I really do not want to sound dumb but at this point i really can not afford not to, but anyways i hope you understand and hope you can help me solve this problem.....
I'm following V2 tutorial, it is said to use veracrypt inside D_OS to edit the bootloader(more precisely dcsProp) my main problem is that when i use this method i get this configuration :
<?xml version="1.0" encoding="utf-8"?>
<veracrypt>
<configuration>
<config key="PasswordType">0</config>
<config key="PasswordMsg">Password_edit_dcsProp: </config>
<config key="PasswordPicture">login.bmp</config>
<config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
Hash: </config>
<config key="Hash">1</config>
<config key="HashRqt">0</config>
<config key="PimMsg">PIM (Leave empty for default): </config>
<config key="Pim">0</config>
<config key="PimRqt">1</config>
<config key="AuthorizeVisible">0</config>
<config key="AuthorizeRetry">10</config>
<config key="DcsBmlLockFlags">0</config>
<config key="DcsBmlDriver">0</config>
<config key="ActionSuccess"></config>
</configuration>
</veracrypt>
As you see there is no secRegionsearch config key....
I have tried mouting the esp partition and manually edit the dcsProp, and to make sure it is my editing i made sure to edit <config key="PasswordMsg">Password_edit_dcsProp: </config> so that i knew i was using this DcsProp right from the begining.
The problem is as soon as get to this stage(editing the DcsProp) and even after i have manually configure the dcsProp i can only boot into either the d_os or the H_os using the rescue disk by "restore header keys " . if i dont use the rescue disk i can only boot into one OS.
I have try everything i could find in the forums but with no success, i also seem to be running into another problem which is: if i boot into the D_OS and go to disk managment i can still see the H_esp and H_OS partitions, remember that at this point i have already run -oshideprep -rnd 2 and have created the gpt enc file together with the gpthos file.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Step by step,
1. "-srm" is important step. It marks USB. (The mark is calculated BIOS serial and USB serial based => the usb will work for the computer only)
2. security region uses 128K*N+62 sectors => first partition offset of the USB has to be ~1MB
3. SecRegionSearch=1 is correct. It is possible enter password without USB for decoy OS - DcsProp - DcsBootForce=1.
4. Correct. It rmoves menu only.
5. It is possible to save DcsProp to security region (a bit complex but possible) e.g. It can contin custom password message
Note: Marked block device(-srm) has to be the only! (it is used to verify password)
Last edit: Alex 2018-02-12
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Wow, fast responce!
Folowing your ideas I have cleaned authorization USB and created it's primary partition with 10MB offset, then marked it by -srm and added gpt_enc to the first (#0) region. And it works! Now I can boot into hidden OS just in seconds!
I set DcsBootForce=1 but still I can not boot into decoy os. It is "authorising..." for two minutes and returns "wrong password PIM or hash" with or without authorization USB.
Config key order in DcsProp is same as in DcsProp.example
I was trying to restore OS header keys for decoy os but it did not help.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Yes, with SecRegionSearch=0 I was able to boot decoy OS.
I noticed that every time either windows is booting it is trying to scan and repair some volume. This volume is Microsoft Reserved Partition (I've checked type). I went to EFI shell and executed:
-srdump key -ds 7(MSR)
And dumped a tone of keys from this partition. Seems this is my problem. Can I somehow unmark this partition as security region container? Or try to backup and remove it somehow?
Alex, that would be great! But I guess it would take some time before next build))
After carefully reading DcsCfg.man I noticed that -srm marks entire disk (not partition) as a security region container. And there are some more amateurish questions:
If I want to store security regions on the same disk as my OS - first partition offset must be 128KN+62 sectors, right? i.e. they can not be stored at the end of the disk.
Sector numeration is sequential through the entire disk, correct?
Is there any tool for Windows or shell command to write directly to 61st sector?
Where can I get some information to read about those security regions structure? Is it some kind of industry standard?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi Alex,
Such feature would be great. I gave up on setting up hidden system because I could not make security regions work. (I had same issue as Felis with tons of sec. sectors dumped by -srdump)
I tried to unmark partition that had this problem by overwriting sector 61 with no luck.
