Add the possibility to use keyfiles for system encryption

Kdmeizk
2017-06-24
2018-04-21
  • Kdmeizk

    Kdmeizk - 2017-06-24

    This is the only missing method which prevents me from fully using VeraCrypt because the password has to be at least 20 characters long to be useful and this method is not easy to use if I want to change the password every month for example. While with keyfiles, it is just magic!

    By the way, thank you for your work on VeraCrypt. Like TLS for Internet, it is a very important project. Thank you again!

    Last edit: Kdmeizk 2017-06-24
  • Alex

    Alex - 2017-06-25

    There is a possibility to use two-factor authorization.
    1. I know - password+PIM
    2. I have - USB flash

    See the demo:
    https://sourceforge.net/projects/dc5/files/beta/

    http://sendvid.com/px9jirm6
    scenario of the demo:
    1. OS key on vbox_hiddenos_key.vhd
    2. key connected -> password request -> password from encrypted OS (veraen) -> boot OS from disk 1
    3. key connected -> password request -> password from hidden OS (verahid) -> boot OS from disk 2
    4. OS key disconnected -> boot Linux

    Note: Also possible to use TPM to protect boot chain and save extra secret to TPM.

  • Kdmeizk

    Kdmeizk - 2017-06-25

    Alex's solutions should be in VeraCrypt when finalized, as he said. It seems impossible for me to edit the title of this thread with “[ALREADY IN PROGRESS] Add the possibility to use keyfiles for system encryption”, for example.

    So, every reader considers this thread as: ALREADY IN PROGRESS.

  • G51

    G51 - 2017-08-23

    I came here and signed up for a SourceForge account to make this request.

    I had previously mentioned it in the old forums here:
    https://veracrypt.codeplex.com/discussions/656304

    What I am after is something I can use to properly replace Bitlocker for not just me but for friends/family as well.

    I.e. my requirements for this are that it has the ability to boot automatically if the USB is plugged in during start-up. Optionally (and that's important) you can have a password/PIN as well.

    My family will not want an extra password to boot their computers, but being able to remove a USB and be assured that it is properly encrypted and unable to be read is the ideal solution.

    Willing to help test, etc.

    • Alex

      Alex - 2017-08-26

      It is possible to log in with USB only and without a password.

      1. Configuration of the USB (via EFI shell and the DcsCfg tool (-srm -srw -sra switches))

      -srm <SRT> - mark disk as security regions container (write CRC of platform to sector 61); <SRT> - number of possible security regions
      -srw <SRT> - wipe security regions data with random data (write random data to [62, 62 + 256 * SRT]); it has to be free! Check the first partition start sector!
      -sra <SRN> - add <gpt_file_name> to security region <SRN>

      2. Set parameters in DcsProp

      Try to find security region
      <config key="SecRegionSearch">0</config>

      AutoLogin 0/1 Possibility to avoid password prompt
      AutoPassword is password by default
      Use it with PlatformLocked or TPMLocked enabled to lock password to the computer.

      <config key="AutoLogin">0</config>
      <config key="AutoPassword"></config>

      PS. DCS/VC is flexible. There are many possibilities but it can require some efforts to configure.

      Last edit: Alex 2017-08-26
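The warning in Alex's post ("it has to be free! check first partition start sector!") is the step most likely to go wrong when setting this up, since -srw overwrites sectors [62, 62 + 256 * SRT] with random data. The script below is an added example (not part of this thread, and not DCS or VeraCrypt code) that reads the primary GPT of a raw disk image per the UEFI header layout and reports whether sector 61 and the -srw range fall after the partition entry array and before the first partition. The sector figures (61, 62, 256 per region) are taken from the post; treating the range as inclusive at both ends is an assumption made to stay conservative, and the GPT image is constructed in memory with a single partition at LBA 2048 rather than read from a real disk.

```python
import struct

SECTOR = 512
# Layout figures quoted in Alex's post: -srm writes the platform CRC to sector 61 and
# -srw fills sectors [62, 62 + 256 * SRT] with random data, which must therefore be unused.
PLATFORM_CRC_SECTOR = 61
SEC_REGION_FIRST = 62
SECTORS_PER_REGION = 256


def security_region_range(srt):
    """Sectors (first, last) that -srw would overwrite for SRT security regions.
    The post writes the range as [62, 62 + 256 * SRT]; both ends are treated as
    inclusive here (an assumption, chosen to be conservative)."""
    if srt < 1:
        raise ValueError("SRT must be at least 1")
    return SEC_REGION_FIRST, SEC_REGION_FIRST + SECTORS_PER_REGION * srt


def parse_gpt(image):
    """Parse the primary GPT of a raw disk image.
    Returns (last LBA of the partition entry array, [(first_lba, last_lba), ...])."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header signature at LBA 1")
    # UEFI spec header offsets: 72 = partition entry array LBA (u64),
    # 80 = number of entries (u32), 84 = size of one entry (u32).
    (entry_lba,) = struct.unpack_from("<Q", hdr, 72)
    n_entries, entry_size = struct.unpack_from("<II", hdr, 80)
    array_last = entry_lba + (n_entries * entry_size + SECTOR - 1) // SECTOR - 1
    parts = []
    base = entry_lba * SECTOR
    for i in range(n_entries):
        ent = image[base + i * entry_size: base + (i + 1) * entry_size]
        if len(ent) < 48:
            break                      # truncated image: no more entries to read
        if ent[:16] == bytes(16):
            continue                   # all-zero type GUID marks an unused slot
        first, last = struct.unpack_from("<QQ", ent, 32)
        parts.append((first, last))
    return array_last, parts


def check_security_regions_fit(image, srt):
    """(ok, reason): ok is True when sector 61 and the -srw range lie after the GPT
    entry array and before the first partition, i.e. the space really is free."""
    lo, hi = security_region_range(srt)
    array_last, parts = parse_gpt(image)
    if PLATFORM_CRC_SECTOR <= array_last or lo <= array_last:
        return False, "overlaps the GPT partition entry array (ends at LBA %d)" % array_last
    first_part = min(p[0] for p in parts) if parts else None
    if first_part is not None and hi >= first_part:
        return False, "sectors up to %d overlap the first partition at LBA %d" % (hi, first_part)
    return True, "sectors %d-%d are free" % (lo, hi)


def make_sample_image():
    """Constructed GPT metadata only (protective MBR area, header, 128-entry array);
    not a real disk. One partition starts at LBA 2048, the usual 1 MiB alignment."""
    img = bytearray(34 * SECTOR)
    hdr = memoryview(img)[SECTOR:2 * SECTOR]
    hdr[:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # entry array begins at LBA 2
    struct.pack_into("<II", hdr, 80, 128, 128)  # 128 entries of 128 bytes (LBA 2..33)
    ent = memoryview(img)[2 * SECTOR:2 * SECTOR + 128]
    ent[:16] = bytes(range(1, 17))              # non-zero type GUID marks the slot in use
    ent[16:32] = bytes(range(17, 33))           # arbitrary unique partition GUID
    struct.pack_into("<QQ", ent, 32, 2048, 100000)
    return bytes(img)


if __name__ == "__main__":
    img = make_sample_image()
    for srt in (1, 7, 8):
        ok, why = check_security_regions_fit(img, srt)
        print("SRT=%d: %s (%s)" % (srt, "OK" if ok else "UNSAFE", why))
```

With the first partition at LBA 2048, SRT up to 7 fits (the range ends at sector 1854) while SRT=8 runs to sector 2110 and would overwrite the start of the partition; on a real disk you would feed the script the first 34 sectors read from the device instead of the constructed image.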
      • G51

        G51 - 2017-10-18

        Sorry, you will have to treat me like a child - how do I go about setting up USB authentication for system encryption in simpler steps?

        • Alex

          Alex - 2017-10-18
          • G51

            G51 - 2017-10-18

            But I don't want a hidden OS? Sorry for maybe missing the point.

            Or are you suggesting this same process can be applied to a normal OS?

            • Alex

              Alex - 2017-10-19

              Yes, the same procedure for a normal OS. See "-srm", "-srw", "-sra" and SecRegionSearch=1.

              Last edit: Alex 2017-10-19
  • Kdmeizk

    Kdmeizk - 2017-08-23

    We need to wait until this is OK, I think. Maybe we can hope to have it before 2018.

  • - 2017-08-31

    I'm very interested in using keyfiles to protect my system drive!

    https://veracrypt.codeplex.com/workitem/63
    https://veracrypt.codeplex.com/workitem/27

    Here are the respective proposed features that would enable external keyfiles on e.g. USB-sticks.
    I would prefer to store a small keyfile together with a bootloader on a USB-drive, then boot the PC from the USB.

    Last edit: 2017-08-31
    • Alex

      Alex - 2017-09-01

      It is possible. Look at hidden OS discussion for UEFI.

  • - 2018-04-19

    I am only looking for a keyfile-featured VeraCrypt bootloader.

  • Marcus webster

    Marcus webster - 2018-04-21

    I would love to use the keyfile feature for system encryption, just like it's currently possible for containers. If you have 1000 keyfiles on a USB drive and the ability to select one or more of them, enter a password and PIM, it would be the ultimate solution.
