
How to turn on evil maid protection?

Topics: Users Discussion
Dec 11, 2016 at 8:10 AM
How to turn on evil maid protection? Thx
Can't see this function...
Developer
Dec 11, 2016 at 10:28 AM
EFI boot is different.

You can set up Secure Boot and install certificates.
https://sourceforge.net/p/veracrypt/code/ci/master/tree/src/Boot/EFI/Readme.txt

Note: It is also possible to use a TCG+TPM measured boot chain. Development is in progress.
Dec 11, 2016 at 11:11 AM
Maybe I did not put it correctly. I mean that I want to hide the password field when I turn on the notebook. How can I do that?
Developer
Dec 11, 2016 at 11:28 AM
You can edit DcsProp configuration.

From admin cmd:
mountvol o: /s
notepad o:\EFI\VeraCrypt\DcsProp

key -> PasswordMsg
Dec 11, 2016 at 12:07 PM
Yes, but if you type something it will look like a password.
I mean the possibility to type the password without any words.
Developer
Dec 11, 2016 at 1:27 PM
OK. I see. I'll add the possibility.
Thank you.
Dec 11, 2016 at 5:11 PM
It already works on previous versions... Why can't I see it on the new one...

Developer
Dec 11, 2016 at 6:11 PM
EFI support is a new option. The loader is rewritten.
Dec 12, 2016 at 5:12 AM
Understood. Okay, thanks. Because it's a very, very important thing.
For example, a simple situation. At any inspection at the airport they ask you to turn on the notebook. If they see this password, they ask you to write it. If you don't, they do not allow you to fly. No one cares about human rights. It is a standard situation in all airports in Russia, Ukraine.
Developer
Dec 12, 2016 at 7:04 AM
There is a possibility to configure the following:
Special USB flash is connected => ask password
Special USB flash is not connected => boot any other OS (e.g. Linux)
Dec 12, 2016 at 8:51 AM
Yes, it's a good idea! Give instructions please :)
Developer
Dec 12, 2016 at 9:31 AM
Edited Dec 12, 2016 at 9:35 AM
  1. Install Linux or another OS (not Windows! because it uses the same loader bootmgfw.efi)
    Note: you can edit EFI\VeraCrypt\DcsProp from Linux. ESP is mounted to boot (ordinarily).
  2. It is necessary to set the "RUD" key in DcsProp (Require USB device)
  3. Select the correct boot order in BIOS (first VeraCrypt loader, second Linux loader)
RUD is the CRC32 of the following string "VID_PID_SERIALNUM" of the USB disk.

How to calculate RUD. Several ways:
A) It is possible via the EFI shell and the DcsCfg tool

Save the EFI shell to a FAT32-formatted USB drive. The path is "EFI\Boot\bootx64.efi"
https://github.com/tianocore/edk2/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi

Save DcsCfg.efi to the USB root
https://sourceforge.net/p/veracrypt/code/ci/master/tree/src/Boot/EFI/DcsCfg.efi?format=raw

Boot from the USB
Select the disk:
FS0:
List all connected USB devices and their RUDs:
DcsCfg -ul

B) Via a tool like usbtreeview

It is possible to find the VID, PID and serial number of the USB device in usbtreeview
Create an ASCII text file with "VID_PID_Serial"
Calculate CRC32

C) From Linux via procfs of devices.
/proc/bus/usb/devices
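
Option C above, as an added example (not code from VeraCrypt or from this thread): it parses the /proc/bus/usb/devices text format and computes CRC32 over "VID_PID_SERIAL" for each USB disk. The 4-digit hex form of VID/PID, the standard zlib CRC-32 variant and the sample device are assumptions; compare the result with the DcsCfg -ul output before writing it to DcsProp.

```python
import re
import zlib

# Constructed sample in the /proc/bus/usb/devices text format (not a real device).
SAMPLE = """\
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480  MxCh= 4
P:  Vendor=1d6b ProdID=0002 Rev= 4.04
S:  SerialNumber=0000:00:14.0
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
P:  Vendor=0781 ProdID=5567 Rev= 1.00
S:  SerialNumber=CONSTRUCTED0001
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
"""
P_LINE = re.compile(r"Vendor=([0-9a-fA-F]{4})\s+ProdID=([0-9a-fA-F]{4})")

def parse_usb_devices(text):
    """Return one dict per device record; a record starts at a 'T:' line."""
    devices, cur = [], {}  # lines before the first 'T:' land in a throwaway dict
    for line in text.splitlines():
        tag, body = line[:1], line[2:].strip()
        if tag == "T":
            cur = {"vid": None, "pid": None, "serial": None, "storage": False}
            devices.append(cur)
        elif tag == "P" and (m := P_LINE.search(body)):
            cur["vid"], cur["pid"] = m.groups()
        elif tag == "S" and body.startswith("SerialNumber="):
            cur["serial"] = body.split("=", 1)[1]
        elif tag == "I" and "Cls=08" in body:  # USB mass-storage interface class
            cur["storage"] = True
    return devices

def crc32_ascii(s):
    # Standard CRC-32 (zlib / IEEE 802.3); assumed to be the variant the loader uses.
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF

def list_ruds(text):
    """(identifier, CRC32) for each USB disk that reports a serial number."""
    out = []
    for d in parse_usb_devices(text):
        if d["storage"] and d["vid"] and d["serial"]:
            ident = f"{d['vid']}_{d['pid']}_{d['serial']}"  # assumed field format
            out.append((ident, crc32_ascii(ident)))
    return out

if __name__ == "__main__":
    for ident, crc in list_ruds(SAMPLE):
        print(f"{ident}  CRC32=0x{crc:08X} ({crc})")
```

On a live system, pass the contents of /proc/bus/usb/devices to list_ruds() instead of SAMPLE.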
Dec 12, 2016 at 10:38 AM
Heh.. it's too hard for a simple user like me. Maybe you can make a video of how to do that? I think it will be helpful for everyone.
Developer
Dec 12, 2016 at 6:24 PM
Probably I'll try to create a configuration tool. There are several options of the loader to support. See the demo http://sendvid.com/px9jirm6
Dec 20, 2016 at 5:51 AM
kavsrf wrote:
Probably I'll try to create a configuration tool. There are several options of the loader to support. See the demo http://sendvid.com/px9jirm6
Everything is OK. But I hope it's a temporary variant. Using a USB flash drive is not comfortable.
Developer
Dec 20, 2016 at 6:00 AM
comfortable - it is not clear.

Does it mean - not enough security? You need smart card?
You spoke about radio tag? Wireless connection?
Another flag to force login prompt? (like special button or touch zone)
Developer
Dec 20, 2016 at 8:42 AM
Edited Dec 20, 2016 at 8:46 AM
I created a tool to calculate RUD from Windows
DcsWinCfg
Dec 21, 2016 at 2:43 PM
Using USB flash is not comfortable (always forget to take it with me )
Another flag to force login prompt? (like special button or touch zone)
It's interesting. By default it turns on like that http://image.prntscr.com/image/f084125ab81949bba96d22357d5a20f2.png
And then if you press, for example, Ctrl+Alt => then you enter the password
Developer
Dec 22, 2016 at 6:33 AM
Probably instead of "Critical error..." - it can be "press enter to continue..."

if enter is pressed => password is empty => can not decrypt header => boot next OS

To set one authorization retry - key is "AuthorizeRetry" in DcsProp

Probably the authorization error message has to be a parameter also, because if the password is wrong it has to print something like "Booting..."
Dec 22, 2016 at 1:27 PM
Yes, it's ok
Developer
Dec 23, 2016 at 8:29 AM
New version of DcsInt with extra parameters is attached (with description)

https://sourceforge.net/u/kavsrf/wiki/DcsInt/

Keys in DcsProp to support your scenario
<config key="PasswordMsg">Press enter to continue</config>
<config key="AuthStartMsg"></config>
<config key="AuthErrorMsg">...</config>
<config key="AuthorizeProgress">0</config>
<config key="AuthorizeVisible">0</config>
<config key="AuthorizeRetry">1</config>
Jan 27 at 8:03 PM
Any news on turning on this feature by default? Like here - http://image.prntscr.com/image/ce16e903657a440483944742068be8c7.png