Here I described my struggle: https://sourceforge.net/p/veracrypt/discussion/technical/thread/5f58e539/
The ability to list marked volumes and remove mark in a reliable way would hopefully solve this kind of problems.
When do you think this feature might be added.
Regards
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Ok, the initial problem was that:
Setting SecRegionSearch=1 lets me boot to HOS but denies me to boot to Decoy OS (authorization USB or DcsBootForce flag changes nothing for Decoy OS)
Setting SecRegionSearch=0 lets me boot to Decoy OS but, of coarse, denies me from HOS
The assumption was that I have another device marked as security regions container.
I've used dd tool to dump S61 from authorization USB and from disk. To compare them and to see if disk is marked. The screenshot of comparison is attached: authorization USB flash drive has 9 bytes of info and disk if full of zeroes. So I assume disk is not signed, and I have some other problem... or maybe I did something wrong while dumping.
To dump S61 I used:
dd if=//?/Device/Harddisk0/Partition0 of=... seek=61 count=1 bs=512
Ah, more than a week failing to accomplish this, seems I'm missing some very simple and small detail! Maybe there is something else I can check insted of sitting and waiting for next release?))
I've dumped secuity regions to check myself and yeah, looks like security mark in S61 consists of 9 non zero bytes. Maybe DcsBootForce=1 just does not work for me for some reason(((
Woohoo! It works! I've accidentally wiped S61 on disk with dd tool and now:
USB not inserted - I can boot to decoy OS
USB inserted - I can boot to HOS, but not into decoy os because I have no decoy OS key SR on USB.
I was trying to encrypt gpt_hos but got "Wrong password" message while entering actual decoy password. I don't get how to create SR for decoy OS to be able to boot to decoy OS with authorization USB inserted.
Also there is a question how to work with Outer_start and Outer_end partitions, how to format them correctly? Because after wiping them with -oshideprep they are RAW.
P.S. Alex, if u're reading this - thanks a lot for your help!)))
To create SR for decoy OS: 1. copy gpt_os (not gpt_hos!) to gpt_os_hdr 2.remove GPT info from gpt_os_hdr ("-pz" switch). 3. Encrypt gpt_os_hdr (use -pe (note: use -rnd because salt is required)) 4, add gpt_os to SR
Outer_start - format fat32 (do not use NTFS because it creates index data in the middle) Outer_end - format any FS
Note: Do not write too much to Outer_start - it can overwrite HOS
About SR structure. It is simple
sector 1 - header wit keys (pwd encrypted)
sector 2 - table of extra data (header key encrypted)
sectors with GPT (header key encrypted)
sectors with execute parameters (header key encrypted)
Note: "-pz" remove all SR data except header.
To improve: 1. if you have touch screen it is possible to create picture password ;) 2. It is possible to save custom DcsProp to SR (e.g. to create custom login message) (default DcsProp has to on ESP)
Last edit: Alex 2018-02-16
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi, Alex.
I have tested all scenarios: keys at arbitrary partition, decoy OS keys in SR, it all works! Great!
And as I am trying to create a good manual on this procedure, I decided to repeat everything from scratch. After encrypting the hidden OS I got this message. When I rebooted windows failed with a blue screen. And I did a stupid thing: I restored OS header for HOS from rescue USB. Then I applied gpt_hos to disk. Of course later I understood my mistake and restored os header from decoy rescue USB, so I was able to boot into decoy OS. But now while trying to boot to HOS (with key) i get "Can't open partition ... status - unsupported"
I thought I can roll back by decrypting gpt_enc and applying it to disk but it gives no result and I can't understand why.
Is there any chance to fix it or I just have to reinstall my HOS again?
And one more thing: when I mount outer (outer start) partition from decoy OS it is not possible to format it with FAT, it is much bigger than 32GB. And NTFS will damage HOS. If I will format it from HOS I will destroy the header and will not be able to mount it at all.
1) Check gpt_enc via "-pl", check "-pexec" (GUID of partition with bootmgfw)
Note - rescue USB to improve:
The USB can contain several tools: 1. DCS RE (rescue menu) 2. EFI Shell to boot from the USB and use DcsCfg tool. 3. Windows PE (preinstall environment)
T3. is useful to test and mount HOS (apply gpt_enc, start veracrypt portable to mount, use FAR or any other tools to work with encrypted volumes) Windows PE can be generated via Windows ADK.
