
VeraCrypt Rescue Disk on a USB Drive

Anonymous
2015-01-15
2020-03-10
  • Anonymous

    Anonymous - 2015-01-15

    As CD/DVD drives are not included in many ultrabooks and the like, it would be useful for VeraCrypt to use a USB drive as the rescue disk. Otherwise, these machines cannot encrypt the system partition. (Or am I missing something?)

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2015-01-16

    You can always skip the check of the rescue disk being burned by running "VeraCrypt Format.exe" with the option /noisocheck or /n from an elevated command prompt (see https://veracrypt.codeplex.com/wikipage?title=Command%20Line%20Usage).

    Concerning your request, the issue with USB drives is that we can't configure them to be read-only and as such they can be corrupted or overwritten, which is dangerous for a medium that is supposed to provide rescue functionality in the future.

    VeraCrypt doesn't implement any burning functionality and it only calls the Windows built-in ISO burner. It is the responsibility of the user to ensure that the ISO file of the rescue disk is correctly burned or backed up.

    So, for the machines with no CD/DVD drive, the rescue disk check can be turned off manually to be able to encrypt the system, but it is the user's responsibility to ensure that this ISO can be used in the future.
    I'll add in the future an option in the GUI that will be equivalent to the /noisocheck switch.

     
  • Anonymous

    Anonymous - 2015-01-16

    Thanks for the quick reply! Can you clarify a bit?

    If the user does skip the rescue disk burning step, how would a machine with no CD/DVD drive recover the encrypted system should an error occur?

    Are you saying that the user could put the ISO on a USB drive or other backup drive, but that is at the user's risk?

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2015-01-18

    The user can always burn the ISO to a USB key and boot on the USB if he needs to recover. There are many free tools on the internet that can create a bootable USB key from an ISO file (for example [UNetbootin](http://unetbootin.sourceforge.net/)).

    The user should back up the ISO file of the rescue disk in a secure way so that he can create the bootable USB key at any moment. If the user relies only on a created USB key then he can find himself in big trouble if the USB key gets overwritten for any reason. Since a USB key can't be configured to be read-only, there is always a risk that the rescue disk data burned into it gets corrupted. Thus, I say that relying only on the USB key as the only rescue medium is a big risk for the user.

    So, to clarify more: if you have no CD/DVD drive, you can skip the rescue disk check but you have to securely back up the ISO file so that you can create a bootable USB key from it in the future. If the user prefers to create the bootable USB key directly and store it instead of backing up the ISO file, then the user is taking a big risk since a USB key can be overwritten.

     
    • Kevin Boardley

      Kevin Boardley - 2017-01-18

      Hi Mounir
      Could you please address this for me....am I being stupid?
      https://sourceforge.net/p/veracrypt/discussion/general/thread/72765aec/

      I really want to create a rescue disc so that I can continue to see if I can get VC working on my system.

       

      Last edit: Kevin Boardley 2017-01-18
  • rd077

    rd077 - 2015-01-18

    It is very simple to create a bootable USB with FlashBoot, and this software is free for 30 days, Rajko

    http://www.prime-expert.com/flashboot/

     
  • Anonymous

    Anonymous - 2015-02-16

    How can you verify the saved ISO image when no disks are encrypted yet? At the option to burn the ISO image, I saved the file on a USB key so I can create a bootable USB key later (I have no disc burner on my laptop). But there seems to be no option to verify this saved ISO file prior to encrypting my drives (single-boot Windows). I'm afraid of possible errors at booting after choosing cascaded encryption algorithms.

    I also tried to mount the saved ISO via an emulator in Windows. It gives me a file size of 1.75MB, but when opening the mounted ISO there are no files to be seen. Is this a good sign?

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2015-02-17

    VeraCrypt only offers the possibility to verify a disk, not the ISO file (menu System -> Verify Rescue Disk). We suppose that the user will handle the integrity of the ISO file himself when copying it (for example by calculating its SHA-256 checksum).
    That being said, I understand the need of such verification and I'll implement it for the next version.

    It is normal that there are no files in the ISO: the rescue disk includes only a bootloader and backup of the volume header and all these are written in the first sectors of the ISO outside the filesystem part. This is the same as for any other bootable medium like Linux except that the rescue disk doesn't include any files since it only handles the boot.
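
Added example, not part of the original thread and not VeraCrypt code: a Python version of the integrity check suggested above (a SHA-256 checksum of the saved ISO), extended to compare a backup copy or a raw image of a USB key against the recorded digest. It assumes the key was written as a byte-for-byte copy of the ISO; the file names and sample bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_prefix(path, length=None, chunk=1 << 20):
    """SHA-256 of the first `length` bytes of `path` (whole file if None)."""
    digest, remaining = hashlib.sha256(), length
    with open(path, "rb") as fh:
        while remaining is None or remaining > 0:
            block = fh.read(chunk if remaining is None else min(chunk, remaining))
            if not block:
                break
            digest.update(block)
            if remaining is not None:
                remaining -= len(block)
    if remaining:  # source ended before `length` bytes were read
        raise ValueError(f"{path}: shorter than {length} bytes")
    return digest.hexdigest()


def verify_copy(iso_path, recorded_digest, copy_path):
    """Compare a backup copy or raw key image with the ISO and its recorded digest."""
    if sha256_prefix(iso_path) != recorded_digest.lower():
        return "iso-changed"       # the reference ISO itself no longer matches
    try:  # a raw-written key is larger than the ISO, so hash only its first ISO-size bytes
        copy_digest = sha256_prefix(copy_path, os.path.getsize(iso_path))
    except ValueError:
        return "copy-differs"      # copy is truncated
    return "ok" if copy_digest == recorded_digest.lower() else "copy-differs"


def demo():
    data = bytes(range(256)) * 64  # constructed sample bytes, not a real rescue disk
    samples = {"rescue.iso": data,
               "key_good.img": data + b"\x00" * 4096,               # intact copy plus free space
               "key_bad.img": b"\xff" + data[1:] + b"\x00" * 4096,  # first byte overwritten
               "key_short.img": data[:1000]}                        # truncated copy
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name) for name in samples}
        for name, content in samples.items():
            with open(paths[name], "wb") as fh:
                fh.write(content)
        recorded = sha256_prefix(paths["rescue.iso"])  # keep this value with the backup
        return [verify_copy(paths["rescue.iso"], recorded, paths[n])
                for n in ("key_good.img", "key_bad.img", "key_short.img")] + [
            verify_copy(paths["rescue.iso"], "0" * 64, paths["key_good.img"])]

if __name__ == "__main__":
    print(demo())
```

Record the digest when the ISO is first saved and store it separately from the USB key, so that a later overwrite of the key cannot also alter the reference value.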

     
  • Anonymous

    Anonymous - 2015-08-19

    Please remove the requirement for a recovery CD. I do not want one. I would burn the CD anyway so it's a waste of money and resources for everyone.

     

    Last edit: Anonymous 2016-02-02
  • Anonymous

    Anonymous - 2015-09-03

    real world scenario 2015 = usb b

     

    Last edit: Anonymous 2019-09-26
  • Andrew McGlashan

    Should the ISO file be 1,835,008 bytes in size?

    I've tried burning this using various methods to a USB, but it won't ever boot. Is it meant to be a floppy image or what? Does it use syslinux or something else? What type of ISO file is it?

     
  • Fmstrat

    Fmstrat - 2016-12-03

    Please update the documentation at https://veracrypt.codeplex.com/wikipage?title=VeraCrypt%20Rescue%20Disk

    Nothing on the internet is applicable anymore as VeraCrypt creates a rescue ZIP, not a rescue ISO. I have had mixed success leveraging tools like dd and UNetbootin, along with the tool solution provided above (in most cases the USB format exe just fails [Yes, running as administrator]), and have had to reinstall my OS just now because of this.

    We need a stable, reliable way to create USB recovery regardless of OS, both during installation and afterwards.

     
  • Mark Pennington

    Mark Pennington - 2016-12-24

    In regards to USB burning: I know that you state that a USB can't be locked as read-only. Some USB keys do have a switch (I have two sitting next to me right now) that will write-protect it. Additionally, nowadays there are many systems that do not have a DVD drive, and the user does not have an external USB drive, especially on laptops, and therefore have no way of recovering their keys. I personally would write to two different keys, lock them with the write-protect switch, and put them in two different safes so that I don't accidentally use them.
    I respectfully request considering adding an option to write the recovery to a USB key that will boot, and perhaps have part of that a verification in the program.

     
  • Felix Reichmann

    Felix Reichmann - 2019-09-14

    I created a pull request for a documentation update for this case: https://github.com/veracrypt/VeraCrypt/pull/486

     
  • Dave

    Dave - 2019-10-27

    Maybe the VeraCrypt rescue disk screen could warn the user that if they create a bootable USB drive, to use a USB drive that can be made read-only (by moving a switch) and to keep it read-only at all times.

     
  • d3v3lop3r

    d3v3lop3r - 2020-03-10

    Is it possible to use the rescue disk to recover encrypted files on a VeraCrypt encrypted pendrive?

     
