TrueCrypt does not support system encryption of OS partitions installed in image files (.img, .vhd).
It just gets confused when you try to encrypt the system drive while the OS is running from an image file, and it will pop up errors.
There is a workaround, but it's a hassle and it just lacks elegance:
1 - Install Windows XP in a virtual machine.
2 - Encrypt the system partition / system drive in your VM with TrueCrypt.
3 - On real hardware: use Grub4DOS to map the VHD file and the Rescue CD ISO file, and boot from the CD image.
It works fine, but there are some issues.
It's complicated because one needs to use a VM.
The rescue CD has all kinds of repair options that I just don't WANT or NEED, and it just doesn't look as clean as the standard HD boot loader.
It would be great if the VHD file could be booted directly without the need to use the ISO file, or, if that's not possible, at least have the option of a separate standard bootloader image to boot from (ISO, IMG, BIN, or whatever format).
The bootloader file could be placed on the drive that contains the VHD file, or on a separate USB thumb drive for more flexibility or security.
Still using Windows XP here, and I will continue to use it for a very long time.... :)
This is a rather rare configuration which requires specific modifications, because the current code expects the system partition to be on a physical drive and as such issues some low-level IOCTLs to get specific information.
Apparently this fails because the VHD emulator you are using (grub??) doesn't answer these correctly.
The best solution would be to correct the VHD emulation layer so that it answers low-level IOCTL calls correctly.
Modifying VeraCrypt to remove those low-level calls is not trivial, as we would need to assume some default configuration, and it would have to match the one used in the VHD file.
Not sure if this will be implemented one day, but it is good to keep it on record.
It's a very special configuration: a TrueCrypted XP running from a RAM disk using nested mapping.
Grub4DOS (not Grub) is used to map the Rescue Disk ISO file and the VHD file.
The VHD contains another raw image file that is loaded into memory with the standard Microsoft ramdisk.sys driver using boot.ini and ntldr.
Here's the magic: the drive mapping of the VHD gets lost somewhere during boot.
The TrueCrypted system drive is not mounted when XP reaches the desktop, so this means that it's completely protected from malware infection (unless the malware finds a way to crack the TrueCrypt password using a brute-force attack... not very likely to happen!)
XP's disk management doesn't show the C drive, but it's there in RAM and in Explorer!
Ramdisk: great performance + no persistence (system modifications are lost after reboot).
TrueCrypt: privacy (pre-boot authentication) + security (image file protected from infection by malware).
I understand that a lot of modifications to the code are needed to allow encryption of systems running from image files, so I'm not expecting anything soon, but I thought it never hurts to ask. :)
Maybe you could create an option to put the bootloader on external media (USB thumb drive)?
At the moment I am using the TC Rescue Disk to boot my system, and I want to get rid of all the repair options it offers and just use the normal bootloader.
Another tool (DiskCryptor) has this option: https://diskcryptor.net/wiki/Bootloader
I was hoping you could implement this option in VeraCrypt...
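The Grub4DOS step in the post above (and step 3 of the first post) maps the VHD as a disk and boots the rescue ISO from RAM. The script below is an added example, not code from this thread or from VeraCrypt/TrueCrypt. It assumes Grub4DOS `map` treats the file as a raw, sector-for-sector disk image, so only a fixed VHD (raw image plus a 512-byte 'conectix' footer) qualifies; it checks those preconditions from the footer and from sector 0, and emits a menu.lst stanza. The sample images are constructed in memory; the paths, menu title and creator tag are made up.

```python
"""Pre-flight check for the Grub4DOS 'map the VHD as a disk' step.

Added example; not code from the thread or from VeraCrypt. Assumption: Grub4DOS
'map' uses the file as a raw sector-for-sector image, which only a fixed VHD
satisfies. Paths, title and creator tag are hypothetical; samples are constructed.
"""
import struct

FOOTER_SIZE = 512
FOOTER_COOKIE = b"conectix"
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII"       # footer fields up to and including the checksum (68 bytes)
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF      # a fixed VHD carries no dynamic-disk header
MBR_SIGNATURE = b"\x55\xAA"


def footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (bytes 64..68) taken as zero."""
    return (~(sum(footer[:64]) + sum(footer[68:]))) & 0xFFFFFFFF


def vhd_geometry(total_sectors: int):
    """CHS geometry per the VHD spec appendix; returns (sectors_per_track, heads, cylinders)."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cyl_heads = total_sectors // spt
    else:
        spt = 17
        cyl_heads = total_sectors // spt
        heads = max(4, (cyl_heads + 1023) // 1024)
        if cyl_heads >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cyl_heads = total_sectors // spt
        if cyl_heads >= heads * 1024:
            spt, heads = 63, 16
            cyl_heads = total_sectors // spt
    return spt, heads, cyl_heads // heads


def parse_footer(footer: bytes) -> dict:
    """Decode the big-endian VHD footer fields that matter for raw mapping."""
    if len(footer) != FOOTER_SIZE or footer[:8] != FOOTER_COOKIE:
        raise ValueError("no 'conectix' footer: not a VHD")
    (_cookie, _features, _version, data_offset, _ts, _creator, _cver, _cos,
     _original_size, current_size, cyl, heads, spt, disk_type, checksum,
     ) = struct.unpack(FOOTER_FMT, footer[:68])
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "data_offset": data_offset,
        "current_size": current_size,
        "geometry": (cyl, heads, spt),
        "checksum_ok": checksum == footer_checksum(footer),
    }


def check_raw_mappable(image: bytes) -> dict:
    """Is this file usable as a raw disk image: fixed VHD, real MBR in sector 0, sizes consistent?"""
    info = parse_footer(image[-FOOTER_SIZE:])
    info["mbr_signature_ok"] = image[510:512] == MBR_SIGNATURE   # sector 0 must be the MBR, not a footer copy
    info["size_matches"] = len(image) == info["current_size"] + FOOTER_SIZE
    info["mappable"] = (info["disk_type"] == "fixed"
                        and info["data_offset"] == NO_DATA_OFFSET
                        and info["checksum_ok"]
                        and info["mbr_signature_ok"]
                        and info["size_matches"])
    return info


def grub4dos_entry(vhd_path: str, iso_path: str, title: str = "XP via TrueCrypt rescue ISO") -> str:
    """menu.lst stanza: rescue ISO loaded into RAM as (0xff), VHD mapped as (hd0), real disk kept as (hd1)."""
    return "\n".join([
        "title " + title,
        "map --mem %s (0xff)" % iso_path,
        "map %s (hd0)" % vhd_path,
        "map (hd0) (hd1)",
        "map --hook",
        "chainloader (0xff)",
        "",
    ])


def _footer(data_size: int, disk_type: int, data_offset: int) -> bytes:
    """Build a spec-shaped footer with a valid checksum (creator tag 'test' is made up)."""
    spt, heads, cyl = vhd_geometry(data_size // 512)
    footer = bytearray(FOOTER_SIZE)
    struct.pack_into(FOOTER_FMT, footer, 0, FOOTER_COOKIE, 2, 0x00010000, data_offset, 0,
                     b"test", 0, b"Wi2k", data_size, data_size, cyl, heads, spt, disk_type, 0)
    struct.pack_into(">I", footer, 64, footer_checksum(bytes(footer)))
    return bytes(footer)


def make_fixed_vhd(data_size: int) -> bytes:
    """Constructed sample: zeroed sectors with an MBR boot signature, then a fixed-VHD footer."""
    body = bytearray(data_size)
    body[510:512] = MBR_SIGNATURE
    return bytes(body) + _footer(data_size, 2, NO_DATA_OFFSET)


def make_dynamic_vhd_stub(data_size: int) -> bytes:
    """Constructed stub of a dynamic VHD's layout: sector 0 holds a footer copy, so there is no MBR there."""
    footer = _footer(data_size, 3, FOOTER_SIZE)
    return footer + bytes(1024) + footer
```

Run `check_raw_mappable(open("xp.vhd", "rb").read())` on a real image before editing menu.lst: a dynamic VHD fails the check because its first sector is a copy of the footer rather than the MBR that carries the TrueCrypt boot loader, which is exactly the situation in which the mapping silently boots the wrong thing.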
Hello Anonymous, I just read this very interesting post of yours.
Could you please explain in more detail how you set up the whole process to use an encrypted VHD boot image?
Thanks,
V.
PS Hope you will get my message even if more than two years have passed!