
Hidden OS in EFI mode

DJ Bonez
2017-06-07
2024-03-17
  • DJ Bonez

    DJ Bonez - 2017-06-07

    Hello guys,
    looking forward to finding any suggestions to get my current plan done.

    I'd like to organize my new Samsung 850 Evo SSD like this in EFI mode:
    | 1. Windows Partition | 2. Data Partition | 3. Hidden OS |

    1. Partition should be secured by PBA password.
    2. Data Partition should be mounted from OS on 1. partition.
    3. Hidden OS should only be mounted when USB with key is plugged and correct password is entered.

    So if...
    ... USB key is plugged and password 1 is entered -> starting OS on 1. partition
    ... USB key is plugged and password 2 is entered -> starting Hidden OS on 3. partition
    ... no USB key is plugged and password 1 is entered -> starting OS on 1. partition
    ... no USB key is plugged and password 2 is entered -> nothing happened

    I saw an experimental solution in 1.20 beta 2, which I tried to adapt here. But I didn't get through the configuration steps in the EFI shell, because I don't have any experience with EFI and my mainboard doesn't have its own EFI shell to boot.

    My configuration actually looks like this:
    || EFI (converted to recovery partition to protect it) | OS (encrypted) || DATA (encrypted) ||
    || DUMMY (start of outer volume) || HIDDEN_EFI | HIDDEN_OS (encrypted) || DUMMY (end of outer volume) ||

    Any suggestions on how to get the dummies and the future hidden partitions into an unremarkable outer volume? I'm open to any similar workaround, too.
    How can I execute the shell commands without an EFI shell in UEFI mode? The EFI shell on a USB stick wasn't working as expected; commands weren't executable.

    Thanks in advance.

     
    • Dag Hero

      Dag Hero - 2018-02-10

      You have basically the same request I do with a similar setup. I'd bounty a guide on how to do this. I am running out of hardware that supports booting from master boot record.

      I'd like to have w10 in hidden mode, but I can't. I am not tech savvy enough to get this done. If you ever figure it out, or someone is kind enough to do so, could you make a noob guide. I am able to get hidden OS working in MBR, no problem, but EFI is hard. Makes no sense. UEFI BIOS says I have an option for EFI shell, but I have absolutely no idea what to type in there....

       
  • DJ Bonez

    DJ Bonez - 2017-06-07

    I refer to this project: https://sourceforge.net/projects/dc5/files/beta/
    Maybe someone could explain to me what to do exactly. For example I don't know what S62 means and how to create these masterkeys, etc.

     
  • Alex

    Alex - 2017-06-07

    Hello DJ Bonez,

    Your scenario is possible. I wrote support for the scenario several months ago.

    Probably I can try to help to install hidden OS but it will require some efforts from you to prepare disk and to investigate details.

    S62 means "sector 62". It contains the keys for the encrypted OS.

    The EFI shell can be downloaded from tianocore:
    https://github.com/tianocore/edk2/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi

    Note about primary OS and encryption: Primary OS (POS) has to be encrypted. The logic is the following: the VeraCrypt loader is installed => the disk has to contain an encrypted OS. If the disk does not contain an encrypted OS, it is suspicious.

    About hidden OS (HOS) in EFI.
    First step is to arrange several sequential partitions for HOS.
    Part. 1 - decoy space (several GBs. enough to contain decoy data)
    Part. 2 - EFI system partition (ESP) ~400MB for MS boot loader (bootmgfw)
    Part. 3 - HOS partition ~30GB+ (IMHO)
    Part. 4 - decoy space

    Final result (after HOS installed) partitions 1,2,3,4 will look like one big data partition encrypted with decoy data.

    These partitions can be created on a new disk or with an OS installed. The new disk way is simple (just install the OS). If the disk contains an OS installed with an ESP, it is necessary to back up the ESP and hide or remove it.

    This is the first step.

    Next step is OS installation. (install but do not encrypt!)
    After OS installation the header (S62) has to be prepared from the EFI shell.
    USB key flash has to be prepared from EFI shell also.

    In general the idea is described in disk_encryption_v1_2.pdf (idea/steps/commands)

    Let me know if you plan to continue ;)

    PS. I do not improve/simplify installation of HOS because there is very little interest in the problem. (IMHO)

     

    Last edit: Alex 2017-06-08
  • DJ Bonez

    DJ Bonez - 2017-06-27

    Hello Alex,
    thank you very much for your support. Unfortunately I didn't have enough time to continue my plan in the last weeks.
    At the moment there are three partitions on my disk: The boot loader, my primary OS and a data partition, which is mounted at booting primary OS.
    There is still enough free space to implement a hidden OS, of course, since I still want to do it.

    If I understand correctly, I now have to backup first 260 MB (EFI) in front of my primary OS or simply convert it to a recovery partition. Then I create 4 partitions for hidden OS and install hidden OS on partition 3.

    EFI shell is still a problem for me. Do I have to create a USB stick with VeraCrypt and EFI shell or do I only need EFI shell for preparing OS header and USB key flash?

    Thanks in advance
    Bonez

     

    Last edit: DJ Bonez 2017-06-27
  • DJ Bonez

    DJ Bonez - 2017-07-05

    Any suggestions?

     
  • DJ Bonez

    DJ Bonez - 2017-08-10

    Hey guys,

    I started another try today. But again I didn't get finished.

    I used the instructions of the installation scenario in 2.1.3 from disk_encryption_v1_2.pdf.

    1. Protect ESP - check.
    2. Create partitions for hidden OS - check.
    3. Install H_OS and VeraCrypt in H_OS - check.
    4. Start system encryption - check.

    5. Modify encryption range to include outer volumes
      Here is where the problem started.

    I executed EFI\VeraCrypt\DcsCfg.dcs -oshideprep -rnd 2

    a) Start of outer: Outer_Start
    b) End of outer: Outer_End
    c) Wipe outer volumes? Yes
    d) Init outer header? Yes, typed fake_password1 (= password for whole Outer Volume, right?)
    Save outer? Yes
    e) Asked for another password, typed fake_password2 (= password for OuterEnd, isn't it?)
    Save outer? Yes
    f) Update main encryption header? Yes (but what?)
    Which password do I have to use here? Password for H_OS?
    g) Encrypted GPT filename? gpt_enc
    (This should be the GPT table with 4 hidden partitions, correct?)
    h) Create GPT with 1 hidden volume? Yes
    i) Hidden GPT filename: gpt_hos
    (So, hidden GPT filename saves the GPT table for loader of ordinary OS?)

    6. Create authorization USB for H_OS

    a) Executed EFI\VeraCrypt\DcsCfg.dcs -srw 2 -ds 1
    (I think, I used the recovery USB for authorization. How do I get the correct USB number? Is it possible to create another USB key afterwards?)

    b) Executed EFI\VeraCrypt\DcsCfg.dcs -srm 2 -ds 1

    c) I wasn't sure which gpt_file I have to use here, so I tried both.
    Only EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -aa -pe worked with password of H_OS.

    Is this correct so far?

    d) EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -sra 0 -ds 1
    (I think, this copies the GPT table for HOS with all partitions to USB?)

    e) How do I "Edit DcsProp config keys" from here??

    7. Boot H_OS and encrypt - no problem

    8. Boot from rescue USB for H_OS
      (From now it is necessary to use the "right" recovery USB, before it was not?)

    Update GPT to hide H_OS and H_ESP
    EFI\VeraCrypt\DcsCfg.dcs -pf <gpt_file> -pe <ESP_N> -ps
    (<gpt_file> have to be gpt_hos from 5.i, correct? And <ESP_N> is the ESP for ordinary OS?)

    EFI\VeraCrypt\DcsCfg.dcs -ds <driveN> -pf <gpt_file> -pa
    (<driveN> is the authorization USB from step 6?)

    9. Restore ESP from recovery type

    Do I have to boot from rescue USB into HOS or ordinary OS?

    How do I install the DCS loader to VeraCrypt part?
    (Simply copy from DcsPkg\x64\VeraCrypt\ to ESP?)

    How do I modify S62 with entire disk range?

    How do I get to final disk state?

     

    Last edit: DJ Bonez 2017-08-10
    • Alex

      Alex - 2017-08-11

      I executed EFI\VeraCrypt\DcsCfg.dcs -oshideprep -rnd 2

      a) Start of outer: Outer_Start
      b) End of outer: Outer_End

      Select partition index in list

      c) Wipe outer volumes? Yes

      wipe outers with randoms! (important to hide encryption)

      d) Init outer header? Yes, typed fake_password1 (= password for whole Outer Volume, right?)
      Save outer? Yes

      Create fake password for ordinary outer (entire volume)

      e) Asked for another password, typed fake_password2 (= password for OuterEnd, isn't it?)
      Save outer? Yes

      Outer end - yes (as hidden part of outer. This is not HOS)

      f) Update main encryption header? Yes (but what?)
      Which password do I have to use here? Password for H_OS?

      Password for H_OS - correct. (from start encryption procedure). It modifies range to include ESP and HOS. Range: ( end of outer start, start of outer end)

      g) Encrypted GPT filename? gpt_enc
      (This should be the GPT table with 4 hidden partitions, correct?)

      yes. GPT to boot HOS.

      h) Create GPT with 1 hidden volume? Yes
      i) Hidden GPT filename: gpt_hos
      (So, hidden GPT filename saves the GPT table for loader of ordinary OS?)

      GPT to hide HOS.

      Create authorization USB for H_OS
      

      a) Executed EFI\VeraCrypt\DcsCfg.dcs -srw 2 -ds 1
      (I think, I used the recovery USB for authorization. How do I get the correct USB number? Is it possible to create another USB key afterwards?)

      **list of disks:
      dcscfg -dl d
      or
      dcscfg -dl

      see man: dcscfg.dcf.man for details.

      -srm 2 is possible but probably it is better to use ~8**

      b) Executed EFI\VeraCrypt\DcsCfg.dcs -srm 2 -ds 1
      c) I wasn't sure which gpt_file I have to use here, so I tried both.
      NO! gpt_enc to save to USB. gpt_hid to apply to disk.

      Only EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -aa -pe worked with password of H_OS.
      Is this correct so far?
      yes!

      d) EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -sra 0 -ds 1
      (I think, this copies the GPT table for HOS with all partitions to USB?)
      yes

      e) How do I "Edit DcsProp config keys" from here??

      Decoy OS is normal encrypted OS. Edit DcsProp from the OS.

      Boot H_OS and encrypt - no problem
      
      Boot from rescue USB for H_OS
      (From now it is necessary to use the "right" recovery USB, before it was not?)
      

      Update GPT to hide H_OS and H_ESP
      EFI\VeraCrypt\DcsCfg.dcs -pf gpt_hid -ds <DISKN> -pa
      It updates the GPT on disk N. To list disks use:
      EFI\VeraCrypt\DcsCfg.dcs -dl d

      EFI\VeraCrypt\DcsCfg.dcs -pf <gpt_file> -pe <ESP_N> -ps
      (<gpt_file> have to be gpt_hos from 5.i, correct? And <ESP_N> is the ESP for ordinary OS?)
      NO!

      EFI\VeraCrypt\DcsCfg.dcs -ds <driveN> -pf <gpt_file> -pa
      (<driveN> is the authorization USB from step 6?)
      NO!

      Restore ESP from recovery type
      

      Do I have to boot from rescue USB into HOS or ordinary OS?

      How do I install the DCS loader to VeraCrypt part?
      (Simply copy from DcsPkg\x64\VeraCrypt\ to ESP?)

      Install Decoy OS and encrypt. (install after hide HOS: EFI\VeraCrypt\DcsCfg.dcs -pf gpt_hid -ds <DISKN> -pa )

      How do I modify S62 with entire disk range?
      It is modified by -oshideprep.
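The steps above (and the four-partition layout in Alex's first reply) are easier to follow with a concrete GPT in front of you. The following is an added example, my own Python code and not part of VeraCrypt/DCS or of this thread: it builds a small GPT for the layout ESP / OS / outer start / H_ESP / H_OS / outer end, parses it back with signature and CRC32 checks, computes the range the S62 header has to cover after -oshideprep (end of outer start to start of outer end, as Alex says), and derives the "hiding" view in which the four hidden-OS partitions appear as one decoy data partition. The partition names, sizes, the disk size and the name DATA2 are constructed assumptions, and the file formats DcsCfg actually writes for gpt_enc / gpt_hid are not modelled; only the two partition-type GUIDs are real well-known values.

```python
"""Added example (my code, not VeraCrypt/DCS code): GPT entry-array parser plus
the hidden-OS range and 'hiding GPT' derivation discussed in the thread.
Partition names, sizes and disk geometry are constructed for the demo."""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE = 128
NUM_ENTRIES = 128            # the usual minimum: 32 sectors of entries
ENTRIES_LBA = 2              # entry array directly follows the header at LBA 1

ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")     # EFI System Partition
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")   # Microsoft basic data


def build_entries(parts):
    """Serialise (name, type_guid, first_lba, last_lba) tuples into a GPT entry array."""
    blob = bytearray(NUM_ENTRIES * ENTRY_SIZE)
    for i, (name, ptype, first, last) in enumerate(parts):
        uniq = uuid.uuid5(uuid.NAMESPACE_DNS, name)   # deterministic "unique" GUID for the demo
        entry = ptype.bytes_le + uniq.bytes_le + struct.pack("<QQQ", first, last, 0)
        entry += name.encode("utf-16-le").ljust(72, b"\0")
        blob[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = entry
    return bytes(blob)


def build_gpt(parts, disk_sectors):
    """Return the primary GPT (header sector + entry array) with both CRC32 fields set."""
    entries = build_entries(parts)
    hdr = struct.pack("<8sIIII QQQQ 16s QIII",
                      b"EFI PART", 0x00010000, 92, 0, 0,      # CRC field zero while hashing
                      1, disk_sectors - 1, 34, disk_sectors - 34,
                      uuid.uuid5(uuid.NAMESPACE_DNS, "demo-disk").bytes_le,
                      ENTRIES_LBA, NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return hdr.ljust(SECTOR, b"\0") + entries


def parse_gpt(image):
    """Check signature and both CRCs, then return the used entries as dicts."""
    hdr = image[:92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != struct.unpack_from("<I", hdr, 16)[0]:
        raise ValueError("header CRC mismatch")
    entries_lba, count, size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    off = (entries_lba - 1) * SECTOR             # image starts at LBA 1
    blob = image[off:off + count * size]
    if zlib.crc32(blob) != entries_crc:
        raise ValueError("entry array CRC mismatch")
    parts = []
    for i in range(count):
        e = blob[i * size:(i + 1) * size]
        ptype = uuid.UUID(bytes_le=e[:16])
        if ptype.int == 0:                       # unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"name": e[56:128].decode("utf-16-le").rstrip("\0"),
                      "type": ptype, "first": first, "last": last})
    return parts


def gpt_is_valid(image):
    try:
        parse_gpt(image)
        return True
    except ValueError:
        return False


def hidden_os_range(parts):
    """Range the S62 header has to cover after -oshideprep: from the end of the
    outer start to the start of the outer end, i.e. H_ESP plus H_OS."""
    by = {p["name"]: p for p in parts}
    return by["OUTER_START"]["last"] + 1, by["OUTER_END"]["first"] - 1


def hide_hidden_os(parts, decoy_name="DATA2"):
    """Derive the 'hiding' view: outer start, H_ESP, H_OS and outer end become one
    basic-data partition spanning the whole outer volume; other entries are kept."""
    by = {p["name"]: p for p in parts}
    out = []
    for p in parts:
        if p["name"] == "OUTER_START":
            out.append((decoy_name, BASIC_DATA, p["first"], by["OUTER_END"]["last"]))
        elif p["name"] not in ("H_ESP", "H_OS", "OUTER_END"):
            out.append((p["name"], p["type"], p["first"], p["last"]))
    return out


# Constructed layout (sectors) on a 60 GiB pretend disk: decoy ESP, decoy OS,
# then Alex's parts 1-4 for the hidden OS.
LAYOUT = [
    ("ESP", ESP_TYPE, 2048, 821247),
    ("OS", BASIC_DATA, 821248, 41943039),
    ("OUTER_START", BASIC_DATA, 41943040, 46137343),
    ("H_ESP", ESP_TYPE, 46137344, 46956543),
    ("H_OS", BASIC_DATA, 46956544, 109051903),
    ("OUTER_END", BASIC_DATA, 109051904, 125829086),
]
DISK_SECTORS = 125829120


def demo():
    boot_gpt = build_gpt(LAYOUT, DISK_SECTORS)                  # the view gpt_enc carries
    parts = parse_gpt(boot_gpt)
    hid_gpt = build_gpt(hide_hidden_os(parts), DISK_SECTORS)    # the view gpt_hid applies
    return hidden_os_range(parts), [p["name"] for p in parse_gpt(hid_gpt)]


if __name__ == "__main__":
    print(demo())   # ((46137344, 109051903), ['ESP', 'OS', 'DATA2'])
```

Running it prints the header range and the partition names left visible after the hiding view is applied: only ESP, OS and one large data partition remain, which is exactly why Alex insists on wiping the outer partitions with random data first. Without that wipe, the sectors of the "data partition" that are not covered by decoy data would not look like an encrypted volume.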

       
  • DJ Bonez

    DJ Bonez - 2017-08-11

    Thank you very much for your response, Alex.

    I think, I'm close to finish my project. But there are still a few questions:

    1. Why is it probably better to use up to 8 possible security regions on the authorization USB?

    2. EFI\VeraCrypt\DcsCfg.dcs -pf gpt_enc -sra 0 -ds 1
      writes encrypted gpt_table to security region 0 on device 1. Is there any reason to use any other or more than one security region on device?

    3. Is it possible to protect security regions from changes? Are they going to be damaged when formatting USB?

    4. EFI\VeraCrypt\DcsCfg.dcs -pf gpt_hos -pe <ESP_N> -ps
      seems to be wrong in documentation? Do I have to encrypt the gpt_hos table before writing on disk? (Step 8)

    5. If ordinary OS is already encrypted, I only have to restore ESP from recovery type to EFI and change DcsProp config keys at the end?

    Regards

     
  • Alex

    Alex - 2017-08-11
    1. Number of SR initialized hides real number of OS installed. Also there is possibility to move picture password and DcsProp to SR.
    2. You can save header of ordinary OS encrypted to SR or create several HOS.
    3. This is not a problem. Recovery is possible if you have gpt_enc.
    4. gpt_hos - it is open. Docs - copy paste error. Thank you.
    5. yes
     
  • DJ Bonez

    DJ Bonez - 2017-08-12

    Thanks Alex, everything is running fine now.

    Although I protected ESP by converting to recovery partition I had to restore VeraCrypt loader and volume header of ordinary OS after hidden OS encryption was done.

    I'll save GPT tables on separate device like recovery disks of the systems. Thanks for the info.

    Have a nice weekend!

    P.S.: HiddenOS.pdf describes, how I created hidden OS. Maybe this could help some other users.

     

    Last edit: DJ Bonez 2017-08-12
    • Alex

      Alex - 2017-08-12

      Good result :)

      Probably there is an important step: Boot ordinary OS - mount outer and quick format fat32 or exfat. Mount outer hidden - format any (e.g. NTFS and copy any data)

       
  • DJ Bonez

    DJ Bonez - 2017-11-14

    Hey Alex,
    I actually have new questions about hidden OS in EFI.

    1. Is it possible to save the GPT table with hidden partitions in a security region of a USB stick, too?
      Like described in my scenario, I'd like to boot regular OS, when USB with SR is connected and regular password is used. At the moment, when USB stick is connected, regular OS is not bootable from VeraCrypt loader.
      I already tried with "DcsCfg.dcs -pf gpt_hos -sra <SR> -ds <USB>", but gpt_hos is not encrypted and I do not know which password I have to use.

    2. How do I create a new USB stick with the GPT table for hidden OS?
      I used the following commands without success:
      "DcsCfg.dcs -srw <maxSR> -ds <USB> -rnd 2
      DcsCfg.dcs -srm <maxSR> -ds <USB>
      DcsCfg.dcs -pf gpt_enc -sra <SR_hos> -ds <USB>"
      The USB stick is not working for booting hidden OS. Older sticks are still usable.
      (Maybe it is possible to clone security regions of an existing USB stick to a new one as an alternative?!)

    Thanks in advance.

    Kind regards,
    Bonez

     

    Last edit: DJ Bonez 2017-11-14
    • Alex

      Alex - 2017-11-14

      Hello DJ Bonez,

      Need clarification
      1. Scenario: Loader is installed. USB connected. Password entered. Ordinary OS booted. (Driver in ordinary OS is installed as boot device). New GPT is selected. Correct?
      Probably the scenario is possible but easier to use DcsWinCfg tool to create several hidden volumes.
      2. Commands look correct. What does it mean "USB stick not working"? (no password prompt? wrong password? )

       

      Last edit: Alex 2017-11-14
  • DJ Bonez

    DJ Bonez - 2017-11-16

    Thank you for your fast reaction.

    1. Yes, I'd like to boot ordinary OS with regular password, whether USB with SR is connected or not. So in sense of plausible deniability I could demonstrate regular booting, although stick maybe is identified as a key.
      So I thought I have to write the GPT table with hidden volume to one SR on USB. Loader is searching for SR, finds SR 2 and SR 3 on the USB connected -> SR 2 with password 1 = ordinary OS; SR 3 with password 2 = hidden OS.
      But GPT_HOS (GPT table with hidden volume for ordinary OS) can't be written to SR, since I have to encrypt it first. The passwords for ordinary OS, hidden outer volume or hidden inner volume are not valid here.
      Or is there any other way to boot ordinary OS, although stick with SR for hidden OS is connected?

    2. I created SR like described, but can't boot to hidden OS. When using older USB stick with same SR, hidden OS is booting.

     
    • Alex

      Alex - 2017-12-05
      1. It is possible to write SR without GPT. Save GPT + header for ordinary encrypted OS. Remove GPT from saved file. Encrypt. Add to USB.
      2. Need details. How do you create the USB?
       
  • tulip

    tulip - 2018-01-06

    Hi DJ Bonez & Alex,

    I have a question. Two, to be exact. But first - thank you both a lot. Alex, you for doing the work needed to create the opportunity to do this on UEFI systems and the continual help you're providing here, DJ Bonez for sharing his steps which saved me a lot of trial and error. Thanks guys. Hope you have a great 2018.

    1. Could either of you share the steps needed to create a backup "auth_usb" for booting the hidden os after the whole decoy_os + hidden_os system has been set up? I've tried the srw+srm+sra steps while booting from hidden_os rescue usb with shell, but, as expected, there was no "gpt_enc" to load and I have no idea on how to proceed... should I somehow dump the SRs from the existing "auth_usb" and then somehow copy them to another one? Would something like that even work? Do I need to somehow extract the gpt_enc applied to a SR on the "auth_usb", decrypt/reencrypt + apply to a new "auth_usb"? How?

    2. Another question, Bonez, did you succeed in creating a "combo auth_usb" - to be able to boot the decoy os both with and without the "auth_usb" connected and the hidden os only with "auth_usb" connected? If you did, could you please share the steps?

    3. Finally,

    Probably there is an important step: Boot ordinary OS - mount outer and quick format fat32 or exfat. Mount outer hidden - format any (e.g. NTFS and copy any data)

    Is it safe to do when the full setup is finished?

    Thanks

     
    • Alex

      Alex - 2018-01-06

      1) If there is USB with key and the USB is not platform locked it is possible to use switch "-srdump"

      -srdump <SFX> - dump security regions from USB to files (list of files created - N<SFX>)

      e.g. DcsCfg -srdump _regs -ds <BN>
      BN - number of USB device with keys

      I added the possibility in the latest beta.

      2) the following scenario is possible (tested).
      USB connected, picture password requested. Authorization for decoy os is also possible (header for decoy os saved to the USB SR also).
      USB not found - ordinary password requested. Sector 62 is used.
      Configuration: save header with key of decoy OS to sector 62 and add DcsBootForce=1 to DcsProp

      3) How to hide is up to you. The technology gives possibility to create multiple hidden OS and hide volume at any sectors range.
      Note: NTFS uses middle of volume to create index...

       

      Last edit: Alex 2018-01-06
  • Felis

    Felis - 2018-02-09

    Hi everyone!
    I spent quite a while trying to create a hidden system in EFI mode, and this branch also helped me a lot: https://sourceforge.net/p/veracrypt/discussion/technical/thread/f90bcf05/

    I'm not very familiar with EFI, so I took a HiddenOS.pdf from DJ Bonez as a reference and faced some problems. All questions and notes I had during the process are listed in a pdf file attached, to avoid creating large post.
    I don't want to use a USB stick for authentication, so I created another small partition on my disk to store keys; maybe the problem is there.

    Anyway if someone can help me to accomplish this process, I will create a manual for dummies on how to do it with screenshots and all the stuff, just like HiddenOS.pdf or disk_encryption_v1_2.pdf
    those are really helpful!

     

    Last edit: Felis 2018-02-09
    • Alex

      Alex - 2018-02-10

      Good manual. You did most of steps.

      DcsProp is on EFI volume for decoy OS. (to mount ESP use "mountvol" tool)
      Directory EFI\Veracrypt\DcsProp
      or it is possible to edit DcsProp via VeraCrypt->System settings

      What version of VeraCrypt do you use? 1.22B4 contains the latest fixes.

       
      • Felis

        Felis - 2018-02-12

        Hi Alex,

        Thanks, now I know how to edit DcsProp manually. VeraCrypt -> System settings returns an error for some reason.

        I was using version 1.21 but after your comment I decided to take version 1.22B4 and start everything from scratch. Also I decided to take a USB stick to repeat every step in the manual exactly as DJ Bonez described to get at least something working. But I failed with no idea how to debug. Here's what happened:
        After I went through all steps I had no VeraCrypt bootloader in the boot menu, so I had to restore it from the decoy OS rescue disk. But I was able to boot neither to decoy nor to HOS, with the message "wrong password PIM or hash"; inserting and removing the authorization USB made no difference.
        So I "Restored VeraCrypt binaries on system disk" and finally was able to boot into decoy OS. It means I cannot boot into decoy OS while SecRegionSearch=1.

        Under decoy OS I can mount outer partition using "Fake_Password1"
        Also I can mount outer partition with hidden volume protection using "Fake_Password2"
        And I can mount hidden "Outer_End" partition.
        But I can not mount Hidden OS partition in either way. Is that correct?

        Here are some more questions:

        1. After wiping N security regions on the authorization USB, should I add an encrypted GPT to an arbitrary security region or should I use the first one?

        2. Any preparation needed for the authorization USB? Should it be formatted in some way or cleaned?

        3. To check if authorization USB is created correctly I use -srdump. If keyfiles are dumped successfully, does it mean authorization USB is ok?

        4. VeraCrypt rescue disk gives an option to "Remove VeraCrypt loader from boot menu". It works, but the VeraCrypt folder and all the files are not removed from ESP. Is that correct operation?

        5. After setting SecRegionSearch=1 the bootloader works way slower, two minutes before any result. Can I check or debug if it really goes inside the authorization USB?

        Any suggestions on what else I can do and check are welcome.
        Thanks

         
      • alfie mr

        alfie mr - 2018-10-23

        hello alex

        I have tried editing the DcsProp from the decoy OS using veracrypt >> system settings >> edit the bootloader, but in my configuration there is no config key line with SecRegionSearch nor DcsBootForce.
        Can someone explain what I should do in order to add that line into my bootloader?

        BACKGROUND INFORMATION
        Currently I'm using the V2 tutorial created by Felis

         
        • Alex

          Alex - 2018-10-23
           
          • alfie mr

            alfie mr - 2018-10-24

            Hello alex
            I had a look at the DCSProp.example and it seems this is what I should be getting as my DcsProp, but where is this file located in my system: in the decoy ESP partition, the H_ESP or USB? Or do I have to download the files from karvsrf and replace the DcsProp file in one of these locations (D_ESP, H_ESP, USB)?

             
            • Alex

              Alex - 2018-10-25

              D_ESP
              Logic of boot loader:
              1. It is started from D_ESP (according to EFI boot menu (bootorder))
              2. It loads DcsProp from D_ESP
              3. If SecRegionSearch selected => Search for block devices marked by "DcsCfg -srm"
              4. If the device is found => Check for DcsProp in security region => load and update parameters according to the DcsProp found
              5. Authorization...
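To make the two keys and the override step concrete, here is an added example, my own Python code, not DCS code and not from this thread: it sets SecRegionSearch and DcsBootForce in a DcsProp-style XML, appending a key that is missing (alfie mr's case above), and models steps 2 to 4 of the boot-loader logic, where a DcsProp found in a security region overrides the values loaded from D_ESP. The XML layout (a VeraCrypt root element holding config elements keyed by name) is assumed from DcsProp.example; the sample files, their other keys and their values are constructed, so compare them against your own file before writing anything back to the ESP.

```python
"""Added example (my code, not VeraCrypt/DCS code): edit DcsProp keys and model
the loader's 'security-region DcsProp overrides the ESP one' step.
The XML layout is assumed from DcsProp.example; samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed decoy-ESP DcsProp: SecRegionSearch present, DcsBootForce missing.
ESP_DCSPROP = """<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
  <config key="Rnd">0</config>
  <config key="SecRegionSearch">0</config>
</VeraCrypt>
"""

# Constructed DcsProp as it might sit in a USB security region; overrides one key.
SR_DCSPROP = """<VeraCrypt>
  <config key="PasswordType">1</config>
</VeraCrypt>
"""


def _root(xml_text):
    """Parse from bytes so an encoding declaration in the file is honoured."""
    return ET.fromstring(xml_text.encode("utf-8"))


def read_config(xml_text):
    """Return {key: value} for every <config> element."""
    return {c.get("key"): (c.text or "").strip() for c in _root(xml_text).findall("config")}


def set_config_key(xml_text, key, value):
    """Update <config key=KEY> if present, otherwise append it; return (new xml, action)."""
    root = _root(xml_text)
    for cfg in root.findall("config"):
        if cfg.get("key") == key:
            cfg.text = str(value)
            action = "updated"
            break
    else:
        ET.SubElement(root, "config", key=key).text = str(value)
        action = "added"
    ET.indent(root, space="  ")          # keep the file readable after appending
    return ET.tostring(root, encoding="unicode"), action


def enable_usb_key_setup(xml_text):
    """Apply the two keys Alex pairs for the 'decoy boots with or without USB' scenario."""
    actions = {}
    for key in ("SecRegionSearch", "DcsBootForce"):
        xml_text, actions[key] = set_config_key(xml_text, key, 1)
    return xml_text, actions


def effective_config(esp_xml, sr_xml=None):
    """Model of loader steps 2-4: start from the D_ESP DcsProp; if a security
    region carrying a DcsProp was found, its keys override the ESP values."""
    cfg = read_config(esp_xml)
    if sr_xml is not None:
        cfg.update(read_config(sr_xml))
    return cfg


if __name__ == "__main__":
    new_xml, actions = enable_usb_key_setup(ESP_DCSPROP)
    print(actions)                       # {'SecRegionSearch': 'updated', 'DcsBootForce': 'added'}
    print(new_xml)
    print(effective_config(new_xml, SR_DCSPROP))
```

ET.tostring drops the XML declaration, so re-add it (or write the file as UTF-8 without one) when saving. As Alex notes, the decoy ESP is mounted with mountvol and the file lives under EFI\VeraCrypt; keeping a copy of the unedited DcsProp beside the rescue disk makes it easy to roll back if the loader no longer finds the settings it expects.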

               
