This project has moved and is read-only. For the latest updates, please go here.


Detect Bootloader Tampering


Hello Mounir,

Per your request from my posting in the forums from the link below, I am logging the issue.

Validate the bootloader has not been tampered with after system boot-up for encryption of the system partition/drive?

I am specifically referencing the Evil Maid attack vulnerability.

One thought could be to compare the contents of ISO image on the C drive to the bootloader to make sure there are no differences once the PC boots in an attempt to detect changes to the bootloader.

If a difference is detected, you can issue a warning box that the system has been compromised with instructions to restore the bootloader from the Rescue Disk created during system encryption.

To be clear about my request, it is to detect and remediate a compromised bootloader no matter its location.

Thank your consideration and your hard work.

Kind Regards,


idrassi wrote Jul 28, 2015 at 11:50 PM

I have implement a detection mechanism for boot loader tampering.
This mechanism doesn't require the rescue disk and it uses the boot loader embedded in VeraCrypt binaries. This is sufficient because the attacker who tampers with the bootloader can not modify VeraCrypt binaries that resides inside the encrypted system partition such as the tampered boot loader would be the same as the embedded one.

The detection mechanism is based on the computation of both Whirlpool and SHA512 hash of the bootloader on disk and the embedded one and then comparing both hashes. Two different hash functions are used in order to protect against any unknown collision vulnerability in one of the hashes (it is extremely unlikely for an attacker to be able to find a collision with the same input using these two different hash functions).

The corresponding commit:

I have uploaded a new 1.12-BETA binary that includes this mechanism:

Enigma2Illusion wrote Jul 29, 2015 at 8:11 PM

Thank you Mounir for adding this feature!

Can the verification be extended to the Rescue Disk? This would allow people who believe their system has been compromised to verify using external media like a CD Rescue Disk to validate the bootloader on their computer.

idrassi wrote Jul 30, 2015 at 12:46 AM

Yes, this can be extended.

An attacker can not bypass the current bootloader tampering detection unless it also tampers with VeraCrypt binaries inside the encrypted system in order to replace them with his own. And the only way to modify the binaries is to do it while Windows is running, but in this case, if the attacker is able to do this then he could simply get the password directly without the hassle of modifying the bootloader and the binaries.

For this reason, the current mechanism is secure enough and it has the advantage of being automatic.

That being said, I will add a manual chack against a rescue disk.