veracrypt is not booting (windows 10 UEFI)

Nanana
2016-08-28
2024-03-21
  • Nanana

    Nanana - 2016-08-28

    As I read the news that VeraCrypt finally works on UEFI systems, I tried to encrypt my Windows 10 Acer laptop. Therefore I disabled Secure Boot. After that I ran the VeraCrypt program and finished it. It showed that my main (whole) partition was successfully encrypted. When I turned off the PC and restarted it, no password was asked, and while it boots it gets into endless Automatic Repair failures and restart loops. I can't even set it back to where it was before because of the encryption.

    When I ran the test to see if the password works while installing VeraCrypt, it worked fine. But after encryption it does not boot properly.

    Can anyone help me out? Why doesn't the request for the password appear?

     

    Last edit: Nanana 2016-08-28
  • Alex

    Alex - 2016-08-28

    There is problem with EFI boot menu.

    You can boot rescue disk and decrypt OS or restore boot menu.

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2016-08-28

    I confirm Alex's assessment that this is a boot menu issue, and after further investigation it turns out that it affects mostly ACER machines.

    Actually, ACER EFI firmware has non-standard behavior with regard to an important EFI variable (BootOrder), as it doesn't persist any change to it after a cold boot, and this apparently happens because Secure Boot is disabled.
    That's why the Pre-Test was successful, since it was a reboot and not a cold boot: after a reboot, the change to BootOrder is preserved.

    I found a long discussion about this issue on the forums of another open source project dealing with EFI (efibootmgr): https://github.com/rhinstaller/efibootmgr/issues/19#issuecomment-66692028

    For now, you will have to use the Rescue Disk to restore the boot menu and reboot to start Windows. You can also use the Rescue Disk to decrypt your system although it is better to decrypt it from Windows.

    If you didn't save your Rescue Disk zip file, you can follow the procedure I describe in this video where I use a Linux Mint Live CD to boot the machine and access the content of the encrypted Windows partition using VeraCrypt on Linux: https://www.youtube.com/watch?v=4xJrVGzAk0Y

    This ACER non-standard behavior is making it impossible to have a persistent VeraCrypt bootloader... not sure if we will be able to find a workaround for it.

     
  • John Rezzo

    John Rezzo - 2016-08-31

    I'm having the same problem on a HP ENVY laptop model 13-d010nl running Windows 10 Home with UEFI firmware (last updated on August 16th, 2016). The pre-test passes successfully and the Windows partition gets correctly encrypted (I can't choose the 'full drive' option, by the way). But once rebooted, the system starts the automatic repair procedure.

    In my case the repair procedure fails without entering an endless loop, so I just have to choose the 'boot from USB device' option, then choose the .efi file created by Veracrypt Rescue Disk wizard to re-gain access to my Windows installation – and eventually proceed to decrypt the partition.

     

    Last edit: John Rezzo 2016-08-31
  • Michael Eber

    Michael Eber - 2016-09-18

    So I have a worktop development machine with the requirement to have full drive encryption. Naturally it was no decision on choosing VeraCrypt. Everything went great but only with Safe Boot turned off. When I turn it back on I'm apparently missing the Veracrypt boot loader on the EFI partition. So I must have missed a step that requires a manual step. How do I get my boot loader setup correctly so that I can turn on Safe Boot?

    Dell Inspiron 5559

     

    Last edit: Michael Eber 2016-09-18
  • John Rezzo

    John Rezzo - 2016-09-20

    Hi Alex. By any chance, setting VeraCrypt certificate in BIOS and enabling Secure Boot could help to avoid the "Automatic repair procedure" problem I described above? Thanks

     
  • Alex

    Alex - 2016-09-21

    I suspect - yes. But I cannot reproduce the problem. Need experiment.

     
  • Martin

    Martin - 2016-10-01

    Hi guys,

    Just to add to this. I have the exact same issue on a HP laptop - Windows 10 (UEFI). Ran the pretest, let it encrypt my HDD overnight (took about 14 hours). Once I booted after the encryption process, my machine went into an automatic repair loop. I've got around it so far by selecting boot device options on startup, which allows me to boot from an EFI file, which eventually allows me to boot from the VeraCrypt bootloader. Obviously I'm seeking a more permanent solution to this problem. Here are pictures of every step along the way. Hopefully this may help in the troubleshooting process. See attached. Also file(2).jpg, where it asks which OS to boot from. This initially didn't appear, but after a few boots (or maybe 1) it appeared as an added step. Do you think the only solution in my case is to just decrypt the HDD and do without?

     

    Last edit: Martin 2016-10-01
    • Alex

      Alex - 2016-10-02

      HP boot loader differs from the UEFI spec. It always loads EFI\Microsoft\Boot\Bootmgfw.efi and does not allow changing the boot order.

      Probably you can do the following:
      1. Rename EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi
      2. edit DcsProp file and add config key
      <config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>
      3. Copy DcsBoot.efi to EFI\Microsoft\Boot\bootmgfw.efi

      To access the EFI volume from Windows, from an admin console:

      mountvol o: /s
      notepad o:\EFI\VeraCrypt\DcsProp
      ren o:\EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi

       

      Last edit: Alex 2016-10-02
      • mynewsletter

        mynewsletter - 2016-12-17

        Hi Alex,

        Is it possible to add your suggestion to VeraCrypt? I think it is quite simple to detect HP laptop.

         
      • Robert Smith

        Robert Smith - 2017-05-11

        In case anyone is coming up after this, these are the chronological steps you want to take to successfully complete this workaround:

        1. R-click win10 icon in bottom left of screen
        2. L-click command prompt (admin)
        3. click yes when prompted for admin privilege
        4. mountvol P: /S. (You can change P: to any unused drive letter; that's arbitrary.)
          Use the Command Prompt window to access the P: (EFI System Partition, or ESP) volume.
          p:
        5. ren P:\EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi
        6. copy P:\EFI\VeraCrypt\DcsBoot.efi P:\EFI\Microsoft\Boot\bootmgfw.efi
        7. notepad P:\EFI\VeraCrypt\DcsProp
        8. inside of the notepad window that should have opened, add the following line
          <config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>
        9. File > Save
        10. close notepad
        11. shut down computer and then re-power after 10+ seconds of power off

        It worked for me, good luck

         

        Last edit: Robert Smith 2017-07-15
  • Martin

    Martin - 2016-10-02

    Hi Alex,

    Thanks a million for your solution. It worked perfectly. You're a genius :)

     
  • Carlos M

    Carlos M - 2016-10-09

    Not sure how Windows will complain when doing this, but I deleted the file located in \windows\boot\efi\bootmgfw.efi to make it more difficult for Windows to replace it back in the ESP. My reasoning is that Windows Update copies the file from that directory sometimes, but I’m not sure. Does anyone know if this will work? If this does, this opens the possibilities for truly working around most firmwares to truly use UEFI as I think the spec intended, because it will fall back to using bootx64.efi in the case of my laptop’s firmware.

     

    Last edit: Carlos M 2016-10-09
  • Carlos M

    Carlos M - 2016-10-09

    More experimenting:

    For those of you with an HP firmware, I now think the firmware resets the boot order variable based on the order of the boot entry hex. So if it can’t find bootmgfw.efi, it’ll set bootx64.efi on top. This only happens if you go in the onetime boot menu I think.

    If this is true, I have to make sure VeraCrypt appears first in the onetime boot menu so it always loads first. Since the boot menu appears to show the entries in order from lowest hex to highest hex, I’d have to delete all entries that have the first slots filled, and then create them in the order I want them to appear in the firmware.

    My current setup doesn’t have a bootx64.efi and bootmgfw.efi file in the ESP, so I’m using the VeraCrypt binary under \EFI\VeraCrypt\DcsBoot.efi to load \EFI\Microsoft\Boot\bootmgfw_ms.efi. It works, and I don’t have to worry about the firmware resetting it, unless ms copies back bootmgfw.efi into the ESP.

     
  • Bob Puk

    Bob Puk - 2016-10-18

    I have found how to use acer uefi:
    first set administrator password in uefi, then clear secure boot record, add the veracrypt efi to trusted efi image, reboot, press f12 to select boot image (this is important, this step will save what efi you have to future boot)

     
    • Nanana

      Nanana - 2016-10-18

      Thank you for the advice!
      How do you clear the secure boot and add the trusted efi image?

       
  • Kesav MS

    Kesav MS - 2016-10-29

    I have a HP Pavilion x360 laptop and I had the same problem mentioned by Nanana and Martin in this thread. It was going through endless Windows 10 automatic repair loops instead of loading Veracrypt's efi file. So the only way to get the laptop to load Windows 10 is either to use the Veracrypt Rescue Disk or to manually select Veracrypt's efi file by going through HP's boot menu by pressing F9 as soon as the laptop is powered on (but before it starts the Windows 10 automatic repair).

    Alex's solution worked (thanks a ton to him!). It worked fine as long as the bootmgfw.efi, DcsBoot.efi or DcsProp files were not modified further. In my case, Windows Update replaced bootmgfw.efi, which brought the problem back. So I had to replace bootmgfw.efi again with the DcsBoot.efi file (copy and rename) to make it work again.

    In the second instance, I upgraded Veracrypt from 1.18a to 1.19, which might have modified/replaced the DcsProp file and/or the DcsBoot.efi file. Veracrypt's efi loaded fine but it was going through an endless loop of asking for the password to decrypt the drive. It never further loaded Windows 10. So I would guess the DcsProp file was reset by the Veracrypt upgrade.
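
A read-only check of the ESP state that the workaround in this thread produces, for re-running after a Windows Update or a VeraCrypt upgrade such as the ones reported in the post above. This is an added example, not part of the thread and not VeraCrypt's own tooling; the function name `Test-DcsWorkaround` and the default drive letter `P:` are assumptions, and the DcsProp line is the one given in Alex's post.

```powershell
# Added example (not VeraCrypt tooling): read-only check of the workaround's ESP state.
# Run in an elevated PowerShell after `mountvol P: /S`; the drive letter is arbitrary.
param([string]$Esp = 'P:')

function Test-DcsWorkaround {
    param([Parameter(Mandatory)][string]$EspRoot)

    $active  = "$EspRoot\EFI\Microsoft\Boot\bootmgfw.efi"     # file the firmware loads
    $renamed = "$EspRoot\EFI\Microsoft\Boot\bootmgfw_ms.efi"  # original Microsoft loader
    $dcsBoot = "$EspRoot\EFI\VeraCrypt\DcsBoot.efi"
    $dcsProp = "$EspRoot\EFI\VeraCrypt\DcsProp"
    # Config line exactly as given in the thread.
    $wanted  = '<config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>'

    # All four files must exist before the content checks make sense.
    $findings = @()
    foreach ($f in $active, $renamed, $dcsBoot, $dcsProp) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { $findings += "missing: $f" }
    }
    if ($findings.Count -gt 0) { return $findings }

    # bootmgfw.efi has to be a byte-for-byte copy of the current DcsBoot.efi.
    $hActive = (Get-FileHash -LiteralPath $active  -Algorithm SHA256).Hash
    $hDcs    = (Get-FileHash -LiteralPath $dcsBoot -Algorithm SHA256).Hash
    if ($hActive -ne $hDcs) {
        $findings += 'bootmgfw.efi is not a copy of DcsBoot.efi (one of the two was replaced)'
    }

    # DcsProp has to still carry the hand-off entry to the renamed Microsoft loader.
    if (-not (Select-String -LiteralPath $dcsProp -SimpleMatch -Pattern $wanted -Quiet)) {
        $findings += 'DcsProp has no ActionSuccess entry pointing at bootmgfw_ms.efi'
    }
    return $findings
}

$result = @(Test-DcsWorkaround -EspRoot $Esp)
if ($result.Count -eq 0) {
    'OK: firmware path loads DcsBoot.efi, which hands off to bootmgfw_ms.efi'
} else {
    $result | ForEach-Object { "DRIFT: $_" }
    exit 1
}
```

The script changes nothing on the ESP; a `DRIFT` line only tells you which of the three manual steps needs to be repeated before the next cold boot.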

     
  • eidc

    eidc - 2016-10-31

    I have an ASUS running Windows 10 and Ubuntu. When I tried to encrypt the Windows 10 system partition, I encountered an error stating that the boot loader requires 32 KB of free space at the beginning of the system drive (screenshot attached). I'm not sure how to do this, and I'm afraid of doing anything that might destabilize the system. Can anyone point me to some resources to help me understand how to free up the 32KB? (Would shrinking the partition directly before the Windows partition do it?)

     

    Last edit: eidc 2016-10-31
  • Benjamin J Collins

    I have the same problem with the HP firmware as others above.
    Can anyone break down these steps a little further to help me do this?

    HP boot loader differs from the UEFI spec. It always loads EFI\Microsoft\Boot\Bootmgfw.efi and does not allow changing the boot order.
    Probably you can do the following:
    1. Rename EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi
    2. edit DcsProp file and add config key
    <config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>
    3. Copy DcsBoot.efi to EFI\Microsoft\Boot\bootmgfw.efi
    To access the EFI volume from Windows, from an admin console:
    mountvol o: /s
    notepad o:\EFI\VeraCrypt\DcsProp
    ren o:\EFI\Microsoft\Boot\bootmgfw.efi bootmgfw_ms.efi
    

    I tried doing this inside of windows 10 and I get access denied (even though I'm on as admin) when I try the notepad and renaming. So, I imagine I have to do it in PE. Where am I getting the DcsProp and DcsBoot files from? And what command does step 3 above at command line?

    Thank you.

     
    • Alex

      Alex - 2016-12-02

      You have to execute cmd.exe with administrative privileges.
      DcsBoot and DcsProp are on EFI boot volume ( o:\ in the script above)

       
      • Benjamin J Collins

        Thank you. And what does "copy DcsBoot.efi to EFI\Microsoft\Boot\Bootmgfw.efi" mean?
        The contents of the one to the other? Or rename DcsBoot.efi and move it?
        Thank you.
        And where is DcsBoot.efi coming from?

         

        Last edit: Benjamin J Collins 2016-12-03
        • Alex

          Alex - 2016-12-04

          to move
          EFI\Microsoft\Boot\Bootmgfw.efi => EFI\Microsoft\Boot\Bootmgfw_ms.efi
          to copy
          EFI\VeraCrypt\DcsBoot.efi => EFI\Microsoft\Boot\Bootmgfw.efi

           
  • Burningx2x

    Burningx2x - 2016-12-03

    Hello, I have the same issue. I can't start my system, I have no recovery, and it loops: Windows is repairing.

     