How to create: Create Windows PE USB via ADK. Copy VeraCrypt rescue to the USB. Copy EFI shell. Copy VeraCrypt portable and other tools (FAR etc).
2) Format outer with exFAT. (no size limits)
Thank you for helping with the manual. It looks like many people need it. I can try to explain technical parts.
Last edit: Alex 2018-02-20
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Decrypted gpt_enc to gpt_dec and checked "-pl" and "-pexec": all in place and seems to be correct. But still "Can't open start partition ... status - unsupported"
Can you explain how "-pa" works? I thought it just overwrites GPT but seems like it's more sofisticated...
WinPE on the same USB stick is a good idea, I'll definitely try that!
Hi, Felis, hi Alex. Can you explain, how to restore bootloader on hidden ESP partition ? i decrypt gpt_enc via
DcsCfg.dcs -pf gpt_enc -aa -pa -ps
and after this i loading from liveCD with VC portable and trying to mount gpt_enc file to disk. i am so close to make a encrypted FS
i look to structure of my gpt_enc file and it's looks fine
Last edit: minimaxxximus 2018-06-07
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
i succesfully decrypt gpt_enc via
DcsCfg.dcs -pf gpt_enc -aa -pd -pa
after it i replace gpt table on harddrive via
DcsCfg.dcs -pf gpt_enc -ds <driveNo> -pa
after this i sucessfully mount hidden_esp drive and check it, check all files,repair bootloader, but if i trying to load hidden os - loading only system repair partition.
Have you ideas to fix it?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I think the proper commands should be the following:
1. Copy gpt_hide (created in last step of "-oshideprep") to os_hdr
2. Remove SR data except header from os_hdr: EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -pz
3. Encrypt header before adding to SR: EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -pe -rnd
4. Add header to SR <N> on authorization USB <usbN>: EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -sra <N> -ds <usbN>
Is this correct?
I am going to wipe data and create new hidden OS because of damaged OS. In new configuration everything should work properly.
Regards
Bonez
Last edit: DJ Bonez 2018-02-21
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I literally cannot wait for your guide. I would love to get a hidden OS config without needing a USB to boot up, but I haven't been able to make progress without more documentation.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Here goes V1.0 of the manual
The instruction is totaly checked on my system and working.
Added some Q&A and hints, mainly from this topic.
Well this journey took me through EFI operation theory, bootloaders and still have lots of questions I'd like to cover. For example:
1. How to save DcsProp to SR?
2. Does the existence of authorisation USB (with SR) prove the existence of hidden OS in the system?
And theoretical questions like:
3. Is it safe to use system encryption on SSD (due it's regions hidden from user at all)?
4 .Is it safe that hidden and decoy OS share same MSR (microsoft reserved region)?
Alex, maybe I can contact you with private massage, as my questions are out of this topic?
Thanks Felis, great manual. Maybe I can add some ideas after my next run with Hidden OS. ;-)
@Alex: It should be possible to remove Decoy OS header from disk, shouldn't it?
So it wouldn't be possible to boot any OS without USB anymore.
Still don't get header of ordinary OS to SR.
If I try to use the GPT file created in last step of "-oshideprep", password for ordinary OS isn't being accepted for encryption.
After creating new GPT file from system drive and removing GPT info, password is being accepted but there is "No media" after encryption. Error message after encryption: "Save gpt_decoy: No media"
Error message trying to write SR: "Write: No media"
Regards
Bonez
Last edit: DJ Bonez 2018-02-22
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I really do not want to sound dumb but at this point i really can not afford not to, but anyways i hope you understand and hope you can help me solve this problem.....
