
Help needed. Acer Aspire One 1-431. Test runs fine, won't boot to Windows once encrypted

Topics: Technical Issues
Aug 26, 2016 at 6:30 AM
I have an Acer Aspire One 1-431 laptop running Windows 10 and the newest 1.11 BIOS version. Using VeraCrypt 1.18a.

Setup and initial test runs fine as long as I change my default BIOS settings to:
Secure Boot Mode: Disabled
TPM (TCM) State: Disabled

Once I continue and encrypt the drive I am no longer able to boot the computer. On attempt, the system attempts to "diagnose the problem" and then "repair," but is unable to do so.

If I boot off my USB recovery drive it loads the VeraCrypt loader, but attempting to enter my password gives me an "invalid password" error.

My only option is to permanently decrypt the drive, which does accept my password.

Is there a step I'm missing or is my system simply incompatible with this? I also seem to be unable to boot to a Tails USB drive, so I'm not sure if my system is just not possible.
Developer
Aug 27, 2016 at 8:33 AM
Check boot menu order in BIOS. VeraCrypt has to be default loader.
Coordinator
Aug 27, 2016 at 11:06 PM
Did you try the Rescue Disk option "Restore VeraCrypt loader to boot menu"? Does it enable you to boot your system?
You can combine this option with "Restore VeraCrypt loader binaries to system disk".

Also, what antivirus/security solution are you using? Something on your machine is removing VeraCrypt bootloader and we need to find what it is.
Aug 28, 2016 at 4:40 AM
Just ran the process again. No luck.

I went into BIOS, pushed the Windows loader to the bottom of the list. Enabled secure boot, loaded the EFI settings from my recovery disk, brought them up to the top priority, disabled secure boot.

The first time it restarts I get a quick screen saying "preparing automatic repair" and it quickly loads its files. It then goes to the standard ACER boot screen with the spinning disc, the screen flashes and it goes to a similar screen with "Diagnosing your PC" displayed. If I let it keep going it will attempt to repair my PC but that won't work.

I get the same sequence without the initial "Preparing automatic repair" screen on subsequent starts.

If I attempt to Restore VeraCrypt loader or the binaries, I get the same full sequence of events.

Again, if I try to "Boot veracrypt loader from rescue disk" it says "Authorization failed. Wrong password, PIM or hash. Decrypt error(3)."

If I Decrypt OS everything works fine.
Aug 28, 2016 at 4:42 AM
I'm pretty confident this is a BIOS issue, correct? I have been considering rolling back to Windows 7 but wanted to get this process working while I was at it. Would doing the rollback now have any positive effect on this?
Aug 28, 2016 at 4:53 AM
Lastly, to confirm I'm doing it correctly, when I select to restore the VeraCrypt loader to boot menu and it asks me to "Select EFI boot volume:" I am selecting my system drive, correct, not the Rescue USB drive?
Aug 28, 2016 at 5:52 AM
Forgot to answer the question. I currently do not have an antivirus loaded. I had AVG installed but recently removed it as I find a replacement.
Coordinator
Aug 28, 2016 at 10:07 PM
I did some research and it turned out that there is a known issue in the EFI firmware of Acer machines, which don't persist the changes in an important EFI variable called "BootOrder" after a cold boot. I found a long discussion about this issue on the forums of another open source project dealing with EFI (efibootmgr): https://github.com/rhinstaller/efibootmgr/issues/19#issuecomment-66692028

Moreover, this non-standard behavior seems to be linked to the disabling of Secure Boot.

That's why the Pre-Test was successful, since it was a reboot and not a cold boot: after reboot, the change to BootOrder is preserved.

For now, you will have to use the Rescue Disk to restore the boot menu and reboot to start Windows, or decrypt your system, although it is better to decrypt it from Windows.

For those who didn't save your Rescue Disk zip file, you can follow the procedure I describe in this video where I use a Linux Mint Live CD to boot the machine and access the content of the encrypted Windows partition using VeraCrypt on Linux: https://www.youtube.com/watch?v=4xJrVGzAk0Y

Anyway, this Acer non-standard behavior is making it impossible to have a persistent VeraCrypt bootloader, at least when Secure Boot is disabled... not sure if we will be able to find a workaround for it.

Meanwhile, Acer users should avoid using VeraCrypt to encrypt Windows for now. I will see how I can detect Acer machines to forbid EFI system encryption on them.
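
The BootOrder behavior described in the reply above can be checked from a Linux live session by snapshotting the variable after a reboot and again after a cold boot. This is an added example, not code from the thread or from VeraCrypt; it assumes the Linux efivarfs layout (a 4-byte attribute prefix on each variable file), and the sample variables and entry names are constructed.

```python
import struct
from pathlib import Path

# Linux efivarfs exposes each variable as <Name>-<VendorGUID>; this is the EFI global GUID.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_boot_order(raw):
    """efivarfs file = 4-byte attribute mask, then UINT16 little-endian entry numbers."""
    body = raw[4:]
    if len(body) % 2:
        raise ValueError("BootOrder payload is not a whole number of UINT16 values")
    return list(struct.unpack("<%dH" % (len(body) // 2), body))

def parse_description(raw):
    """Boot#### = 4-byte mask + EFI_LOAD_OPTION: UINT32 Attributes,
    UINT16 FilePathListLength, NUL-terminated UTF-16LE Description, ..."""
    desc = raw[4 + 6:]
    for i in range(0, len(desc) - 1, 2):
        if desc[i:i + 2] == b"\x00\x00":
            return desc[:i].decode("utf-16-le")
    raise ValueError("unterminated load option description")

def first_loader(variables):
    """Description of the entry the firmware will try first."""
    order = parse_boot_order(variables["BootOrder"])
    if not order:
        raise ValueError("empty BootOrder")
    return parse_description(variables["Boot%04X" % order[0]])

def order_reverted(before, after):
    """True if BootOrder differs between two snapshots (e.g. across a cold boot)."""
    return parse_boot_order(before["BootOrder"]) != parse_boot_order(after["BootOrder"])

def read_live():
    """Snapshot BootOrder and the Boot* variables from a running Linux system."""
    files = EFIVARS.glob("Boot*-" + EFI_GLOBAL)
    return {f.name.split("-", 1)[0]: f.read_bytes() for f in files}

# Constructed sample data (not captured from a real machine); entry names are illustrative.
def _var(payload):
    return struct.pack("<I", 7) + payload  # 7 = NV | BS | RT attributes
def _entry(name):
    return _var(struct.pack("<IH", 1, 0) + name.encode("utf-16-le") + b"\x00\x00")

ENTRIES = {"Boot0000": _entry("Windows Boot Manager"), "Boot0001": _entry("VeraCrypt loader")}
AFTER_REBOOT = dict(ENTRIES, BootOrder=_var(struct.pack("<2H", 1, 0)))
AFTER_COLD_BOOT = dict(ENTRIES, BootOrder=_var(struct.pack("<2H", 0, 1)))
```

On a real machine, save the result of `read_live()` after a warm reboot and again after a full power-off, then pass both snapshots to `order_reverted()` and `first_loader()`.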