Windows 10: VeryCrypt on machine that is UEFI boot

Hi

Have just bought a new laptop which has both UEFI bootloader and Legacy BIOS.

Up until now I have always encrypted the whole system drive with Truecrypt but I understand that TC does not support UEFI boot.

Having looked at the other options, primarily bitlocker and VeraCrypt, my incliniation is to use VeraCrypt.

However I have picked up from my reading that there may be boot issues with VeraCrypt on UEFI booting machines as well. I have posted on the VeraCrypt forum but I have not yet received a response. Does anyone here have any information?

Thanks in advance.

:)

 

Windows 10 image restore

Hi,

The deal with the DVD then may have been that it was booting from a "Standard" DVD drive boot option instead of "UEFI DVD"...

This is something I recently just discovered on my machine as I had never tried booting from a Recovery or Installation DVD with my machine set for UEFI Bios...

I have done this previously with Legacy Bios, but not UEFI..

 

Windows Boot Error (PLEASE HELP)

Hi,

Make sure your BIOS is set to use the graphics card, not the onboard graphics...

If you have both anyway...

Also make sure your machine is booting the USB properly... For instance...

If your machine is UEFI BIOS capable, you may need to select the USB Boot Option for a "USB" or "UEFI USB"...

If you are using UEFI BIOS, your boot info will be on a "EFI" partition, not C:\...

 

I have UEFI on an HP laptop that 2 yrs old and have used TrueCrypt 7.1a from Day One which I carried over from many yrs prior on other computers. Note: I use for created partitions, not the entire drive, like you propose. Let me know your results. Good Luck

 

I think that may be the problem....the way manufacturers are implementing boot sequences from boot files is not following a standard path which is what is causing the problems when the boot drive/partition is encrypted. If I can't find out any more I'll give it a go.
Thanks

 

How is the BIOS / UEFI configured? Looks like mine is configured for UEFI boot with possibility of enabling legacy BIOS mode. It may make a difference and on earlier laptops it maybe that the transition period configured things differently to laptops being sold now? I'm going to give it a go with Truecrypt first and see what happens. Will post back on results.

 

Well that was quick. Error message. "Your system drive has a GUID partition table (GPT). Currently, only drives with MBR partition table are supported."

Will try VeraCrypt. But from what I have read there are some people having similar problems with the UEFI boot.

 

Well that was a waste of time. VeraCrypt would not restart machine for the test verification of bootloader. When started up again got windows message, image not found or somesuch.

What I don't understand is that the big audit of Truecrypt, as I understand it, found little in the way of vulnerabilities. Truecrypt was always reliable and stable - it just worked. Veracrypt devs have apparently found that there are multiple vulnerabilities which are being fixed all the time, the code has ballooned to 8x that of Truecrypt, and now it seems that there are multiple problems and unreliability remaining.

 

"Well that was quick. Error message. "Your system drive has a GUID partition table (GPT)"

Are you trying to encrypt the entire disk or create a TrueCrypt partition for your data only ? Win10 Pro has Bitlocker disk encryption built in if you want to encrypt the entire system. Otherwise, here are screen shots showing that my disk is GPT and I can use TrueCrypt to mount a partition I created under OneDrive as a hidden partition. I had no issues, at all, either after an Upgrade or after a subsequent clean install. I'd suggest trying to make a TrueCrypt container and see if that works.

 

Was trying a system drive encryption which is what I have done before on old laptop. Truecrypt wouldn't do anything immediately throwing the message I relayed about not supporting GPT.

I have been able, obviously, to encrypt a separate partition on the same drive.

I don't at this stage want to use bitlocker as I do not want to be signed into a MSA all the time, if at all. I understand that bitlocker requires this.

I am at a loss to understand why you can do that and I do not appear to be able to encrypt my system drive....unless what you are doing does not effectively encrypt the system. I think what you are doing is encrypting a folder on C:// whereas what I was doing was encrypting from root C://. I think the latter may involve TC firing up at boot time the former not until after boot time.

TC kicking at boot time with GPT is the problem.

 

" I think what you are doing is encrypting a folder on C://"

Yes, that is what C;\Users\name\OneDrive\Storage is in my screenshot, a TrueCrypt container with the system drive where I place sensitive data. The computer is password protected out of standby so it's the data, I'm concerned with, not someone altering system files or settings. That's why I asked you to try to make a container/folder to test. It should work, just like in my case.

 

You can (and I do) use Bitlocker on a machine with entirely Local accounts. It doesn't cause a problem.

If you do have an MS Account setup (I think it may need to be Admin rather than Standard) then Bitlocker gives the option of backing up your recovery keys to the MS Account. But it's an option and not compulsory.

Some machines with Windows 10 Home and above (and indeed Windows 8.1 Core and above) also can have Device Encryption enabled, if the hardware meets the 'InstantGo' specifications. (Which is quite strict - for instance the machine must boot from a non-rotational disk.)

For Device Encryption to switch on, you *do* need a MS Account at Admin level.

But Device Encryption isn't Bitlocker (albeit the underlying encryption is the same, Bitlocker gives you more control) so if you have Win10 Pro, you don't need an MS Account to use Bitlocker.

 

Thank you for this. So on Windows 10 Pro I can turn Bitlocker on without needing to be logged into a MSA?

I would want to keep a backup of the key somewhere and I am thinking I will do this on a usb drive. Is it possible to keep it on a USB drive in a way that makes that drive an 'unlock key' for the device?

Can you explain the difference between Bitlocker and 'Device Encryption' (the latter presumably is still a Microsoft thing?) I have never understood that there were two sorts of encryption on a Windows o/s and the distinction.

Or have I misunderstood your post?

 

Yes - that's how I use it on my Win10 Pro laptop.

Here is a tutorial on how to switch on Bitlocker in various ways, including using a USB key to unlock.
BitLocker - Turn On or Off for Operating System Drive in Windows 10

Personally I would also keep other backups of the keys in addition to the USB key - the dialogs which come up allow you to print out a copy for instance. Also I'd take a backup image of the disk before I started encrypting, just in case...

I believe that under the skin, the actual encryption is the same. But for Bitlocker there are more options on how you can manage that encryption.

If a device has Device Encryption, you can switch it on or off, and backup your keys, but there isn't much more control than that.

Some people will be running encrypted devices and won't even know it, because it runs silently when someone first logs in with an MSA with admin rights, assuming the device meets the specification and is booted with Secure Boot. I think the option about unlocking with a USB key may not be available, for example, presumably because Device Encryption runs without user interaction.

I think that the reason Device Encryption automatically backs up keys to the MSA is because it's running silently, so the intention is that rather than relying on people keeping a backup manually, there's an automatically-created backup for if things go wrong. (Although if people close, or lose access to, their MSA, they may have a problem...)

With the extra control in Bitlocker you have the option to backup keys to an MSA, but you have to select it - it's not automatic.

 

Good solution for Windows up to version 7. I love it too.