I'm following V2 tutorial, it is said to use veracrypt inside D_OS to edit the bootloader(more precisely dcsProp) my main problem is that when i use this method i get this configuration :
<?xml version="1.0" encoding="utf-8"?>
<veracrypt>
<configuration>
<config key="PasswordType">0</config>
<config key="PasswordMsg">Password_edit_dcsProp: </config>
<config key="PasswordPicture">login.bmp</config>
<config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
Hash: </config>
<config key="Hash">1</config>
<config key="HashRqt">0</config>
<config key="PimMsg">PIM (Leave empty for default): </config>
<config key="Pim">0</config>
<config key="PimRqt">1</config>
<config key="AuthorizeVisible">0</config>
<config key="AuthorizeRetry">10</config>
<config key="DcsBmlLockFlags">0</config>
<config key="DcsBmlDriver">0</config>
<config key="ActionSuccess"></config>
</configuration>
</veracrypt>
As you see there is no secRegionsearch config key....
I have tried mouting the esp partition and manually edit the dcsProp, and to make sure it is my editing i made sure to edit <config key="PasswordMsg">Password_edit_dcsProp: </config> so that i knew i was using this DcsProp right from the begining.
The problem is as soon as get to this stage(editing the DcsProp) and even after i have manually configure the dcsProp i can only boot into either the d_os or the H_os using the rescue disk by "restore header keys " . if i dont use the rescue disk i can only boot into one OS.
I have try everything i could find in the forums but with no success, i also seem to be running into another problem which is: if i boot into the D_OS and go to disk managment i can still see the H_esp and H_OS partitions, remember that at this point i have already run -oshideprep -rnd 2 and have created the gpt enc file together with the gpthos file.
Hi Felis,
Step by step,
1. "-srm" is important step. It marks USB. (The mark is calculated BIOS serial and USB serial based => the usb will work for the computer only)
2. security region uses 128K*N+62 sectors => first partition offset of the USB has to be ~1MB
3. SecRegionSearch=1 is correct. It is possible enter password without USB for decoy OS - DcsProp - DcsBootForce=1.
4. Correct. It rmoves menu only.
5. It is possible to save DcsProp to security region (a bit complex but possible) e.g. It can contin custom password message
Note: Marked block device(-srm) has to be the only! (it is used to verify password)
Last edit: Alex 2018-02-12
Wow, fast responce!
Folowing your ideas I have cleaned authorization USB and created it's primary partition with 10MB offset, then marked it by -srm and added gpt_enc to the first (#0) region. And it works! Now I can boot into hidden OS just in seconds!
I set DcsBootForce=1 but still I can not boot into decoy os. It is "authorising..." for two minutes and returns "wrong password PIM or hash" with or without authorization USB.
Config key order in DcsProp is same as in DcsProp.example
I was trying to restore OS header keys for decoy os but it did not help.
I guess - there is another block device marked ("-srm") . To verify try SecRegionSearch=0 to boot decoy OS.
Yes, with SecRegionSearch=0 I was able to boot decoy OS.
I noticed that every time either windows is booting it is trying to scan and repair some volume. This volume is Microsoft Reserved Partition (I've checked type). I went to EFI shell and executed:
-srdump key -ds 7(MSR)
And dumped a tone of keys from this partition. Seems this is my problem. Can I somehow unmark this partition as security region container? Or try to backup and remove it somehow?
Last edit: Felis 2018-02-12
Probably I'll add extra command to list all marked volumes (eg. -srdl to list and -srrm to remove mark)
Alex, that would be great! But I guess it would take some time before next build))
After carefully reading DcsCfg.man I noticed that -srm marks entire disk (not partition) as a security region container. And there are some more amateurish questions:
If I want to store security regions on the same disk as my OS - first partition offset must be 128KN+62 sectors, right? i.e. they can not be stored at the end of the disk.
Sector numeration is sequential through the entire disk, correct?
Is there any tool for Windows or shell command to write directly to 61st sector?
Where can I get some information to read about those security regions structure? Is it some kind of industry standard?
Hi Alex,
Such feature would be great. I gave up on setting up hidden system because I could not make security regions work. (I had same issue as Felis with tons of sec. sectors dumped by -srdump)
I tried to unmark partition that had this problem by overwriting sector 61 with no luck.
Here I described my struggle:
https://sourceforge.net/p/veracrypt/discussion/technical/thread/5f58e539/
The ability to list marked volumes and remove mark in a reliable way would hopefully solve this kind of problems.
