VeraCrypt Rescue Disk on a USB Drive
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
As CD/DVD are not including in many ultrabooks and the like, it would be useful for VeraCrypt to use a USB drive as the rescue disk. Otherwise, these machines cannot encrypt the system partition. (or am I missing something?)
You can always skip the check of the rescue disk being burned by running "VeraCrypt Format.exe" with the option /noisocheck or /n from an elevated command prompt (see https://veracrypt.codeplex.com/wikipage?title=Command%20Line%20Usage).
Concerning your request, the issue with USB drives is that we can't configure them to be read-only and as such they can be corrupted or overwritten, which is dangerous for a medium that is supposed to provide rescue functionality in the future.
VeraCrypt doesn't implement any burning functionality and it only calls Windows built-in ISO burner. It is the responsibility of the user to ensure that the ISO file of the rescue disk is correctly burned or backup-ed.
So, for the machines with no CD/DVD drive, the rescue disk check can be turned off manually to be able to encrypt the system but it is the user responsibility to ensure that this ISO can be used in the future.
I'll add in the future an option in the GUI that will be equivalent to the /noisocheck switch.
Thanks for the quick reply! Can you clarify a bit.
If the user does skip the rescue disk burning step, how would a machine with no CD/DVD drive recover the encrypted system should an error occur?
Are you saying that the user could put the ISO on a USB drive or other backup drive, but that is at the users' risk?
The user can always burn the ISO to a USB key and boot on the USB if he needs to recover. There are many free tools on the internet that can create a bootable USB key from an ISO file (for example [UNetbootin)(http://unetbootin.sourceforge.net/)).
The user should backup the ISO file of the rescue disk in a secure way so that he can creates the bootable USB key at any moment. If the user relies only on a created USB key then he can find him self in big trouble if the USB key gets overwritten for any reason. Since a USB key can't be configured to be readonly, there is always a risk that the riscue disk data burned into it get corrupted. Thus, I say that relying only on the USB key as the only rescue medium is a big risk for the user.
So, to clarify more: if you have no CD/DVD drive, you can skip the rescue disk check but you have to securely backup the ISO file so that you can create a bootable USB key from it in the future. If the user prefers to create the bootabe USB key directly and store it instead of the backuping the ISO file, then the user is taking a big risk since a USB key can be overwritten.
Hi Mounir
Could you please address this for me....am I being stupid?
https://sourceforge.net/p/veracrypt/discussion/general/thread/72765aec/
I really want to create a rescue disc so that I can continue to see if I can get VC working on my system.
Last edit: Kevin Boardley 2017-01-18
It is very simple to create bootle USB with FlashBoot and this software
is free for 30 days, Rajko
http://www.prime-expert.com/flashboot/
How can you verify that the saved ISO-image when no disks are encrypted yet? At the option to burn the ISO-image, I saved the file on a USB-key so I can create a bootable USB-key later (I have no disc burner on my laptop). But there seems to be no option to verify this saved ISO-file prior to encypting my drives (single boot windows). I'm afraid of possible errors at booting after choosing cascaded encryption algorithms.
I also tried to mount the saved ISO via an emulator in windows. It gives me a filesize of 1.75MB, but when opening the mounted ISO there are no files to be seen. Is this a good sign?
VeraCrypt only offers the possibility to verify a disk not the ISO file (menu System -> Verify Rescue Disk). We suppose that the user will handle the integrity of the ISO file himself when copying it (for example by calculating its SHA-256 checksum).
That being said, I understand the need of such verification and I'll implement it for the next version.
It is normal that there are no files in the ISO: the rescue disk includes only a bootloader and backup of the volume header and all these are written in the first sectors of the ISO outside the filesystem part. This is the same as for any other bootable medium like Linux except that the rescue disk doesn't include any files since it only handles the boot.
View and moderate all "Feature requests" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
Please remove the requirement for recovery CD. I do not want one. I would burn the CD anyway so it's waste of money and resources for everyone.
Last edit: Anonymous 2016-02-02
View and moderate all "Feature requests" comments posted by this user
Mark all as spam, and block user from posting to "Forums"
real world scenario 2015 = usb b
Last edit: Anonymous 2019-09-26
Should the ISO file be 1,835,008 bytes in size?
I've tried burning this using various methods to a USB, but it won't ever boot. Is it meant to be a floppy image or what? Does it use syslinux or something else? What type of ISO file is it?
Yes, this is the corrected size.
For creating a bootable USB drive from the Rescue Disk, I have already created a package containing all necessary free tools alongside steps to follow.
The package can be found at http://sourceforge.net/projects/veracrypt/files/Contributions/VeraCryptUsbRescueDisk.zip/download
You can find a detailed information at the following Codeplex post: https://veracrypt.codeplex.com/discussions/644091#post1457184
This information has been posted before on Sourceforge: https://sourceforge.net/p/veracrypt/discussion/general/thread/b6725803/#b4b0
Please update the documentation at https://veracrypt.codeplex.com/wikipage?title=VeraCrypt%20Rescue%20Disk
Nothing on the internet is applicable anymore as Veracrypt creates a rescue ZIP, not a rescue ISO. I have had mixed success leveraging tools like dd and Unetbootin, along with the tool solution provided above (in most cases the usb format exe just fails [Yes, running as administrator]), and have had to reinstall my OS just now because of this.
We need a stable, reliable way to create USB recovery reguardless of OS, both during installation, and aftewards.
In regards to USB burning. I know that you state that a USB can't be lcoked as read only. Some USB keys do have a switch (I have two sitting next to me right now), that will write protect it. Additionally, now days there are many systems that do not have a DVD drive, and the user does not have an external USB drive, especially on Laptops, and therefore have no way of recovering their keys. I personally would write to two different keys, lock them with the write protect switch, and put in two different safes so that I don't accidently use them.
I respsectly request considering adding an option to write the recovery to a USB Key that will boot, and perhaps have part of that a verification in the program.
I created a pull request for a documentation update for this case: https://github.com/veracrypt/VeraCrypt/pull/486
Maybe the VeraCrypt rescue disk screen could warn the user that if they create a bootable USB drive, to use a USB drive that can be made read-only (by moving a switch) and to keep it read-only at all times.
Is it possible to use rescue disk to recover encrypted files on a veracrypt encrypted pendrive ?