I need to update my Windows and without decrypting the disk the process fails.
How can I temporarily decrypt my disk via the VeraCrypt GUI? I want to keep my password, bootloader, and rescue disk, so I can later re-encrypt it.
I can do this using the rescue disk, but I can't find this option in the GUI. Where is it? It seems like it should be a very common operation since most major Windows updates require decrypting the disk.
Thanks.
You cannot "temporarily" decrypt a volume or system encryption in VeraCrypt.
For Windows OS upgrades, not patches, you have to decrypt the OS drive, upgrade, re-encrypt and create a new Rescue Disk.
For Windows 10 64-bit OS, if you are technically inclined, Alex has procedures for performing a Windows 10 upgrade without decrypting.
https://github.com/th-wilde/veracrypt-w10-patcher
Thank you for your response. However, it's not true that you can't temporarily decrypt a volume. I can do it just fine using the rescue disk. I can decrypt my whole drive, then upgrade Windows, then boot Windows, and encrypt it again using the same password and rescue disk; I've done it several times. The only problem is that it requires booting into the recovery disk. I think this option should be added to the GUI.
I think we have a language barrier regarding the word "temporary". The VeraCrypt disk/volume is either encrypted or decrypted. Not suspended like BitLocker.
You are correct that you can decrypt, upgrade the OS and encrypt again.
However, you need to recreate the Rescue Disk because the encryption key is different from what is stored on the previous Rescue Disk.
If you attempt to use the previous Rescue Disk(s) to decrypt your system drive, in essence you are encrypting the drive, because the encryption key on the old Rescue Disk is not the correct encryption key, causing you to lose the ability to decrypt your system drive via the old Rescue Disk.
EDIT:
You can decrypt and encrypt the system encryption via the GUI. There is no reason to use the Rescue Disk for these operations unless you are unable to boot into Windows.
Last edit: Enigma2Illusion 2017-10-23
So to clarify: does it mean that if I encrypt my disk, then boot into the rescue disk and decrypt my disk, then boot into Windows and re-encrypt my disk, the old rescue disk is no longer valid even though the encryption is using the same password and seed?
Do not confuse "seed" with the Personal Iterations Multiplier (PIM). You cannot control the value of the salt (seed).
Correct. Another issue with using the old Rescue Disk after re-encrypting the system drive/partition again is that the option to restore the Master Key (Encryption Key) would be invalid and result in loss of access to the data.
https://www.veracrypt.fr/en/VeraCrypt%20Rescue%20Disk.html
You seem to think that the password creates the encryption key. This is incorrect. The encryption key is created independently using the Random Number Generator.
https://www.veracrypt.fr/en/Random%20Number%20Generator.html
The password, PIM and/or keyfiles are used to validate mounting the volume. Using the same password for creating a VeraCrypt volume generates a different hash because the salt is different.
https://www.veracrypt.fr/en/Header%20Key%20Derivation.html
https://www.veracrypt.fr/en/Encryption%20Scheme.html
Last edit: Enigma2Illusion 2017-10-24
Makes sense, thank you.
However, it's very worrying, because if it's true then it means that now I have a device encrypted without any valid rescue disk.
I think that it would be a good idea to either disable the option to re-encrypt the device after decrypting it via the rescue disk, or at least give a warning. The only option to re-encrypt the device should be to go through the standard procedure then (where you generate your seed by moving your mouse, and then get the rescue disk). Now I have an encrypted disk, and VeraCrypt didn't even give me the new rescue disk. This sounds very bad.
Are you saying that when you re-encrypted the system drive/partition again via the GUI that you were not prompted to create a Rescue Disk? You should have been prompted to create a Rescue Disk anytime you encrypt the system drive/partition.
Perhaps the message in the GUI for the Rescue Disk screen should say:
Before you can encrypt the partition/drive, you must create a new VeraCrypt Rescue Disk, which...
The key word above is "new".
To my knowledge, the Rescue Disk repair options are:
Permanently Decrypt System Partition
Restore VeraCrypt Boot Loader
Restore Key Data (this is your encryption key)
Restore Original System Loader
Last edit: Enigma2Illusion 2017-10-24
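The point made in the replies above (the master key comes from the Random Number Generator, the password only derives a header key over a random salt, and a Rescue Disk is a saved copy of that header, so the old disk's "Restore Key Data" option writes back the wrong master key after a re-encryption) can be modelled in a few dozen lines. The block below is an added, constructed example written for this page; it is not code from the thread or from the VeraCrypt project. The 64-byte salt, the "VERA" header magic and PBKDF2-HMAC derivation mirror the real header layout, but the SHA-512 counter-mode keystream is a stand-in for AES-XTS, the iteration count is deliberately tiny, and the password and "disk contents" are made-up sample inputs. It also goes one step beyond the thread by checking that a wrong password is rejected at the header.

```python
"""Toy model of VeraCrypt-style header / master-key separation (illustration only).

Constructed example: the master key is random and independent of the password;
the password only derives a header key (PBKDF2 over a random salt) that unlocks
the header holding the master key. A "rescue disk" here is just a copy of the
header. The cipher is a SHA-512 counter-mode keystream standing in for AES-XTS.
"""
import hashlib
import os
import zlib

SALT_LEN = 64         # a VeraCrypt header begins with a 64-byte random salt
MASTER_KEY_LEN = 64   # e.g. two 256-bit keys for XTS mode
MAGIC = b"VERA"       # ASCII magic at the start of the decrypted header
PBKDF2_ITER = 2048    # assumption: kept small so the demo runs fast; the real product uses far more


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-XTS: XOR data with a SHA-512 counter-mode keystream."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 64)):
        ks = hashlib.sha512(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 64], ks))
    return bytes(out)


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    """Header key = PBKDF2-HMAC(password, salt). Same password + different salt => different key."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ITER, dklen=64)


def create_volume(password: bytes, plaintext: bytes, rng=os.urandom):
    """Encrypt 'plaintext' under a fresh random master key; return (header, ciphertext).

    The header is exactly what a Rescue Disk preserves: salt || Enc(header_key, magic || crc || master_key).
    """
    master_key = rng(MASTER_KEY_LEN)
    salt = rng(SALT_LEN)
    body = MAGIC + zlib.crc32(master_key).to_bytes(4, "big") + master_key
    header = salt + _keystream_xor(derive_header_key(password, salt), body)
    return header, _keystream_xor(master_key, plaintext)


def unlock_header(password: bytes, header: bytes):
    """Mount step: recover the master key from a header, or None if the password is wrong."""
    salt, enc = header[:SALT_LEN], header[SALT_LEN:]
    body = _keystream_xor(derive_header_key(password, salt), enc)
    if body[:4] != MAGIC:
        return None
    crc, master_key = int.from_bytes(body[4:8], "big"), body[8:]
    return master_key if zlib.crc32(master_key) == crc else None


def decrypt_volume(master_key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(master_key, ciphertext)


def demo() -> dict:
    """Encrypt, decrypt, 're-encrypt with the same password', then try the old rescue disk."""
    pw = b"correct horse"                                          # constructed sample password
    data = b"C:\\Windows system partition contents (constructed)"  # constructed sample data
    hdr1, ct1 = create_volume(pw, data)
    rescue_disk = hdr1                       # header copy taken at first encryption
    plain = decrypt_volume(unlock_header(pw, hdr1), ct1)   # decrypt for the "OS upgrade"
    hdr2, ct2 = create_volume(pw, plain)     # re-encrypt: new salt, new master key
    old_key = unlock_header(pw, rescue_disk)  # the old disk still accepts the password...
    return {
        "same_password_unlocks_old_rescue": old_key is not None,
        "salts_differ": hdr1[:SALT_LEN] != hdr2[:SALT_LEN],
        "header_keys_differ": derive_header_key(pw, hdr1[:SALT_LEN]) != derive_header_key(pw, hdr2[:SALT_LEN]),
        "master_keys_differ": old_key != unlock_header(pw, hdr2),
        # ...but "Restore Key Data" from it would install old_key, which cannot decrypt ct2,
        # and the only copy of the new master key (in hdr2) would be overwritten.
        "old_rescue_recovers_new_data": decrypt_volume(old_key, ct2) == plain,
        "wrong_password_rejected": unlock_header(b"wrong password", hdr2) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two flags are the practical lesson of the thread: an old Rescue Disk will happily accept your unchanged password, which makes it look valid, yet the master key it carries belongs to the previous encryption instance. That is why a new Rescue Disk must be written every time the system partition is re-encrypted, and why "Restore Key Data" from a stale disk destroys access rather than restoring it.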
Please tell me, what is the difference between Restore Boot Loader and Restore Original System Loader?
Restore VeraCrypt Boot Loader, as the name implies, restores the VeraCrypt bootloader.
Restore Original System Loader restores the Microsoft bootloader. Sometimes when you decrypt the system partition/drive, the VeraCrypt bootloader is not replaced by the Microsoft bootloader. Or, if you use disk imaging software, the restored drive is unencrypted and you would use this option to restore the Microsoft bootloader.
Thank you very much for your help :)
Last edit: Tulip81 2017-10-24
No, I wasn't prompted to create a new Rescue Disk.
It really sounds like I've discovered a new feature which not even the devs were aware of.
I can provide repro steps for you to try yourself:
What is the version of VeraCrypt?
What version of Windows and 32 or 64-bit OS?
Click on the lower left Windows icon and type Winver then hit return.
Last edit: Enigma2Illusion 2017-10-24
1.19 I think
Windows 10 Home 64 bit 1703 (15063.674)
Last edit: ison 2017-10-24
VeraCrypt version 1.19 has a Rescue Disk bug that is displayed at the top of the webpage in Announcements.
https://sourceforge.net/p/veracrypt/discussion/general/thread/d7d2a042/
Please upgrade to version 1.21, or you can upgrade to 1.22 Beta 3, which appears to be stable.
https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
I'm aware of the bug, but I thought it didn't affect the fact that you can reencrypt your drive.
If it's no longer possible in 1.21 then the problem is solved.
The issue you are reporting may be the result of a 1.19 bug that was fixed in 1.20. However, additional bug fixes have been released in 1.21 and 1.22 Beta3.
Would you be able to help the developers by testing your procedures with 1.22 Beta3 to make sure the issue you are reporting is resolved?
Last edit: Enigma2Illusion 2017-10-24
Currently I don't have any working backup computer, so I'd rather not risk it. But as soon as I get one I'll try to test it.