When do you think this feature might be added.
Regards
Ok, the initial problem was that:
Setting SecRegionSearch=1 lets me boot to HOS but denies me to boot to Decoy OS (authorization USB or DcsBootForce flag changes nothing for Decoy OS)
Setting SecRegionSearch=0 lets me boot to Decoy OS but, of coarse, denies me from HOS
The assumption was that I have another device marked as security regions container.
I've used dd tool to dump S61 from authorization USB and from disk. To compare them and to see if disk is marked. The screenshot of comparison is attached: authorization USB flash drive has 9 bytes of info and disk if full of zeroes. So I assume disk is not signed, and I have some other problem... or maybe I did something wrong while dumping.
To dump S61 I used:
dd if=//?/Device/Harddisk0/Partition0 of=... seek=61 count=1 bs=512
Ah, more than a week failing to accomplish this, seems I'm missing some very simple and small detail! Maybe there is something else I can check insted of sitting and waiting for next release?))
Last edit: Felis 2018-02-14
I've dumped secuity regions to check myself and yeah, looks like security mark in S61 consists of 9 non zero bytes. Maybe DcsBootForce=1 just does not work for me for some reason(((
Last edit: Felis 2018-02-14
Woohoo! It works! I've accidentally wiped S61 on disk with dd tool and now:
USB not inserted - I can boot to decoy OS
USB inserted - I can boot to HOS, but not into decoy os because I have no decoy OS key SR on USB.
I was trying to encrypt gpt_hos but got "Wrong password" message while entering actual decoy password. I don't get how to create SR for decoy OS to be able to boot to decoy OS with authorization USB inserted.
Also there is a question how to work with Outer_start and Outer_end partitions, how to format them correctly? Because after wiping them with -oshideprep they are RAW.
P.S. Alex, if u're reading this - thanks a lot for your help!)))
Hey,
same problem like I had a time ago.
Alex wrote:
I did not successfully test it yet.
Regards
Bonez
Good result! ;)
Note: Do not write too much to Outer_start - it can overwrite HOS
About SR structure. It is simple
sector 1 - header wit keys (pwd encrypted)
sector 2 - table of extra data (header key encrypted)
sectors with GPT (header key encrypted)
sectors with execute parameters (header key encrypted)
Note: "-pz" remove all SR data except header.
To improve: 1. if you have touch screen it is possible to create picture password ;) 2. It is possible to save custom DcsProp to SR (e.g. to create custom login message) (default DcsProp has to on ESP)
Last edit: Alex 2018-02-16
Hi, Alex.
I have tested all scenarios: keys at arbitrary partition, decoy OS keys in SR, it all works! Great!
And as I am trying to create a good manual on this procedure, I decided to repeat everything from scratch. After encrypting the hidden OS I got this message. When I rebooted windows failed with a blue screen. And I did a stupid thing: I restored OS header for HOS from rescue USB. Then I applied gpt_hos to disk. Of course later I understood my mistake and restored os header from decoy rescue USB, so I was able to boot into decoy OS. But now while trying to boot to HOS (with key) i get "Can't open partition ... status - unsupported"
I thought I can roll back by decrypting gpt_enc and applying it to disk but it gives no result and I can't understand why.
Is there any chance to fix it or I just have to reinstall my HOS again?
And one more thing: when I mount outer (outer start) partition from decoy OS it is not possible to format it with FAT, it is much bigger than 32GB. And NTFS will damage HOS. If I will format it from HOS I will destroy the header and will not be able to mount it at all.
Last edit: Felis 2018-02-19
Hi Felis,
1) Check gpt_enc via "-pl", check "-pexec" (GUID of partition with bootmgfw)
Note - rescue USB to improve:
The USB can contain several tools: 1. DCS RE (rescue menu) 2. EFI Shell to boot from the USB and use DcsCfg tool. 3. Windows PE (preinstall environment)
T3. is useful to test and mount HOS (apply gpt_enc, start veracrypt portable to mount, use FAR or any other tools to work with encrypted volumes) Windows PE can be generated via Windows ADK.
