
Security Regions and sector 61 (dcscfg.dcs -srm / -srdump) confusion

Jerzy
2018-05-02
2018-05-03
  • Jerzy

    Jerzy - 2018-05-02

    Hi
    First I want to thank all people for sharing information on this forum.
    Without that I could not even dream of going through the process of making
    hidden system with UEFI boot.

    I hope I'm almost done, but I'm stuck on problems with security
    regions/containers.

    Can someone share some wisdom on how to safely "unmark" block device as a
    security region container?
    And how to tell if one is marked as such? (every device allows to dump at
    least one key with -srdump key -ds <dn> so this doesn't seem to be the
    right way to do this).

    I tried with hexeditor and dd (by saving sector 61 to disk, changing first
    bit and writing it back to disk).

    I also tried to do
    EFI\VeraCrypt\DcsCfg.dcs -srm 0 -ds <device no>
    in hope that marking it with zero can effectively unmark that - but windows
    "fixed" that for system volume and regarding other volumes I still don't
    know if they remain "marked"

    Right now my windows system disc allows to dump MANY security keys with
    -srdump.
    All other dump one sector except for one partition that I want to have as
    security region container (it has 8 regions)

    The reason for my struggle is that from this thread
    https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/?page=0
    I understood that there has to be only one block device marked as the
    security region container.

    And I faced the similar problem as described by Felis:
    " noticed that every time either windows is booting it is trying to scan
    and repair some volume. . I went to EFI shell and executed:
    -srdump key -ds 7(MSR)
    And dumped a tone of keys from this partition. Seems this is my problem.
    "

    In my case I dumped hundreds of keys from 4 partitions on two hard drives.

    I tried to fix this as described above - with dd or by
    EFI\VeraCrypt\DcsCfg.dcs -srm 0 ....

    Thank you for help!
    Jerzy

     
  • Jerzy

    Jerzy - 2018-05-03

    I overwrote sector 61 with the following command:
    dd if=/dev/sdb3 of=myimage.img seek=61 count=1 bs=512
    (now I use linux dd - before I tried with win dd)

    And the strangest thing is that whatever I put into "myimage.img" the result is the same.
    efi\veracrypt\dcscfg.dcs -srdump key -ds 10
    (-ds 10 is the same partition as /dev/sdb3 - I checked unique ID via mountvol and compared size)
    dumps a bazillion keys.

    Am I missing something?
    Is it possible that sector 61 as seen by DD is not sector 61 as seen by efi\veracrypt\dcscfg.dcs ??

    I used attached images to overwrite sector 61 - one filled with hex 01 and second with random values.

     
  • Jerzy

    Jerzy - 2018-05-03

    OK I did some more research and I found out that the command
    efi\veracrypt\dcscfg.dcs -srm 0 -ds 10
    does not write anything to the sector 61 - retrieved via
    dd if=/dev/sdb3 of=myimage.img skip=61 count=1 bs=512

    I double checked that -ds 10 is same block dev. as /dev/sdb3 (same id - checked via blkid)

    So where does it write?

    I checked everything retrieved via:
    dd if=/dev/sdb3 of=myimage.img skip=1 count=62 bs=512
    before and after "-srm" command - no change...

    I feel like I'm missing some basic concept :(
    I'd appreciate any directions what that might be.....

    Maybe I'm wrong about sector size ? (I use 512)
    Sector size as reported by fdisk -l
    logical/physical = 512 bytes / 4096 bytes

    Does efi\veracrypt\dcscfg.dcs use logical or physical?
    It seems that it's 512 - if I read correctly DcsCfgCrypt.c line 1569:
    res = bio->WriteBlocks(bio, bio->Media->MediaId, 61, 512, adm);

     

    Last edit: Jerzy 2018-05-03
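
How dd's if=/of= direction and seek=/skip= decide whether sector 61 is read or written, as an added example that is not part of the original posts. A constructed scratch image stands in for a partition such as /dev/sdb3, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: a 64 KiB scratch file stands in for a partition such as
# /dev/sdb3. Function names are hypothetical; no real block device is touched.

make_scratch() {   # $1 = path; 128 zeroed 512-byte sectors
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
}

make_pattern() {   # $1 = path; one sector filled with 0x01
    dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\000' '\001' > "$1"
}

sector_sum() {     # $1 = image, $2 = sector; prints the CRC of that sector
    dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | cksum | cut -d' ' -f1
}

# Device is the INPUT: seek=61 positions the OUTPUT file, so the device is
# only read and the image file is the thing that gets modified.
device_as_input() {    # $1 = device, $2 = image file
    dd if="$1" of="$2" bs=512 seek=61 count=1 2>/dev/null
}

# Device is the OUTPUT: seek=61 now addresses sector 61 of the device.
# conv=notrunc keeps dd from truncating a regular-file target at the seek offset.
device_as_output() {   # $1 = image file, $2 = device
    dd if="$1" of="$2" bs=512 seek=61 count=1 conv=notrunc 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    dev="$dir/scratch.img"; img="$dir/pattern.img"
    make_scratch "$dev"; make_pattern "$img"
    before=$(sector_sum "$dev" 61)

    device_as_input "$dev" "$img"
    [ "$(sector_sum "$dev" 61)" = "$before" ] && echo "if=device: sector 61 unchanged"

    make_pattern "$img"
    device_as_output "$img" "$dev"
    [ "$(sector_sum "$dev" 61)" != "$before" ] && echo "of=device: sector 61 rewritten"
    [ "$(sector_sum "$dev" 60)" = "$before" ] && echo "sector 60 untouched"
    rm -rf "$dir"
}
demo
```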
