at 7:46 PM
Edited Aug 19, 2016 at 7:53 PM
Thanks. I could not find the certificate in the download section, but only the source code. Do we have to compile the boot loader with the certificates ourselves? Would it be possible for you to release a ready-to-use boot loader?

Edit: never mind, I found the certificates in the EFI Boot Loader source code.
Coordinator
Aug 19, 2016 at 7:58 PM
All certificates are already present in the VeraCrypt source code (folder "src\Boot\EFI"). You don't need to compile anything.
The instructions for loading the VeraCrypt-DCS certificate into firmware are here: https://veracrypt.codeplex.com/SourceControl/latest#src/Boot/EFI/Readme.txt

Here is a quote:
Secure Boot:
In order to allow the VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, the VeraCrypt EFI bootloader files are signed
using a custom key whose public part can be loaded into Secure Boot to allow the verification of VeraCrypt EFI files.

Below are instructions to update the Secure Boot configuration:
  1. Enter BIOS configuration
  2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
  3. Boot Windows
  4. execute from admin command prompt: powershell -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
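Step 2 replaces the platform key, so the useful check afterwards is what actually ended up in the firmware's signature databases. The PowerShell below is an added example, not code from the VeraCrypt/DCS project or from sb_set_siglists.ps1: it parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and reports whether a DCS certificate and the two Microsoft CAs named in step 4 are present in db. The subject-name patterns are assumptions, since the thread does not quote the certificates' exact subjects.

```powershell
# Added example: inventory the X.509 certificates enrolled in UEFI db and
# confirm Secure Boot state. Needs an elevated prompt on a UEFI system.
#Requires -RunAsAdministrator

# EFI_CERT_X509_GUID (UEFI spec): signature lists of this type hold DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureListCerts {
    param([Parameter(Mandatory)][string]$VariableName)   # 'db', 'dbx', 'KEK' or 'PK'
    $bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16), list size (4), header size (4), signature size (4)
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop, don't spin
        $entry = $pos + 28 + $hdrSize
        while ($entry + $sigSize -le $pos + $listSize) {
            if ($type -eq $EfiCertX509Guid) {
                # Each EFI_SIGNATURE_DATA entry: 16-byte SignatureOwner GUID, then the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $VariableName; Subject = $cert.Subject
                                   NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            }
            $entry += $sigSize
        }
        $pos += $listSize
    }
}

# Assumed subject patterns. The Microsoft CA names are the well-known CN strings behind
# MicWinProPCA2011 and MicCorUEFCA2011; the DCS pattern is a guess to adjust after inspection.
$expected = @{ 'DCS signing cert'      = 'DCS'
               'Microsoft Windows PCA' = 'Windows Production PCA'
               'Microsoft UEFI CA'     = 'UEFI CA' }

"Secure Boot enforced: $(Confirm-SecureBootUEFI)"
$db = @(Get-UefiSignatureListCerts -VariableName 'db')
$db | Format-Table -AutoSize
foreach ($name in $expected.Keys) {
    $found = $db | Where-Object { $_.Subject -like "*$($expected[$name])*" }
    '{0,-22} {1}' -f $name, $(if ($found) { 'present in db' } else { 'MISSING from db' })
}
```

If either Microsoft CA is reported missing after enrolment, Windows' own boot manager will no longer verify, so re-check the db signature list before rebooting with Secure Boot on.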
Aug 19, 2016 at 8:17 PM
Thanks Idrassi for your kind help.
It appears though my UEFI won't allow me to switch to setup mode. The only option regarding secure boot is grayed out. I guess it's just the vendor's choice not to allow customers to change the BIOS settings. Maybe time for me to change my computer :)

Anyway, thanks much for your assistance. It would be wonderful if you guys could have Microsoft sign the UEFI boot loader, so that it'll be compatible with UEFI secure boot.
Aug 21, 2016 at 12:47 AM
Edited Aug 22, 2016 at 12:34 AM
It may not do you personally any good (but you never know) but as an act of social consciousness,
I'd raise holy Hell with whoever sold you that machine. If they won't take it back, at least raise
enough stink that it hurts them, even if only a little bit. This sort of thing MUST get the strongest
possible negative feedback. If it's a local vendor, that's worth spending a night in jail for.

Think how they would love the headline:

Irate customer arrested for Disturbing the Peace at Office Depot

Faced with that prospect they might make major concessions to you personally. Alternately, having
suffered such a contretemps, they might reconsider what brands they want to stock, or at the very
least put up a clear warning on the machines that have this "I can't let you do that, Dave" feature.