How to create: Create Windows PE USB via ADK. Copy VeraCrypt rescue to the USB. Copy EFI shell. Copy VeraCrypt portable and other tools (FAR etc).
2) Format outer with exFAT. (no size limits)
Thank you for helping with the manual. It looks like many people need it. I can try to explain technical parts.
Last edit: Alex 2018-02-20
Decrypted gpt_enc to gpt_dec and checked "-pl" and "-pexec": all in place and seems to be correct. But still "Can't open start partition ... status - unsupported"
Can you explain how "-pa" works? I thought it just overwrites GPT but seems like it's more sofisticated...
WinPE on the same USB stick is a good idea, I'll definitely try that!
"-pa" saves sectors only. Probaby hidden ESP is damaged. select and mount it via "mount without preboot authentication" e.g. from WinPE
Hi, Felis, hi Alex. Can you explain, how to restore bootloader on hidden ESP partition ? i decrypt gpt_enc via
DcsCfg.dcs -pf gpt_enc -aa -pa -ps
and after this i loading from liveCD with VC portable and trying to mount gpt_enc file to disk. i am so close to make a encrypted FS
i look to structure of my gpt_enc file and it's looks fine
Last edit: minimaxxximus 2018-06-07
i succesfully decrypt gpt_enc via
DcsCfg.dcs -pf gpt_enc -aa -pd -pa
after it i replace gpt table on harddrive via
DcsCfg.dcs -pf gpt_enc -ds <driveNo> -pa
after this i sucessfully mount hidden_esp drive and check it, check all files,repair bootloader, but if i trying to load hidden os - loading only system repair partition.
Have you ideas to fix it?
Hi Alex,
I think the proper commands should be the following:
1. Copy gpt_hide (created in last step of "-oshideprep") to os_hdr
2. Remove SR data except header from os_hdr:
EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -pz
3. Encrypt header before adding to SR:
EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -pe -rnd
4. Add header to SR <N> on authorization USB <usbN>:
EFI\VeraCrypt\DcsCfg.dcs -pf os_hdr -sra <N> -ds <usbN>
Is this correct?
I am going to wipe data and create new hidden OS because of damaged OS. In new configuration everything should work properly.
Regards
Bonez
Last edit: DJ Bonez 2018-02-21
I literally cannot wait for your guide. I would love to get a hidden OS config without needing a USB to boot up, but I haven't been able to make progress without more documentation.
Here goes V1.0 of the manual
The instruction is totaly checked on my system and working.
Added some Q&A and hints, mainly from this topic.
Well this journey took me through EFI operation theory, bootloaders and still have lots of questions I'd like to cover. For example:
1. How to save DcsProp to SR?
2. Does the existence of authorisation USB (with SR) prove the existence of hidden OS in the system?
And theoretical questions like:
3. Is it safe to use system encryption on SSD (due it's regions hidden from user at all)?
4 .Is it safe that hidden and decoy OS share same MSR (microsoft reserved region)?
Alex, maybe I can contact you with private massage, as my questions are out of this topic?
Good manual!
1)
Save dcsprop to tbl_sr
Dcscfg.dcs –tbf tbl_sr –tbn DCSPROP_ -tba <your_custom_dcsprop_from_usb>
Copy tbl_sr to SR<pos>
Dcscfg.dcs –sra <pos> -pf tbl_sr –ds <devN>
2) No. It proves idea - separate data encrypted and keys.
3) Probably possible. There are two questions - data encrypted? data hidden?
4) Possible. Hidden OS is long story ;)
Thanks Felis, great manual. Maybe I can add some ideas after my next run with Hidden OS. ;-)
@Alex: It should be possible to remove Decoy OS header from disk, shouldn't it?
So it wouldn't be possible to boot any OS without USB anymore.
Still don't get header of ordinary OS to SR.
If I try to use the GPT file created in last step of "-oshideprep", password for ordinary OS isn't being accepted for encryption.
After creating new GPT file from system drive and removing GPT info, password is being accepted but there is "No media" after encryption.
Error message after encryption: "Save gpt_decoy: No media"
Error message trying to write SR: "Write: No media"
Regards
Bonez
Last edit: DJ Bonez 2018-02-22